[DRAFT] Code Commitment Tool Mission Request

šŸ¹ Mission Requests
,
1

Delegate Mission Request Summary:
As a part of increasing technical decentralization, it is critical for the community to have assurance that the smart contracts running on chain align with audited code. This mission proposes creating a tool that can attest to the alignment between onchain smart contracts with Github commit information.

(Note: This idea is drawn from the example listed in Intent 1, ā€œAttestations of onchain smart contracts with github commit informationā€)

S5 Intent: Intent 1: Progress towards technical decentralization

Proposing Delegate: Gonna.eth

Proposal Tier: Fledgling

Baseline grant amount: 25k OP

Should this Foundation Mission be fulfilled by one or multiple applicants: One

Submit by: To be set by Grants Council

Selection by: To be set by Grants Council

Start date: ASAP

Completion date: Within 12 months

Specification

How will this Delegate Mission Request help accomplish the above Intent?

  • Technical decentralization requires confidence that the code being executed on chain aligns with the audited code on Github.
  • Especially given the ability for Optimism to be upgraded immediately (see criticism on L2 Beat), it is crucial that users have assurances about the code being upgraded to.
  • This tool could also further help the community by increasing assurance that individual dapps have had their final, deployed code audited.

What is required to execute this Delegate Mission Request?

  • Create a clear roadmap of functionality for the tool and how it will be used.
  • Develop the tool and integrate it into Optimismā€™s workflow.
  • Ideally, work with Etherscan or other block explorer team to integrate tool into block explorers.

How should the Token House measure progress towards this Mission?

  • Do we have an exact specification for what the toolā€™s UX should be?
  • Do we have an architecture document mapping out the full tool architecture?
  • Is the tool developed and functional on live contracts?

How should badgeholders measure impact upon completion of this Mission?

  • Is the tool integrated into Optimismā€™s deployment workflow?
  • Is the tool used by the community to increase assurance in the safety of upgrades?
  • Is the tool integrated into block explorers to help the full community?

Have you engaged a Grant-as-a-service provider for this Mission Request?
no

Has anyone other than the Proposing Delegate contributed to this Mission Request? If so, who, and what parts of this application did they contribute to? sponsoring Zach Obront

2 Likes
2

Hey @Gonna.eth thanks a lot for the description of this mission request!

So I am not sure I totally understand what you are saying here.

Isnā€™t the way to see if the deployed code matches what is in the sourcecode to get the sourcecode verified either in etherscan or sourcify?

I think I may be missing something.

3

Maybe some kind of commit by an attestation onchain where a node compiles x.sol at commit y, checks the deployed code? Doesnt seem too useful tbh. Though this could be interesting if you had a verify tool for certain standards so a contract can check x meets some spec. May also be useful to see if 2 contracts are the same.

4

As a smart contract developer and security researcher, the number of times I have looked at a github and later figured out it does not match the onchain version is quite large. In my opinion this would be useful as whitehats can be assured that the code they have matches onchain and can look for bugs there. Maybe this looks like a github action, or a site with a github integration (i.e. a config file that address X is the bytecode of the compilation of contract Y.sol).

I think the grant amount is a bit high for this.

1 Like
5

Thought about this think can do it for much less using Scry since all the onchain bs and core infras already there myself. Agree aswell that would be useful to have a way to check that source for a contract has been put somewhere. Think even 40k would be more than enough for this to be done even from ind dev, also gives me a new feature to build if apply to do it myself. Will approve incase others see value. Tbh its mostly just a tool to pull from a source, comp, then commit. If u have a few nodes then its chill to assume secure. Could use IPFS for DA. But yeah <40k

I am an Optimism delegate [Agora - OP Voter] with sufficient voting power and I believe this proposal is ready to move to a vote.

6

Wouldnā€™t integration into Optimismā€™s workflow require partnership with the Foundation or Labs?

7

Hey @Gonna.eth ā€“ just wanted to flag this as a proposal that still needs delegate approvals in order to move to a vote. If you are no longer interested in pursuing this proposal ā€“ please disregard this message. In order to see the delegates assigned to your proposal those can be found here. The deadline to provide feedback and approvals for Mission Requests is February 7th at 19:00

Cheers!

8

Glad to see the amount come down, In general itā€™s a reasonable idea but Iā€™d like to see more details in the proposal.

9

I am an Optimism delegate with sufficient voting power and I believe this proposal is ready to move to a vote.

10

The Developer Advisory Board has reviewed this Delegate Mission Request, and voted on its acceptance or rejection. The vote results are as follows:

ACCEPT: 6 votes
REJECT: 0 votes
ABSTAIN: 0 votes

therefore, the Developer Advisory Board accepts this delegate mission request.

The Developer Advisory Board has reached this conclusion as our experience as security researchers ourselves. Github/onchain code mismatch is a constant problem across the ecosystem and we think this will help improve verifiability of contract source code and therefore improve technical decentralization.

We thank the proposer for putting this together.

1 Like