Requested amount:
0 DOT

#1520 · {Vote Nay, opting PAL bounty} Audit sponsorship of micro-sr25519 package by Paul Miller (2/2)

Overview

The micro-sr25519 package, developed by Paul Miller as an extension to @noble/curves to support the Polkadot ecosystem, is now ready for the auditing phase. For this phase, Paul suggested going with a firm other than Cure53, since most of his work is already audited by Cure53. So we (Edgetributor SubDAO) explored multiple auditing firms over the last couple of weeks and shortlisted 3 firms for the final evaluation. We then reviewed the scopes and offerings of those 3 firms based on the backgrounds of the auditing researchers they offered, their experience, stack familiarity, total number of researchers proposed in the scope, Polkadot ecosystem familiarity, low-level JS/TS experience and familiarity with cryptographic curves. Oak Security is the firm that turned out to be superior to the other offerings in this specific case. (If anyone wants to know more about the other firms or their offerings, feel free to reach out to us on Twitter.)

Previously approved development proposal: https://polkadot.polkassembly.io/referenda/1165

Audit TL;DR:

  • Type: Premium Security Audit
  • Cost per week for Audit: 44000 USD
  • Cost per week for Fuzzing: 10000 USD
  • Scope length: 0.6 week for audit, 0.8 week for fuzzing
  • Total cost: 34400 USD
  • No. of researchers involved: 5
  • Requested payment mode: USDC on Ethereum

Detailed audit proposal: https://drive.google.com/file/d/1rdOtoEtgHXrJxX3lPu1khv8deEOcwKz3/view?usp=sharing

About Paul Miller

Paul is the founding developer behind the @noble packages, which are used across different web3 ecosystems. He is well known for his contributions via the @noble/curves and @noble/hashes packages, which are directly or indirectly used by the majority of modern web3 protocols, tooling and platforms, including the forum you are reading this proposal on!

About Oak Security

Oak Security GmbH provides security services in the web3 space, such as threat modeling, penetration testing, security audits, and fuzz testing while following a multidisciplinary approach in their services.
Based in Munich but operating worldwide, they currently use a pool of 52 highly qualified security engineers and researchers. They operate under two brands: The Solidified brand focuses on EVM-based blockchains, while Oak Security caters to a wider blockchain ecosystem, with departments focusing on the security of Rust and Go source code, low-level protocol security, and infrastructure security, which goes beyond the realm of traditional smart contract security.

Importance

Although many Polkadot ecosystem tools and products have already started adopting the micro-sr25519 package, Paul Miller himself advocated getting the package audited before it is used in any production deployment. Currently there is an open pull request to switch the PolkadotJS suite from @polkadot/wasm-crypto to the micro-sr25519 package, for ecosystem-wide security and performance benefits.

Edgetributor SubDAO’s role

What started as a quest to get a missing component required for our project developed has come a long way, to the benefit of the whole Polkadot ecosystem. Edgetributor SubDAO, as the curator of this proposal, will represent Oak Security in OpenGov and in other operational duties. Edgetributor SubDAO will be responsible for the custody of the USDC (in a multisig), which is to be disbursed to Oak Security in the two phases mentioned below. Oak Security also requires a legal entity to sign the contract; for that purpose Edgetributor SubDAO will use the legal entity of the Edgeware DAO Association (a Swiss association), saving the cost and time that involving PCF would require.
The entire amount corresponding to this proposal (except the refundable bridging buffer) will go to the auditing entity, Oak Security. Throughout this process, neither Edgetributor SubDAO, Edgeware DAO nor any Edgeware contributor benefits financially in any way. We are interested in exploring the BD bounty for the time and effort contributed so far, especially for the screening of the auditing firms, the comparative analysis of their offerings and the follow-ups.

Budget and Timeline

Budget distribution:

  • Requested amount: 34400 USDC
  • Refundable bridging buffer: 100 USDC (to swap USDC on AssetHub to Wormhole USDC on Hydration and then bridge it further to Oak Security’s address on Ethereum)

Notable terms:

  • 50% (17200 USDC) will be disbursed at the start of the audit.
  • The other 50% (17200 USDC) will be disbursed on receipt of the initial audit report.
  • The remaining amount from the refundable bridging buffer will be sent back to the treasury.

Total: 34500 USDC

Multisig: 14XNJmoUzkvmh9cYoqG4axBRR4BWzWRbnFP79oiZgKu7V9bz

Status: Deciding · 19d (decision period 8 / 28d)
Aye: 33 votes, 198.62K DOT · Nay: 174 votes, 24.55M DOT (99% Nay)
Support: 0.01% (117.19K DOT) against an issuance of 1.55B DOT

We request everyone to vote Nay on the proposal, as we will most probably be opting for the PAL bounty's Common-Good Functionality track:

https://x.com/TheKusamarian/status/1911313406855966981


We are already in contact with the PAL bounty; thanks to 0xTaylor for initiating the discussion and a channel in the dotPAL server.
We are hopeful that the necessary adjustments will be made to the 30-day DOT EMA price rule for the payout as suggested by Permanence DAO.

@14rp4CvtyN3WSftrndyNxjJFi4cGXsgrE9gFr528QSYFvPTu 
Thank you, looking forward to the possibility of the adjustment in the EMA calculations.

Apr 11

Dear @Shankar | Edgeware DAO,

Thank you for your proposal. After initial discussion and research, we consider the Polkadot Assurance Legion (web, Twitter) bounty to be an appropriate source of funding for this proposal. We have contacted Valery (Twitter) from the bounty team for confirmation.

Therefore, our first vote on this proposal is NAY. Our impression is that the team's requirement to receive stablecoins can be addressed through necessary adjustments to the EMA calculation applied by the bounty curators.

Please feel free to contact us through the links below for further discussion.

Kind regards,
Permanence DAO
Decentralized Voices Cohort IV Delegate

📅 Book Office Hours
💬 Public Telegram
🐦 Twitter
