Proposal Monitoring and Code Auditing

With $11M worth of crypto in the treasury and a financial product suite, security is of the utmost importance to DXdao. I wanted to take this opportunity to point out a couple of key security initiatives.

1) Proposal Monitoring

It is important that DXdao REP holders are fully aware of proposals being made to DXdao so that they can vote/stake to prevent any malicious proposals from passing. There are three projects which help the DXdao community track proposals beyond just seeing them in Alchemy:

a) DAOstack is privately running a Telegram bot and has invited DXdao developers to join this group.

b) AugustoL has developed a snapshot tool which can be run locally on your machine and gives a printout of current proposal activity:

c) Nico has developed the DXdao Keybase security bot. The outputs can be seen in the dx_dao#Security channel.

I encourage all DXdao members to use option b, and keep an eye on option c, in addition to cross checking these with the Alchemy UI: https://alchemy.daostack.io/dao/0x519b70055af55a007110b4ff99b0ea33071c720a/schemes

2) External Auditing Relationship

In accordance with my worker proposal, I have been exploring potential auditing relationships for DXdao. The DAOstack governance framework has been audited and the smart contracts backing Omen and Mesa, namely the Conditional Token Framework and the Gnosis Protocol, have also been audited. But in addition, DXdao has a few ongoing and upcoming efforts that will benefit from auditing. First, DXdao is adding integrations between the governance framework and other smart contracts. This includes adding DXdao as an arbitrator on Omen, managing fees and providing liquidity on DXswap, updating configuration of the bonding curve, and many other possibilities. Second, DXdao is exploring new governance contracts for Guilds that would allow communities within DXdao to exercise governance over specific products, allow specific communities to have a vote in DXdao, and also allow DXdao to provide governance as a service to projects such as DMM. Lastly, DXdao may make smart contract updates to products such as DXswap, Omen, or products not yet planned.

I will present my findings here and also make a recommendation for the path I believe DXdao should take. I spoke with three reputable name-brand firms and two experienced independent auditors. One of the name-brand firms was recently acquired by a larger organization and requires a registered entity as counterparty for any of its work, thus making an engagement with the DXdao infeasible. One of the independent auditors did not have availability until October. Presenting them all with the same audit request, I received price quotes from the other two name-brand firms and the other independent auditor. The price quotes from the name-brand firms are marked confidential. In an effort to respect this, I will refrain from naming the firms, saying the exact prices, or revealing the reference request. What I will reveal is that for the same audit request, the name-brand firms were about 2.5 times as expensive as the independent auditor. With the upcoming efforts of the DXdao, this could translate to an auditing bill in the hundreds of thousands of dollars just in the next 6 months or so. While the DXdao treasury has been doing well, and there is currently 9038 ETH in the treasury with a current value of $3.99M, my sense is that spending 10% of the ETH treasury on auditing in a matter of months is not prudent. I recommend that the DXdao engage with an independent auditor in order to responsibly roll out product and governance updates while also being responsible stewards of the treasury.

The auditing posture can be revisited on a regular basis to account for new projections on the product roadmap and also the state of the treasury. Perhaps if the treasury grows, then engaging a name brand auditor will make more sense. If there is enough positive feedback from the community, I will help the independent auditor I approached make a proposal to DXdao for the next auditing priority selected by the developers working for DXdao.


I trust your judgment on this. Down to not get squeezed by big firms for a job that can be done just as well. DM me if you spoke with Zokyo already.
