Proposal 28: Mixbytes security audit subscription service for PowerPool

Context

The security of any DeFi project is a key factor in the successful development and growth of its capitalization. The latest high-profile hacks on the market (more than $120M over the last year) confirm the conclusion that the process of auditing smart contracts should be constant and built into the process of releasing new protocol functions.

However, hiring qualified and experienced auditors, or hiring them on a project-based basis, presents challenges to the availability of audit teams. Classic bug bounty programs cannot always attract the necessary specialists, since they do not guarantee compensation for the time spent on searching for vulnerabilities.

We offer a security audit subscription service that will solve the above problems.

The subscription service offer is designed for blockchain projects with continuous code output that require availability and timeliness of the security audit process. It will be suitable for projects such as PowerPool, since it triggers constant updates and improvements, which should be audited prior to the launch into mainnet.

The benefits of the subscription are as follows:

  • Continuous security check without time loss and acceleration of deployment into production
  • Security auditors capacity & availability guarantee
  • Savings on audit as a service cost compared to ad-hoc audits
  • The audit team is always up to date and stays current with the development context

Scope of work within security audit subscription service

For each new project / smart contract submitted for an audit as a part of the subscription service, MixBytes undertakes to perform the following scope of work:

  • Project architecture review
  • Reviewing project documentation
  • Reviewing logic and performance
  • Mockup prototyping
  • Checking the system for compliance with the stated requirements
  • Detecting specific and known vulnerabilities and attack vectors (e.g. reentrancy, gas limit, flashloan attacks etc.) according to the Company’s internal checklist
  • Identifying language-specific issues
  • Analyzing invariants, mathematics and code self-consistency
  • Analyzing cryptographic primitives
  • Static analysis (by Slither)
  • Exploits PoC using brownie test environment
  • Interim report with the list of vulnerabilities with recommendations on improving the source code
  • Re-audit after bug fixing
  • Final PDF security audit report with statuses on every vulnerability found
  • MixBytes’ GitHub public audits repository entry (optional)
  • Announcement about passing the audit on the official MixBytes’ Twitter (optional)

Motivation

  • Depending on codebase volume the annual budget may amount to $200 000

  • Recurring subscription to continuous audit and code review: the client pays an advanced fixed amount for each subscription period; MixBytes, for its part, guarantees constant availability of the audit group, consisting of 2 auditors and 1 tech lead, subject to the subscription package chosen.

  • Since the auditors group will be constantly available, it will allow auditing the guaranteed amount of code every month. It will allow the PowerPool team to deliver new products and updates faster and be sure that there is available audit capacity for new code.

Payments

The auditors team will be paid every month in CVP based on the monthly bill. Bills can vary based on the amount of work done. The team will send CVP from a multi-sig wallet at the end of every month based on the CVP/USDC exchange rate calculated at the 1inch.exchange aggregator. For a year of audits, the budget of $200,000 in CVP equivalent will be reserved if this proposal is approved.

Reports

The auditors team will provide detailed reports regarding their work with PowerPool code every month on the community forum, including security reports.

By approving this proposal, you vote FOR starting continuous security reviews by MixBytes paid by the CVP community.

By rejecting this proposal, you decline continuous security reviews for PowerPool code offered by MixBytes.

Estimated start date of work within the subscription: based on agreement with PowerPool core team.

About MixBytes

MixBytes() is a fully staffed team of engineers, auditors and analysts, experienced in decentralized systems and blockchain technology. We are among the top leading audit firms in the market. We have performed security audits for well-known DeFi projects such as Aave, Curve Finance, Yearn Finance, 1inch, PieDAO, Sushiswap, Cover protocol, Opium protocol, Aragon, Biconomy, Akropolis, etc.

I personally believe that attention from top firms of the crypto industry, such as MixBytes, Pessimistic, Wintermute, and FalconX is a great sign of growing awareness.

I’m all in for security audits, as I’m aware of how important they are for new features roll-out. From your proposal, I can understand that 200k USD is reserved, but we are getting charged monthly based on the amount of work you have done. Hence, the final cost depends on the number of services provided.

If I got you right, then I support this proposal, as it will allow PowerPool to get audits done fast and release new features as planned.

I know that xCVP code was ready a while ago and audits are the only thing left before the release. Given the amount of upcoming releases and new Indexes, and the amount of demand for auditors’ services, subscription and fund reservations are a very good idea.

Support

I think that it is a great step forward in the DAO industry. PowerPool starts to work with top-tier market-makers and security auditors being a DAO. It is really great and proves that DAO is an organization of the next generation. I am excited to see how PowerPool develops based on community decisions.

Let’s push it, guys! When will it go live?

Audits = king.

Strongly for this idea.

Love subscription style btw.

FOR this. I believe this is a rare example when the word “agile” means something good in practice.
To move fast we need to have audited elements being shipped quickly, and a subscription type of service is the only way not to get stuck in a jam of numerous protocols waiting for audits.
And MixBytes is a team of tech veterans who have been auditing DeFi projects since before the summer of 2020.

So this would mean that Pessimistic (their proposal has already passed) and MixBytes will be auditors (if this proposal passes)?

My understanding - we need both teams

I agree. It’s better to have both so it increases the probability of finding bugs. So does this mean that when the team develops any code in the future, they will pre-book a slot with both audit firms at the same time?

Maybe not both firms at the same time, but at least with one of them, so we don’t need to wait for a month to launch xCVP next time :sweat_smile:

So true, whether it be one or two auditors we will def benefit from the reduced waiting time for audits which is a real bottleneck, it’s a painfully long wait :stuck_out_tongue_closed_eyes:

The team innovates and implements so fast, which is perfect, and a reserved priority on fast and secure audits is exactly what we need.

I support this proposal since it is an essential first step to providing insurance alternatives to investors/stakers such as a listing on Nexus Mutual/Armor, in the case of user-facing insurance options, or Certik in the case of protocol-facing insurance options, or both which generates maximum publicity.