Aave on Polygon has an admin key

I recently discovered that Aave's Polygon Market is governed by an undocumented multisig admin key.

I requested information about this multisig from the Aave team.

The following reply was received:

I followed up immediately with these questions:

  • Who are the signers?
  • Are the signers Aave team members?
  • What countries are the signers in?
  • What power does the admin key hold?
  • Can the admin key be used to drain funds if compromised?

I received no response to these questions, nor to my follow-ups or reminders. Radio silence so far.

Current Facts and Assumptions:

  • We know that Aave has a 3-of-5 admin key on its Polygon implementation.
  • We do not know who the signers are.
  • We do not know if 5 individuals hold the 5 signing keys uniquely.
  • It is possible that 1 Aave team member holds all 5 keys.
  • It is possible that this key can be used to severely compromise the Polygon market.
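The threshold and signer set of a multisig are on-chain data that anyone can read, so the "3-of-5" figure can be checked independently of the team's answers. The following script is an added example, not code from the original post or from Aave; it assumes the admin key is a Gnosis Safe (the post does not say which multisig contract is used) and uses a placeholder Safe address and a constructed sample RPC response so it runs offline. The function selectors are hard-coded because the Python standard library has no keccak256 (hashlib's sha3_256 is NIST SHA-3, which pads differently).

```python
import json
import urllib.request

# 4-byte selectors (first 4 bytes of keccak256 of the signature) for Gnosis Safe getters.
SELECTORS = {
    "getThreshold()": "e75235b8",
    "getOwners()": "a0e67e2b",
}

# Hypothetical Safe address; the real one must be taken from the Aave Polygon
# LendingPoolAddressesProvider's admin/owner slot, which the post does not give.
SAFE_ADDRESS = "0x0000000000000000000000000000000000000000"


def eth_call_request(to, selector_hex, request_id=1):
    """Build a JSON-RPC eth_call that invokes a zero-argument view function."""
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "eth_call",
        "params": [{"to": to, "data": "0x" + selector_hex}, "latest"],
    }


def decode_uint256(hexdata):
    """Decode an ABI-encoded uint256 return value ("0x" + 64 hex chars)."""
    return int(hexdata[2:] or "0", 16)


def decode_address_array(hexdata):
    """Decode an ABI-encoded dynamic address[] return value.

    Layout: word 0 = offset to the array head, then length, then one
    32-byte word per element with the 20-byte address right-aligned.
    """
    data = bytes.fromhex(hexdata[2:])
    offset = int.from_bytes(data[0:32], "big")
    length = int.from_bytes(data[offset:offset + 32], "big")
    owners = []
    for i in range(length):
        start = offset + 32 + 32 * i
        word = data[start:start + 32]
        owners.append("0x" + word[12:].hex())
    return owners


def summarize_safe(threshold_raw, owners_raw):
    """Turn raw getThreshold()/getOwners() results into an N-of-M summary."""
    threshold = decode_uint256(threshold_raw)
    owners = decode_address_array(owners_raw)
    return {
        "threshold": threshold,
        "owners": owners,
        "scheme": f"{threshold}-of-{len(owners)}",
    }


def fetch_safe_config(rpc_url, safe_address=SAFE_ADDRESS):
    """Live check against a Polygon JSON-RPC endpoint (needs network access)."""
    def call(selector):
        body = json.dumps(eth_call_request(safe_address, selector)).encode()
        req = urllib.request.Request(
            rpc_url, data=body, headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)["result"]
    return summarize_safe(call(SELECTORS["getThreshold()"]),
                          call(SELECTORS["getOwners()"]))


def abi_encode_address_array(addresses):
    """Encoder used only to build the constructed sample response below."""
    word = lambda n: n.to_bytes(32, "big")
    body = word(32) + word(len(addresses))
    for a in addresses:
        body += bytes(12) + bytes.fromhex(a[2:])
    return "0x" + body.hex()


# Constructed sample data standing in for what the RPC would return for a 3-of-5 Safe.
SAMPLE_OWNERS = ["0x" + (str(i) * 40) for i in range(1, 6)]
SAMPLE_OWNERS_RESPONSE = abi_encode_address_array(SAMPLE_OWNERS)
SAMPLE_THRESHOLD_RESPONSE = "0x" + (3).to_bytes(32, "big").hex()

if __name__ == "__main__":
    summary = summarize_safe(SAMPLE_THRESHOLD_RESPONSE, SAMPLE_OWNERS_RESPONSE)
    print(summary["scheme"])
    for owner in summary["owners"]:
        print("  signer:", owner)
```

Running `fetch_safe_config("https://<polygon-rpc>", "<safe address>")` confirms the threshold and the number of signer addresses. It does not settle the questions in the list above: five distinct addresses are not five distinct people or five jurisdictions, and whether the key can drain funds depends on what the Safe is the owner of, which has to be traced through the pool's admin roles separately.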

I'll post again if/when I receive an update, or if the team releases documentation on the multisig.