DXswap Scheme Audit Proposal

In the post Proposal Monitoring and Code Auditing, in the second section that is labeled “External Auditing Relationship,” I summarized my findings in looking for an auditing relationship for DXdao.

Of the current efforts underway by developers working on DXdao, the following require audits, in the order listed:

  1. DXswap scheme
  2. Omen arbitrator
  3. Wallet scheme
  4. New voting machine with refunds
  5. Guilds

Below is a draft proposal to work with independent auditor Phil Hofer on auditing item 1, the DXswap scheme.

Phil Hofer (Sunfish Technology, LLC) is an experienced security engineer with four years of smart contract-related auditing experience. He has worked with dozens of clients to help secure over a billion U.S. dollars worth of cryptocurrency managed by smart contracts. His current and former clients include banks, “stablecoin” guarantors, DAOs, and large ERC20 token issuers. His professional practice also includes auditing of conventional security-critical software and firmware.

Draft DXswap Scheme Audit Proposal

DXswap Scheme Contract: https://github.com/nicoelzer/dxswap-scheme-preview/blob/master/contracts/schemes/GenericSchemeMultiCall.sol

Cost
$7200, paid in ETH in two parts, half upfront, half upon completion. Since DXdao can only pay in ETH for the time being, this proposal stipulates that if volatility negatively affects the dollar amount of ETH paid upon the proposal passing, then Sunfish Technology, LLC may make an additional proposal for the difference.

Scope
Includes a line by line review of the following:

  • contracts/schemes/GenericSchemeMultiCall.sol
  • contracts/votingMachines/IntVoteInterface.sol
  • contracts/unversalSchemes/UniversalScheme*.sol
  • contracts/votingMachines/VotingMachineCallbacks.sol

For the rest, enumerated below, documentation will be relied on for the purpose of the audit:

Timeline

The report will take four business days to complete, and will begin on a business day no earlier than September 8th. The report will be delivered at the end of the fourth business day of work. (For example, a start date of September 8th would mean delivery at end-of-day September 11th.)

The first half of payment is included in this proposal, and a proposal for the second half of the payment will be made upon the report being delivered.

THIS AUDIT IS PROVIDED BY SUNFISH TECHNOLOGY, LLC. “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL SUNFISH TECHNOLOGY, LLC. OR ITS OWNERS OR EMPLOYEES BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS REPORT, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

6 Likes

This is very important for DXswap and also important to continue to establish the reputation of DXdao. DXdao is cool but we don’t “test in prod”. We stress security.
This is also a great example of how DXdao can get things done - quickly and efficiently. Hire good people to work on one-off projects. If successful and satisfied, continue with additional work.

3 Likes

let’s do it.

(posts have a 20 character minimum, so here)

2 Likes

Thanks for moving this forward John! Having an experienced, independent auditor on board feels like a perfect solution for our need – we can not only ensure that we deliver highly secure & trusted infrastructure/products but also make sure we can keep going fast.

Looking forward to the collaboration with Phil.

3 Likes