Author:
Payout recipient:
CertiK (wallet address TBD)
PeckShield (0xf87099C8EDE8Cb6267B9A1bF7bDfb98504062815)
Proposal date:
12/11/2021
Provide a comprehensive, 1-2 sentence summary of your proposal.
With the launch of V2.0 the JuiceboxDAO would like to conduct an end-to-end audit of the updated smart contracts. This audit will help minimize the risk of future smart contract exploits and increase the security and reliability of the system.
After review and negotiation with multiple potential providers, we have identified CertiK and PeckShield as potential providers.
CertiK is a known provider in the space and has previously conducted audits for projects such as Polygon, Bancor, Terra and The Sandbox. The company has been in operation since 2017 and has raised over $150M from various backers including Lightspeed, Tiger Global, and Coatue.
PeckShield is a smaller company that has worked on multiple DeFi projects including Aave and Maker, as well as protocols such as Harmony and Neo. While less known in the Western Hemisphere, PeckShield is a known brand in Asia.
What is this payout for?
Security audit of the smart contracts located in the following Git repository: https://github.com/jbx-protocol/juice-contracts-v2. The targeted start date of the audit is mid-January and the projected length is between 21 and 30 days for completion of both audits.
Payout Amount
Total: $120K
PeckShield: $66K ($12K paid upon agreement to reserve a slot). This was prepaid by Jango and requires an immediate refund of 3.15 ETH (https://etherscan.io/tx/0x2291ca5b937422cfba3491117ac5b3fd20777911aadf75bd567d27e1a28529dd)
CertiK: $54K
Payout invoice
PeckShield reserve payment txn: https://etherscan.io/tx/0xfc55a16ba647423580082bfc97f8c62f711acab78aa0a85473a94c249efbdd4e
What risks, drawbacks, or cons should be considered?
Two key risks:
1. Counterparty payment - we pay to the wrong ETH address; mitigated by communicating only through the provider's official channels and confirming the payout address there before any transfer.
2. Poor performance - the audit provider does not do a good enough job and fails to identify potential exploits/bugs; mitigated by a secondary audit and a potential bug bounty program (bug bounty program launch proposed here: [https://www.notion.so/juicebox/1a29a07bb815419996be81f24fef19a7?v=a317549fdf6f457b98fe787e38c3d2ae&p=18cf1b7d1c8c426fa0753163f59adbc4](https://www.notion.so/juicebox/1a29a07bb815419996be81f24fef19a7?v=a317549fdf6f457b98fe787e38c3d2ae&p=18cf1b7d1c8c426fa0753163f59adbc4))