# Venus Proposal Spearbit Review

## TLDR

The Venus engineering team has approached Spearbit to review [Isolated Pools](https://github.com/VenusProtocol/isolated-pools), [Staking gated yield boosting](https://github.com/VenusProtocol/venus-protocol/pull/196), [a stable rate borrow replacing the comptroller with a diamond proxy](https://github.com/VenusProtocol/venus-protocol/pull/244) and two other features yet to be decided. Based on the risk and complexity of this review, as well as the high demand for researchers with the specific skillset required to ensure high quality coverage of the codebase, we offer a discounted quote of $664,125 for a review spanning 10.5 weeks (~2.5 months).

Read about Spearbit and the proposal below!

## Background

The Venus engineering team demonstrated a proactive commitment to security by approaching Spearbit with a request to perform an audit of their contracts. At Spearbit we deeply care about the security posture of our clients and strive to provide honest, transparent value by leveraging our expertise in information security and engineering processes. Therefore, we are presenting this proposal for the Venus community to review, vote on, and decide whether to collaborate with Spearbit over the next couple of months to examine a series of sensitive protocol integrations.

## About Spearbit

Spearbit offers security services to top tier protocols by leveraging our network of the most talented blockchain security researchers in the crypto space. We work with, and have conducted security reviews for, the most prominent firms in the industry, including OpenSea, Optimism, Polygon, and many others.

Our unique approach to processes and communication has enabled us to find a [high amount of vulnerabilities](https://twitter.com/SpearbitDAO/status/1617967684989390849), as well as eliciting public comments from the most respected engineers in the field working on protocols such as *[maple](https://twitter.com/lucasmanuel_eth/status/1611211603319394304), [opensea](https://twitter.com/emo_eth/status/1626224757212581891), [primitive](https://twitter.com/alexangelj/status/1651661901527662592), [sablier](https://twitter.com/PaulRBerg/status/1646868087927455745), and others!*

Learn more about our public work on:

- [Spearbit's public portfolio](https://github.com/spearbit/portfolio)
- [Youtube channel](https://www.youtube.com/spearbit)
- [Blog posts](https://paragraph.xyz/@spearbit) and [Twitter](https://twitter.com/SpearbitDAO)

## Proposal

We approach each and every review with care, striving to understand the whole protocol's security posture and development lifecycle before issuing a quote. We do not count lines of code and return with a 'price'; we look at your security needs and assemble the right expertise to fulfill them transparently, working with you throughout the whole process from beginning to end.

- **Venus Proposed Scope:**
  1. Isolated Lending: [VenusProtocol/isolated-pools](https://github.com/VenusProtocol/isolated-pools).
  2. Staking gated yield boosting: [VenusProtocol/venus-protocol/pull/196](https://github.com/VenusProtocol/venus-protocol/pull/196).
  3. Stable rate borrow, replacing the Comptroller implementation with a Diamond Proxy: [VenusProtocol/venus-protocol/pull/244](https://github.com/VenusProtocol/venus-protocol/pull/244).
  4. Tokenomics automation: *TBD*.
  5. Cross chain borrow: *TBD*.
- **Complexity** The complexity of this engagement is not trivial. Protocols using Compound mechanics have a track record of security incidents: for example, 2 months ago another [protocol got exploited](https://rekt.news/hundred-rekt2/) for $7.4M, Rari Capital pools [were drained](https://rekt.news/fei-rari-rekt/) for ~$80M, and Venus itself has had a couple of incidents before. Replacing a critical component such as the comptroller with a Diamond proxy is a delicate process which requires thorough scrutiny. Features regarding Cross-Chain communication are inherently complex due to their novel nature, and the probability of finding exploitable vulnerabilities is rather high.
- **Team composition** 2 Lead Security Researchers, one of which will be [cmichel](https://twitter.com/cmichelio) as per the Venus engineering team's request, 1 Security Researcher and 1 Associate Security Researcher.
- **Required skillset (must have)** Experienced researchers with a provable track record reviewing markets, complex DeFi and Cross-Chain protocols.
- **Timeframe** Tentative 10.5 weeks (~2 months), which can be adjusted based on final scope and complexity. A free vulnerability remediation period of two weeks for each sprint is included as a professional courtesy, where we help the engineering team make sure none of the changes made to fix an issue introduce bugs or further vulnerabilities.
- **Engagement type: Retainer** In contrast to separate, individual reviews, a retainer model ensures the availability of the security team. Its continuity also allows the team to accumulate knowledge and context regarding the codebase, increasing coverage and confidence while reducing the friction introduced by changing teams, such as the time spent understanding the system.
- **Final Cost** Note that the Security Researcher and Associate Researcher have been Dynamically Priced under their average rate. An additional 5% discount on Spearbit's network fee has also been applied to facilitate this opportunity. We have reduced the network fee and dynamically priced security researchers, saving Venus a total of $123,375. All fees and rates are transparently communicated. You can learn more about them here: [Base-rates-billed-per-engineering-week](https://hackmd.io/@spearbit/rJB2dPGwq#Base-rates-billed-per-engineering-week).

![](https://hackmd.io/_uploads/ryMGOY0Lh.png)