[DRAFT] Upgrade Proposal: Bedrock

Hey all, I wanted to loop back here and talk about our decision to delay the proposal until next cycle.

At the end of the day, what this decision boils down to is rigor, and the precedent that we need to be setting as a Collective. While we had high hopes for the Sherlock audit competition, the turnout was stronger than anticipated! We had 333 people sign up to participate, and 60 people submitted at least 1 report.

In total, this incredible group of community members submitted 314 unique reports, which break down into:

  • 149 suggestions for improvements on our specifications.
  • 166 reports claiming to identify a bug or vulnerability.

After deduplication, these 166 reports further break down into:

  • 6 high severity findings.
  • 9 medium severity findings.
  • A large number of findings or recommendations which are subjective in nature.

As stated in the initial proposal—the entire point of the Sherlock competition was to leverage the community to find things. Our goal is to have all fixes merged into the codebase well in advance of the original go-live date.

At the same time, we haven’t yet open sourced the Sherlock results like we have for the rest of the Bedrock security reviews. At the end of the day—while we’re just as excited about the prospect of the Bedrock upgrade as the community, this is the first ever vote of the Token House in perhaps its most critical area of responsibility. Starting a vote before the community has all the information—and ample time to review it—just isn’t acceptable, and we shouldn’t be setting that standard. Code needs to be frozen.

So, despite our excitement, we decided not to finalize this proposal until all the information is public. Well in advance of next cycle’s discussion period, we’ll be providing a detailed analysis of the Sherlock results, and a new code-frozen release.

Speaking in my personal capacity for a minute, it’s moments like these that make me really appreciate having a governance community holding us accountable. Simply put, it’s a forcing function for rigor—it helps remind me that releases are not a race, but an exercise in polishing. This is an all-too-common trap. While I’m sad to see Bedrock pushed out, I’m proud of the precedent being set.