Finished

JBP-206: Sponsor Code4rena Audit

Author

Anon

Cycle

24


Title: Sponsor Code4rena Audit
Author: Nicholas
Date: 2022-06-02

Thesis

Sponsor a $75k Code4rena audit of the v2 contracts, which will cost $100k plus a $10k deposit that will be refunded upon completion of post-audit evaluation (the Sponsor Task Refund).

Abstract

Sponsor a $75k Code4rena audit of the v2 contracts. This will cost $100k (incl. 25% fee) and also require that the DAO place a $10k deposit that is refunded when we complete the post-audit feedback form. In total the DAO is asked to

Motivation

Juicebox V2 contract integrity is a top priority for securing the DAO’s future. This proposal will further bulwark the v2 contracts and also get many skilled devs’ eyes on the code.

A word on different types of audits and bug bounties:

  • Traditional formal audits have an audit firm review the code in detail. Juicebox has already been through two of these.
  • A Code4rena audit bounty mobilizes a larger number of devs to work through the code and possibly spot bugs that the small teams of dedicated auditors missed. This is a good thing to do after a formal audit to get more eyes on the code.
  • Immune.fi (Update JBP-42 - JBX Bug Bountys) is a bug bounty intended for post-launch. If someone finds a bug, they can either exploit the protocol or claim the Immune.fi bounty; the bounty exists so that responsible disclosure is the more attractive option.
  • Each of these serves a different purpose and this is why they each deserve funding.

Risks

We spend money that would be better kept in the treasury given the bear market. The audit attracts little attention. The audit is delayed.

Specification

Full details for operations logistics are included in the Code4rena agreement. The DAO is not required to sign this document, but it details the expectations and responsibilities of all parties.

The multisig will send 110,000 USDC to 0xC2bc2F890067C511215f9463a064221577a53E10 no later than 20:00 UTC, June 18, 2022.

To secure the contest dates, the DAO must send 25% of the total (27,500 USDC) to the above address. If an individual member of the DAO pays this money up front to secure the contest time frame, the multisig should reimburse that DAO member directly, then pay the remaining 82,500 USDC (110,000 minus the 27,500 already paid) to the above address.

Complete Sponsor Refund Tasks within 14 days of contest end to receive $10k refund:

> Sponsor shall evaluate the Findings by completing four (4) categories of critical tasks (“Sponsor Tasks”) within fourteen (14) days of the Contest End Date, unless otherwise agreed to in writing by both Parties. The categories of Sponsor Tasks are (i) assess potential duplication of Findings; (ii) independently evaluate severity of individual Findings, (iii) provide brief response to each Finding; and (iv) share steps taken to mitigate Findings if available

Contest start date: June 21, 2022

Contest end date: June 28, 2022

Rationale

Code4rena is an audit marketplace. Many participants compete to win an audit bounty. It has a good reputation and is trusted by many top protocols for audit bounties (most recently OpenSea Seaport).

Another audit would be a wise investment given that Juicebox’s future rides on the integrity and quality of the v2 code.

This will also attract attention to the Juicebox v2 code amongst the elite set of developers competing in audit competitions on Code4rena. It will be a side benefit to be on their radar, and to increase familiarity with the protocol’s mechanisms amongst this rarefied community.

Code4rena is also a reputationally impactful service provider. It is a mark of quality to be amongst the top-tier projects on the site, such as OpenSea, Backd, Alchemix, Aave, Badger, Velodrome, PoolTogether, Tribe, and so on.

Timeline

Coordinate with Code4rena June 1-14

Run contest June/July, their schedule permitting

Copyright and related rights waived via CC0.
