[READY TO VOTE] smart contract auditing services

Mission Request Template

Delegate Mission Request Summary:
This is a continuation of the RFG-3 from last season: gather smart contract auditors to provide subsidized audits for promising projects determined by the grant council.

S5 Intent Intent 3

Proposing Delegate: Jack Anorak

Proposal Tier: Fledgling Tier and up

Baseline grant amount: 250k OP

Should this Foundation Mission be fulfilled by one or multiple applicants: Multiple

Submit by: To be set by Grants Council

Selection by: To be set by Grants Council

Start date: If applicable

Completion date: Aug 1, 2024

Specification

How will this Delegate Mission Request help accomplish the above Intent?

A major thesis I’ve held is that reducing overall costs of deployment will be a powerful draw for builders. Audits are often the single costliest part of deploying contracts, both in terms of money and in terms of time. Launch fees can easily run upward of $100k, and if a project doesn’t have the startup capital to fund this work, it will often turn to other sources of financing, such as soliciting VC or launching a token where otherwise unnecessary—or, worse, cut corners and deploy with a less experienced or reputable set of auditors.

This is highly relevant to us as an ecosystem: getting these fees subsidized can often make the difference between a deployment and no deployment—or between a safe deployment and one whose exploit has widely felt consequences. If we believe in the long-term growth that can be harnessed by network effects and cultivating an open building scene, this becomes a clear investment focus to ensure the future we want to see. And this has direct results for users, who need some reasonable assurances of security when using economically live products.

Meanwhile, grants issued by the Grant Council face certain limitations: specifically, builder grants are locked up for over a year, which can be suboptimal for projects that need liquidity on high-ticket costs like this today. However, an in-kind grant can help to get auditing work done—the thing many of these projects need—as early as possible while avoiding any risks associated with distributing the OP token.

What is required to execute this Delegate Mission Request?

To execute this Mission Request, we need:

  • A pool of reputable and experienced auditors.
  • A system for matching auditors with projects that require their services.
  • A mechanism for distributing the locked grants to the auditors and ensuring they are used as intended.

The exact structure of these kinds of grants is somewhat flexible and dependent on what sorts of proposals will come our way.

One structure that worked for RFGs: auditing firms and collectives propose to be labeled ‘Optimism preferred auditors’, preserving space for some number of grantee projects (or audit hours) at a certain payment schedule. They may also bid on providing additional capacity for projects that would themselves pay some sort of rate.

How should the Token House measure progress towards this Mission?

  • Auditors enlisted in the program
  • Projects matched with auditors
  • Audits completed
  • Projects successfully deployed following an audit

How should badgeholders measure impact upon completion of this Mission?

  • % decrease in number of security incidents relative to some established baseline
  • % decrease in overall deployment costs for builders
  • number of onboarded builders for whom auditing would have been a make-or-break obstacle
  • % audit coverage on OP Mainnet

Have you engaged a Grant-as-a-service provider for this Mission Request?
no

Has anyone other than the Proposing Delegate contributed to this Mission Request? If so, who, and what parts of this application did they contribute to?
no

9 Likes

hi @jackanorak, thank you for putting this together! I just wanted to note that the last 2 questions (“have you engaged a grant-as a service provider” and “has anyone other than the proposing delegate contributed”) have not been completely filled out.

2 Likes

Cannot stress enough how important audit subsidization is, any continuance of this initiative will promote a safer environment and future for many users and teams. As a top 100 delegate I believe this proposal is ready for vote. Delegate Commitments - #71 by MoneyManDoug

1 Like

Hi everyone! I am an employee of OP Labs and speaking on my own behalf.

Very excited about this opportunity. One of the key goals at OP Labs is to grow the Superchain Developer ecosystem and I’ve heard from DeFi developers often the limitation from moving from testnet to mainnet is being able to afford an audit.

Offering this service could be an additional value prop for deploying on the Superchain versus other decentralized compute offerings.

If this ends up being worked on would love to help app developers become aware of this opportunity.

7 Likes

I am an Optimism delegate [Agora - OP Voter] with sufficient voting power and I believe this proposal is ready to move to a vote. beep boop

4 Likes

I am an Optimism delegate with sufficient voting power and I believe this proposal is ready to move to a vote.

1 Like

Thanks @jackanorak for the proposal. We believe it’s important provide affordable yet quality auditing services to promising projects within the Optimism ecosystem.

We are an Optimism delegate with sufficient voting power and believe this Request is ready to move to a vote.

1 Like

Great way to lower the barrier for developers and protect Optimism users from future hacks.

I am an Optimism delegate with sufficient voting power and I believe this proposal is ready to move to a vote.

The Grants Council has opened early submissions as an Indication of Interest for this mission request here

For your application to be considered, the Mission request must pass the Token House vote on February 14th. Submissions will not be considered if a Mission Request is not approved on the 14th.

Just wanted to add a quick update here: Sherlock is one of the three whitelisted auditors from the past season.

The audit apps opened last week and Sherlock has seen a flood of interest from projects big and small for using these funds. I think the OP ecosystem will be very pleased with the participation and demand generated by the auditing RFG-3 from last season. The completed apps should start coming through later this week or early next.

Audit services really do seem to be the biggest barrier for protocol teams to launch on OP (or anywhere else).

2 Likes

Hi @Gonna.eth, I see that the submission period has been extended and I would love to submit a proposal on behalf of ChainSecurity (https://chainsecurity.com/).

It seems like the application page is currently disabled. I also see that projects have been submitting proposals beyond the newly indicated timeline, could we exceptionally do so as well?

Thanks a lot for your consideration & wishing you a nice day! Also tagging @jackanorak for visibility.

Submission period ended on Friday 29th. Sorry you didn’t make it I hope we can see you on the next round probably in june.

1 Like

Hi all, we’re currently working on whitelisting security service providers and creating a Subsidy Fund to subsidize projects building for other ecosystems - see here as an example for Arbitrum. We’ve put a lot of time into thinking through the intricacies and doing the groundwork to get a full market understanding. We’d be happy to help out in any shape or form.

For context, on working across ecosystems - our view as Areta’s Strategic Governance unit is to support improvements and growth of governance across the crypto ecosystem, solving complex problems first-hand. We believe streamlining procurement and other organizational processes across DAOs will lead to the ‘rising tide lifting all boats’ and improve governance in general to strengthen the decentralized ecosystem as a whole.

Hey everyone, Kristoffer from Hashlock here, one of the best smart contract audit firms globally according to CoinMarketCap and other sources.

Our deck is also available here

I’ll divide my post into a few sections, for easy readability, otherwise it’ll be too long of a post. I’ll try and keep it short and concise.


Background of Hashlock and recent OP work.

We have been working together with other foundations on similar models as proposed by several members in this thread. Let me highlight some of the different ways below:

peaq Network <> Hashlock
With peaq, we are the security firm for themselves, as well as their ecosystem. Every project building on peaq automatically gets a 50% discount from our standard services fees, not limited to audits. It also comes with the perk of short waitlist and better planning, vs the 6 months we saw last DeFi summer.

5irechain <> Hashlock
We are working together with 5ire on their grants program and their own security, where every winner automatically gets a pre-determined amount of audit credits, as well as discounts on top of this rate.

Fantom Foundation <> Hashlock
Same model for all the Sonic Labs winners here, as with 5irechain.

To highlight some of our most recent work on OP, we’ve finalized several audits for Exactly Protocol, which has been building on OP since March 2023 and Debita Finance, one of the Sonic Labs winners also deploying on OP.


Proposal discussion points

  1. The proposal emphasizes the significance of lowering deployment costs for builders, specifically targeting the high expenses and time commitments associated with contract audits.

We have observed that many builders are unable to afford a high-quality audit when transitioning from testnet to mainnet, leading to project losses due to being hacked within the first week. We have also witnessed the rise of C-tier and D-tier “auditors” during every DeFi summer, giving projects a false sense of security by compromising, again, due to budget constraints.

Therefore, Hashlock is very partnership focused in the sense that our entire process is tailored around working together more than once, to reduce timelines and cost for the projects, while delivering the best quality audits and other security services. We are also one of few - if not the only - audit firm that work with evolving codebases. I will write out our audit methodology in a separate post, for simplicity.

One thing I wanted to give a take on regarding pricing structures, is to be aware of auditors potentially increasing their standard service fee, since it’s now a foundation that pays, instead of a “small” project. Just a piece of feedback.

  1. The current grant system’s limitations are highlighted, particularly the issue with builder grants being locked up for over a year.

Here, I envision a partnership that just automatically triggers on some pre-determined values, e.g.
Project gets in touch with Hashlock during grant application, and get a quote for their audit. This is then immediately budgetted into the grant application and pre-vetted, so we can avoid long wait-times.

I know this is a DAO forum, but we’re more than happy to discuss further on a call of any kind, and formulate a relationship with OP on this necessary adventure.

Note: I could only post two links, but I’ll gladly supply more somehow if need be

1 Like

Hashlock Audit Reports

Hashlock’s Audit Reports are human readable to a non technical audience, and can be made public after vulnerabilities are resolved, to educate the public in an article style content piece. At the client’s discretion, Hashlock often promotes completed audits via industry body partners, social media, and other means.

Audit Methodology:

Engagement Kick-off: Schedule and conduct an engagement kick-off meeting where the

project scope is reviewed and agreed upon with the team. We establish communication plans - as well as the platforms - and develop the timeline and milestones. Lastly, we identify key stakeholders from all parties involved who need to be included in the engagement updates and escalations. We will be interacting with the client regarding findings and clarifications almost daily.

Initial Review: Understand the intended functionality of the contract(s) by interfacing with the development team and reviewing any provided documentation. This includes the setup of relevant tooling, Identification of process flow, critical paths, and critical functions.

Static Analysis: Examine the codebase for syntactical issues, potential vulnerabilities, and

adherence to best practices. Dynamic Analysis: Test the contract in various environments (including test nets) to see how it behaves under different conditions.

Gas Analysis: Determine the gas costs for major functions and identify optimization opportunities.

Manual Codebase Review: Our experts will manually review the codebase, keeping an eye out for logical issues that automated tools might miss.

Testing: Verify the existing test cases and recommend additional tests if needed to ensure

comprehensive coverage. Vulnerability Assessment: Employ a checklist-based approach to ensure all known smart contract vulnerabilities are checked.

Quality check: The report is quality checked by other Hashlock team members, before delivery.

Post-Audit Meeting: Discuss the findings with the client, explaining any issues found and

recommending possible solutions. Identify highlights of the project and opportunities for

improvement on a go-forward basis.

Re-review: Following a remediation period, the Client can re-submit code for a re-review of

relevant findings. We allow for two fix-reviews as part of our project cost.

Note: Many audit firms charge a day-rate, where Hashlock charges for the entire duration of the project, so there are no hidden or extra cost at any point during an audit

2 Likes