tags: Proposals

Venus Proposal Cantina Managed

TLDR

The Venus engineering team has approached Spearbit to review Isolated Pools, Staking gated yield boosting, a stable rate borrow replacing the comptroller with a diamond proxy and two other features yet to be decided.

This proposal is a cost efficient and lower coverage alternative to a full Spearbit engagement, where a reduced security team from Spearbit is hired on the Cantina application to review the target scope.

The full cost for a Cantina Managed review, targeting the code in scope and lasting for 10,5 weeks (~2.5 months) amounts to a discounted rate of $422,625.


Background

This proposal is presented to the Venus community as an alternative to a full, high-coverage Spearbit security review. The Venus engineering team has requested that cmichel be part of the engagement; we shall bring him onto the team as Lead Security Researcher.


About Cantina Managed

Cantina offers security services to top-tier protocols by leveraging a network of the most talented blockchain security researchers in the crypto space.

While Cantina Managed reviews are overseen by Spearbit, a full Spearbit review brings with it more extensive coverage.


Proposal

We approach each and every review with care, striving to understand the whole protocol's security posture and development lifecycle before issuing a quote. We do not count lines of code and return with a 'price'; we look at your security needs and assemble the right expertise to fulfill them transparently, working with you throughout the whole process from beginning to end.

  • Venus Proposed Scope:
  1. Isolated Lending: VenusProtocol/isolated-pools.
  2. Staking gated yield boosting: VenusProtocol/venus-protocol/pull/244.
  3. Stable rate borrow, replacing the Comptroller implementation with a Diamond Proxy: VenusProtocol/venus-protocol/pull/244.
  4. Tokenomics automation: TBD.
  5. Cross chain borrow: TBD.
  • Complexity
    The complexity of this engagement is not trivial. Protocols using Compound mechanics have a track record of security incidents: for example, 2 months ago another protocol was exploited for $7.4M, Rari Capital pools were drained for ~$80M, and Venus itself has had a couple of incidents before.
    Changing a critical component such as the comptroller for a Diamond proxy pattern is risky due to low level storage manipulations.
    Features involving cross-chain communication are inherently complex due to their novel nature, and the probability of finding vulnerabilities in them is rather high.

  • Cantina Managed Team composition
    1 Lead Security Researcher: cmichel, 1 Security Researcher: TBD, and 1 Associate Security Researcher: TBD.

  • Timeframe
    Tentative 10,5 weeks (~2 months) which can be adjusted based on final scope and complexity, with a 2 week free vulnerability remediation period.

  • Engagement type: Retainer
    In contrast to separate, individual reviews, a retainer model ensures the availability of the security team. Its continuity also allows the team to accumulate knowledge and context regarding the codebase, increasing coverage and confidence while reducing the friction that changing teams introduces, such as the time spent re-learning the system.


  • Final Cost
    Note that the Security Researcher and Associate Researcher have been Dynamically Priced under their average rate. An additional 5% discount on Spearbit's network fee has also been applied to facilitate this opportunity.
    All fees and rates are transparently communicated. You can learn more about them here: Base-rates-billed-per-engineering-week.
