Motivation
Security is crucial for any blockchain project, and bugs are expensive. One of the obligatory security measures every team must consider is a timely security review of the code by third-party specialists. The usual scheme is develop-audit-recheck-deploy. However, PowerPool develops at a very high speed, and the traditional approach does not work well for it.
Instead of making big isolated releases, the team moves at a high pace and delivers code updates every month. This makes audits hard to plan and calls for pre-booked time of the auditing team, so that it can react quickly to input from the development team.
Specifications
We outline the following objectives of the continuous reviews:
- Increase the overall security of the final code.
- Increase the efficiency and decrease the cost of the development.
- Speed up the delivery of the security reports, allowing the team to deliver more code and product updates.
We propose the following measures:
Dedicated time of the audit team. Each month we pre-book a fixed amount of time for the security reviews of the new code developed by the PowerPool project. This guarantees our availability for security audits of PowerPool code when it is ready to be audited, and lets us deliver the audit reports within a month.
- We book the timeslot at least one month in advance, so we can arrange our schedule accordingly. We advise the PowerPool team to inform us about changes to the code delivery date as early as possible, so that we have the possibility to adjust the timeslot.
- If the code is not ready for the audit by the beginning of the reserved timeslot, in most cases we will not be able to move the timeslot ad hoc.
- If the amount of time needed for the audit of the delivered code exceeds the booked timeslot, the audit continues in the next month.
Of course, in any of these edge cases we will actively cooperate with the PowerPool team to fulfill the needs of the project in the most timely manner.
Continuous project support. We make “global” recommendations on the system design, documentation, tools, and development practices as early as possible.
When new code is delivered, we review all code changes and prepare a report with the vulnerabilities, bugs, bad practices, and inconsistencies with the planned functionality that we find.
Cost
6600 USD / month
This includes 40 dedicated man-hours of the security team.
For reference, we usually spend 40 man-hours on the audit of 1000 physical lines of unique Solidity code (sloc-p), including preparation of the audit report, interaction with the development team, and one re-check of the amendments made based on the results of the audit.
The payment procedure
The continuous security reviews service will be paid from community funds. For this purpose, the team will send CVP from a multi-sig wallet at the end of every month, based on the CVP/USDC exchange rate quoted by the 1inch.exchange aggregator.
The address to be used for payments is:
Reports
The audit team will provide detailed reports on its work with the PowerPool code every month on the community forum, including the security reports.
By approving this proposal, you vote FOR starting continuous security reviews by Pessimistic, paid for by the CVP community.
By rejecting this proposal, you decline the continuous security reviews of PowerPool code offered by Pessimistic.