###### tags: `Proposals`

# Venus Proposal Cantina Managed

## TLDR

The Venus engineering team has approached Spearbit to review [Isolated Pools](https://github.com/VenusProtocol/isolated-pools), [Staking gated yield boosting](https://github.com/VenusProtocol/venus-protocol/pull/196), [a stable rate borrow replacing the comptroller with a diamond proxy](https://github.com/VenusProtocol/venus-protocol/pull/244) and two other features yet to be decided.

This proposal is a cost-efficient, lower-coverage alternative to a full Spearbit engagement, in which a reduced security team from Spearbit is hired through the Cantina application to review the target scope.

The full cost for a Cantina Managed review, targeting the code in scope and lasting 10,5 weeks (~2.5 months), amounts to a discounted rate of $422,625.

## Background

This proposal is presented to the Venus community as an alternative to a full, high-coverage Spearbit security review.

The Venus engineering team has requested that [cmichel](https://twitter.com/cmichelio) be part of the engagement; we shall bring him onto the team as Lead Security Researcher.

## About Cantina Managed

Cantina offers security services to top-tier protocols by leveraging a network of the most talented blockchain security researchers in the crypto space. While Cantina Managed reviews are overseen by Spearbit, a full Spearbit review brings with it more extensive coverage.

## Proposal

We approach each and every review with care, striving to understand the whole protocol's security posture and development lifecycle before issuing a quote. We do not count lines of code and return with a "price"; we look at your security needs and assemble the right expertise to fulfill them transparently, working with you throughout the whole process from beginning to end.

- **Venus Proposed Scope:**
  1. Isolated Lending: [VenusProtocol/isolated-pools](https://github.com/VenusProtocol/isolated-pools).
  2. Staking gated yield boosting: [VenusProtocol/venus-protocol/pull/196](https://github.com/VenusProtocol/venus-protocol/pull/196).
  3. Stable rate borrow, replacing the Comptroller implementation with a Diamond Proxy: [VenusProtocol/venus-protocol/pull/244](https://github.com/VenusProtocol/venus-protocol/pull/244).
  4. Tokenomics automation: *TBD*.
  5. Cross chain borrow: *TBD*.

- **Complexity:** The complexity of this engagement is not trivial. Protocols using Compound mechanics have a track record of security incidents: for example, 2 months ago another [protocol got exploited](https://rekt.news/hundred-rekt2/) for $7.4M, Rari Capital pools [were drained](https://rekt.news/fei-rari-rekt/) for ~$80M, and Venus itself has had a couple of incidents before. Replacing a critical component such as the Comptroller with a Diamond Proxy pattern is risky because of the low-level storage manipulation involved. Features involving cross-chain communication are inherently complex due to their novel nature, and the probability of finding vulnerabilities is rather high.

- **Cantina Managed Team composition:** 1 Lead Security Researcher: [cmichel](https://twitter.com/cmichelio); 1 Security Researcher: TBD; and 1 Associate Security Researcher: TBD.

- **Timeframe:** Tentatively 10,5 weeks (~2 months), which can be adjusted based on final scope and complexity, with a 2-week free vulnerability remediation period.

- **Engagement type: Retainer.** In contrast to separate, individual reviews, a retainer model ensures the availability of the security team. Its continuity also allows the team to accumulate knowledge and context regarding the codebase, increasing coverage and confidence while reducing the friction introduced by changing teams, such as the time spent understanding the system.

- **Final Cost:** Note that the Security Researcher and Associate Security Researcher have been dynamically priced below their average rate. An additional 5% discount on Spearbit's network fee has also been applied to facilitate this opportunity. All fees and rates are transparently communicated; you can learn more about them here: [Base-rates-billed-per-engineering-week](https://hackmd.io/@spearbit/rJB2dPGwq#Base-rates-billed-per-engineering-week).

![](https://hackmd.io/_uploads/S1zaJYVwh.png)