AZ Chainsafe Bridge Audit FOR VOTE

@romeo and @sumamu and I are talking to the ChainSafe team to audit the Solidity contract ONLY. They have proposed the following.


Estimate: 1 eng-week @ USD$17,000/week (Which includes their discounted rate)
Duration: 1 week
Start date: TBD (We have an available slot for next week, or after mid-June)

Note: Our service involves two auditors independently checking code before coming together to compare results and produce a report. We then give you the opportunity to fix changes, followed by the compilation of a final report after those changes are made.


We asked for an additional discount and are awaiting feedback. ChainSafe seems to have a very good reputation and @aliencoder recommended them over Certik. We also asked for them to tweet their report after we make recommended changes.

You can see some of the ChainSafe Clients here: ChainSafe Systems - Blockchain Research and Development

I am prepared to fund this with my own money and seek reimbursement from AZ at an exchange rate of $1.20 / $0.12 for every USD. I will not negotiate this rate. I need to form an LLC to sign this contract. I will need to file a tax return, claiming the income and expense and expose myself to audit.

If anyone else wants to take this on and bid a higher exchange rate (1.21 / 0.121 for example), please do so. Otherwise what does the community think about this proposal?

  • Yes I support this
  • No I do NOT support this
  • Yes I support this but bid a higher rate below
0 voters

UPDATED 24 April 23

ChainSafe is under contract. We have agreed to a lower price than 17K but there could be additional engineering time if they find any critical bugs. The community clearly supports this initiative given the vote results. I am going to submit (2) AZs that total up to $17,000 USD per the terms above. Once approved and the assignment is complete, I will request funding for the actual cost spent. I will document and support those costs.

AZ#1 = $12,000 USD
4,157 ZNN @ 1.20 = $4,988
50,000 QSR @ 0.12 = $6,000

AZ#2 = $5,000 USD
10 ZNN @ 1.20 = $12
50,000 QSR @ 0.12 = $6,000

AZ1 + AZ2 = $17,000
$10,988 + $6,012 = $17,000

3 Likes

security is important, def pays for itself

1 Like

It’d be great to get the solidity contract audited.

Do they have the capability/willingness to audit the NoM code updates as well? Any idea on price for this?

I assume it would cost quite a bit more, but may be worthwhile given the potential impact of a bridge hack.

We haven’t asked yet for anything else, need to solve a few issues first before moving ahead with this audit (KYC, payment etc) and then see where it goes

This is exactly the kind of community initiative that moves the entire project forward. I’m backing @0x3639 and I think the sooner we get it done, the better. There was an opening next week and if we’d manage to get that one we might even have the bridge audited before it’s even launched.

As I mentioned on TG, ChainSafe even developed a bridge (Sygma) so they must have the necessary experience to audit one.

6 Likes

Awesome. Thank you. I’m ready to go once they get back to us on a final price. We can have them signed up by tomorrow.

4 Likes

I support that even if I still think Gorg is Mr. Kaine

1 Like

looks like everyone supports this. I’m trying to work out final details today. Will report back.

4 Likes

We came to an agreement. I will be signing the agreement and they will start work on Monday next week. They have agreed to a lower price but I might be subject to a confi, so I need to read that before sharing the number. It’s less than the 17K approved in the vote above.

FYI - @sumamu @aliencoder

5 Likes

I removed the Scope of Work. I want to double check it’s not confidential.

Thank you for your services ser!!

Since Chainsafe’s going to be initiating the bridge’s audit on Monday- wouldn’t it be more reasonable to push the launching of Sumamu’s bridge until they give the green-light?

3 Likes

Absolutely, the deployment of the bridge solidity contract will be postponed until after the audit is completed and all vulnerabilities are resolved (if there are any).

The network upgrade featuring the bridge embedded contract should stay on course.

3 Likes

I think this topic should’ve been in the Funding | Staging category, otherwise we can make a new major category for security. It’s not entirely a development task while it does touch the subject. If that’s okay, I’d like to move it. Also the az tag used is not what we use here to highlight an AZ candidate, we use the staging sub-categories cc @SugoiBTC

AZs submitted for approval.

2 Likes

Thank you for pushing this forward 0x, great work. Did I understand correctly that ChainSafe may bill more than the estimated $20k if they find a critical bug they need to investigate?
If the actual expenses go over $20k, I’m assuming you’d make a third AZ request to cover them?

1 Like

It’s only fair.

1 Like

The actual cost is less than 20K. I’ll DM you the amount. By asking for up to 20K we should have enough to code the audit, filing fees, and time to research 1 or 2 critical bugs. If we exceed 20K I would need to ask for a 3rd AZ to cover that cost, but I don’t think we will blow that budget.

3 Likes

It’d be good if we can link the results of the audit here in this thread (in addition to wherever else it’s being posted). I’m making a thing which discusses the bridge, and my link about the ChainSafe audit goes to this forum post.

We’ll create a dedicated topic and pin it when the results are in I think, will give newcomers confidence when searching info about the bridge hopefully

2 Likes

I just made the first payment to ChainSafe - $7500.

6 Likes