tags: Proposals

Venus Proposal Spearbit Review

TLDR

The Venus engineering team has approached Spearbit to review Isolated Pools, staking-gated yield boosting, stable-rate borrowing together with the replacement of the Comptroller implementation with a Diamond proxy, and two further features that are yet to be decided.

Based on the risk and complexity of this review, and on the high demand for researchers with the specific skillset required to ensure high-quality coverage of the codebase, we offer a discounted quote of $664,125 for a review spanning 10.5 weeks (~2.5 months).

Read about Spearbit and the proposal below!


Background

The Venus engineering team demonstrated a proactive commitment to security by approaching Spearbit with a request to audit their contracts.

At Spearbit we deeply care about the security posture of our clients and strive to provide honest, transparent value by leveraging our expertise in information security and engineering processes.

Therefore, we are presenting this proposal for the Venus community to review, vote on, and decide whether to collaborate with Spearbit over the next couple of months to examine a series of sensitive protocol changes and integrations.


About Spearbit

Spearbit offers security services to top-tier protocols by leveraging our network of the most talented blockchain security researchers in the crypto space.

We work with, and have conducted security reviews for, the most prominent firms in the industry, including OpenSea, Optimism, Polygon, and many others. Our approach to process and communication has enabled us to find a large number of vulnerabilities and has earned public endorsements from respected engineers working on protocols such as Maple, OpenSea, Primitive, Sablier, and others.

Learn more about our public work on:


Proposal

We approach each and every review with care, striving to understand the whole protocol's security posture and development lifecycle before issuing a quote. We do not count lines of code and return with a "price"; we look at your security needs and assemble the right expertise to fulfill them transparently, working with you throughout the whole process from beginning to end.

  • Venus Proposed Scope:
  1. Isolated Lending: VenusProtocol/isolated-pools.
  2. Staking gated yield boosting: VenusProtocol/venus-protocol/pull/244.
  3. Stable rate borrow, replacing the Comptroller implementation with a Diamond Proxy: VenusProtocol/venus-protocol/pull/244.
  4. Tokenomics automation: TBD.
  5. Cross chain borrow: TBD.
  • Complexity
    The complexity of this engagement is not trivial. Protocols built on Compound mechanics have a track record of security incidents: two months ago another such protocol was exploited for $7.4M, Rari Capital pools were drained for ~$80M, and Venus itself has had several incidents before.
    Replacing a critical component such as the Comptroller with a Diamond proxy is a delicate process that requires thorough scrutiny: the existing storage layout must be preserved across all facets, and function-selector routing must be verified so that no facet can shadow or leave unreachable a privileged entry point.
    Features involving cross-chain communication are inherently complex due to their novel nature, and the probability of finding exploitable vulnerabilities there is rather high.

  • Team composition
    2 Lead Security Researchers, one of whom will be cmichel as requested by the Venus engineering team; 1 Security Researcher; and 1 Associate Security Researcher.

  • Required skillset (must have)
    Experienced researchers with a provable track record of reviewing lending markets, complex DeFi protocols, and cross-chain protocols.

  • Timeframe
    Tentatively 10.5 weeks (~2.5 months), which can be adjusted based on the final scope and complexity.
    A free vulnerability remediation period of two weeks per sprint is included as a professional courtesy, during which we help the engineering team verify that none of the changes made to fix an issue introduce bugs or further vulnerabilities.

  • Engagement type: Retainer
    In contrast to separate, individual reviews, a retainer model ensures the availability of the security team. Its continuity also allows the team to accumulate knowledge and context about the codebase, increasing coverage and confidence while reducing the friction introduced by changing teams, such as the time spent re-learning the system.


  • Final Cost
    Note that the Security Researcher and Associate Security Researcher have been dynamically priced below their average rate. An additional 5% discount on Spearbit's network fee has also been applied to facilitate this opportunity.
    Between the reduced network fee and the dynamically priced security researchers, Venus saves a total of $123,375.
    All fees and rates are transparently communicated. You can learn more about them here: Base-rates-billed-per-engineering-week.
