# JuiceboxDAO Town Hall July 12, 2022

## Front End Recap and Update with @Aeolian

**Aeolian**: Yeah, I just wanted to give a quick summary of what's been happening on the website and over in Peel. So I want to just go over some recent stuff that's going in, have a quick chat about ongoing infrastructure work with regard to the website, and then just quickly talk about some upcoming stuff.

### A quick overview

We don't track metrics on stuff, but in the last five to six weeks we closed about 86 issues, 34 of those were bugs; we are getting rid of bugs slowly. And we closed 80 PRs (Pull Requests) as well, so that's about 15 a week, which is pretty awesome. If you want to have a quick look at that and the history of what we've been working on, see [**this link**](https://github.com/orgs/jbx-protocol/projects/1/views/1). So yeah, amongst all that stuff, some cool stuff that's going in:

- V2 projects now have handles;
- V2 projects can also deploy a payable address, so instead of paying through the Juicebox website, they can generate their own Ethereum address where people can pay directly;
- We've got stickers on payment memos, and V2 projects have full parity with V1 now, so that works out of the way.

### Some improvements

- We've had some improvements to the homepage;
- We've had some improvements around the reconfiguration stuff;
- We've had some simplifications to the pay model in preparation for the new NFT rewards, which is coming and really exciting;
- A bunch of project creation flow simplifications as well, including a really cool new payouts UI where folks can set their payouts in a more intuitive way, and that's going to be improving soon as well.

Just want to shout out to the Peel team there, because I feel like the velocity, it's getting really good. So thanks to all the folks.

### Quick talk on ongoing infrastructure efforts
A few folks pointed out that the site is a little bit unstable recently; unfortunately that's because of our hosting provider, which is Fleek. So we've been wanting to migrate off Fleek onto a more robust solution for a while, and that is happening right now. We're two thirds of the way through this effort to migrate this site from Fleek to next.js, and that gets us two really cool things that hopefully will make the site a little more stable and improve our SEO (Search Engine Optimization) a lot as well. Then also finally it will allow links to actually unfurl properly in social media and whatnot, which is great.

### Big features coming

- We've got NFT rewards, which is going to be awesome. The UI is being wrapped up for that right now and that's in review.
- We've got V1 token migration. This is the ability for V2 projects who have a V1 project to give their V1 token holders a path to get their V2 tokens.
- We've got the veBanny coming; that's also in code review at the moment. Thank you to @Jmill for crushing that effort. That's really exciting.

We're always working on small improvements here and there, so if you want to check that out, there's [a link for that](https://github.com/orgs/jbx-protocol/projects/1).

**nicholas**: @Aeolian, I had a question for you. The move to Next.js, do you mean Vercel for the hosting as well, or what is the actual hosting gonna be?

**Aeolian**: Yeah, we plan to use Vercel, although not that it really matters. But yes, that is our plan.

**nicholas**: For people who maybe didn't catch the unfurling thing, it means that when an image pops up with the link, the name will be of that project rather than just Juicebox generic.

## Code4rena Recap with @nicholas, @jango and @DrGorilla

**nicholas**: I don't know if @jango or @Dr.Gorilla has any feedback, but basically, high level, the contest is over. So wardens, who are the contest participants, have submitted something on the order of 375 reports.
Some of those low severity ones have many sub-reports like gas optimization ideas and little nits. So a lot of activity. @jango and @Dr.Gorilla are working through giving feedback on all those issues over the weekend, yesterday and today. I think they are well on the way to finishing that up. Then the judges at Code4rena will take into consideration the feedback that they've left on those issues and then award the US$75,000 that is dedicated to the audit contest. I think it's been very educational for us. A lot of eyes on the Docs and looking at the contracts. And as far as I know nothing major has been discovered.

**jango**: Yeah, I think it's been by far the most fruitful money spent on audits and reviews, especially compared to the PeckShield and Certik audits from a few months back. There's been a lot of submissions and they touched all kinds of areas of the project, some more in scope than others. We've gone through and carefully looked at anything reported as high severity or medium severity. And there's a lot of duplicates in that big number. I think @nicholas said around 300. Currently we are sitting at about 260 that are still open, a lot of which are labeled as QA and gas optimizations that I haven't yet looked through. There's about nine issues that we've confirmed and looked at and we are thinking through right now. Nothing big, as @nicholas said, but it's all stuff that for sure is going to be made public. And if anyone wants to be part of that conversation, reach out to us. We should have more updates as we actually wrap the stuff up in this coming week. I just finished reviewing to the point where "all right, now we have these nine or so to look through more specifically" this morning.
As of right now nothing severe to report; there likely is going to be a few steps that we'll have to synchronize between frontend, backend, frontend contract side to at least offer some terminal and controller migrations for projects that really care about a certain set of trade-offs that have been reported. So it depends on the community, and we'll have to come together and decide if we want to back just one big version of this or if we want to start to figure out how these versioning things can evolve over time. There's not much to report to the broader group here. It's just like minutiae and more in-the-weeds stuff. We'll try to tuck it away from the user experience overall, so it's still pretty seamless. But if anything comes up in the next couple days, we'll make sure to communicate it properly and make sure that we have a good, understood path forward. I'm pretty confident in this group to take new information and run with it like we did last month, which was a pretty gnarly adjustment from a pretty exciting feature roadmap, and hopefully we don't do anything similar to that. But it's really, really an absolute blessing to have a bunch of people go through a code base and write everything from typos in documentation all the way to very niche critiques. It's always better to do it before than later, so here we are with this new information. Big shout out to all the work done to set this up and to Code4rena for creating a seemingly pretty-legit-feeling way to go about getting a community of developers to pay attention to the security of various contracts.

**nicholas**: Yeah, maybe for a tiny bit of context, one way to think about this process is like these people are very aware of all of the recent vulnerabilities. So a lot of the things that they've been bringing to the protocol devs' attention are things that other people will also notice.
The general sense I've got from a lot of the feedback is like, we know it's not a problem in our case, but it is interesting to get dozens of people filing hundreds of these issues and just getting this perspective all at once for rewarding. Maybe even met some people who will be interested in contributing to one-off auditing extensions to the protocol, which will be super cool. Definitely introduced a lot of people to Juicebox, and I was talking to @jango about it a little bit earlier and he was really happy about the experience. So I think we might well do one of these again in the future if there's something similar we need out of it. So super, super positive experience, I think.

**jango**: Yeah, if there's ever opportunities to sponsor these things, this is where maybe more money should definitely go. The more of these we can do as we publish more code --- hey, I think our criteria isn't to publish an enormous amount of contract code, we should be very, very wise and careful with anything we do choose to publish --- but if we do, it's great to pair it with a pretty consistent and reliable review and audit process. And this has felt like the best use of money thus far. Folks working on contracts are basically splitting time this week between reviewing the stuff and then working on the NFT rewards, which is a massively exciting project. I think I've talked to a lot of people around the community about it in various regards and I think everyone knows I'm super, super, super stoked about it and the potential there is enormous. But as we weigh it with security stuff, obviously security stuff takes precedence. So let's get this out of the way, let's feel good about it, prior to adding more traction and users on our plate.

**Dr.Gorilla**: My conclusion was quite similar to @jango's.
I think it was really a good use of funds and I'm quite convinced it's like sheer fire power in terms of people looking at the code base and trying to find things with a strong academic incentive behind it. It's really kind of reassuring that we have only, in a way, nine real things that now we want to work on on top of our findings. It's pretty cool. It's a really nice experience. It's the first time I've reviewed a Code4rena, the first time I see it from behind. It's impressive.

### Discussion on safety and security disclosure

**0xSTVG**: In regards to the audits, the warnings that are on the site of the protocol, would we ever take those warnings off, like "Juicebox is unaudited" and all that kind of stuff? The reason I ask is because I've been trying to onboard an organization and the reason they're going away from Juicebox is because of those warnings. I think people get the wrong impression. I tried to send them the couple of things that Juicebox has already gone through. Is that ever something that we're gonna get rid of, or what do we think about that?

**jango**: I'm always a fan of leading with "Juicebox is risky as fuck" and "People shouldn't use it if they aren't willing to swallow the risk exposure" and "prior to Juicebox it's badass", all these things first and foremost. It's very risky. From my point of view, we have to go a long way before I'd feel comfortable removing it, although re-wording it to be more specific and more contextual with where we currently are in the process and what risks we know to be true and which exist by design. As folks route money in, I like to assume there's always something around the corner that we have yet to catch or fully understand; although it's a shitty assumption, I think it's the right way to approach it, at least for someone in my shoes trying to look over and care for the protocol.

**0xSTVG**: I agree with that.
I think that there should be something, but perhaps all the things that are being done to plug those holes should be also published or publicized. We have tweeted some things out, but it would be interesting if there was maybe a link on the site that showed all the different things that the community has done to safeguard Juicebox, and also highlighted how much money has actually gone through. I think some people just want to see it all in one page.

**jango**: I think it's a great idea that gives context to what's been going on. Definitely a really, really good idea. And then we can chime in with more personalized feedback, like we've spent x amount on security, let's say 300k on security; I think we should be upfront that 100k of that on formal audits felt silly or wasn't as well spent as we anticipated. I think just being as transparent with all the shit that we've got right and that works and all this shit that hasn't worked as well and where we've been kind of wasteful offers the best perspective of safety and security to the outside world. Especially with open source stuff, there's no sense in pretending everything is clean and crispy and perfect, and it's almost more attractive to always play the balance of "hey, look, we're evolving". There's pros and cons to all this stuff.

**filipv**: I think in terms of short term steps, it would be good to remove the unaudited phrase from the Heads Up. I actually had similar feedback from the Gnosis team, who I'm still working with, and they said, "hey, are your contracts unaudited?" It's just maybe a minor reword, but in general I agree.

![](https://i.imgur.com/UqWicDP.png)

**Zeugh**: Especially because if you want people to be careful, and we're telling them to be careful because it's unaudited, and then they see it audited, they might think it's a hundred percent safe now. So leading them towards being careful with the fullbacks works better, I believe.
**jango**: Yeah, I think ultimately the appropriate thing is to tell people to audit themselves. And if they choose not to or choose to go with the herd, that's up to them. But yeah, I agree with @Zeugh, under no condition should we tell people this is safe.

**nicholas**: We can link to the audits that have been done; I think that would be decent. I get the sense that being audited traditionally would mean having a more formal audit from a larger, very well respected firm, but actually your experience seems to show that the Code4rena was maybe one of the more productive things. I wonder, is there a binary thing that would make you feel safe saying it is audited?

**jango**: The best is just having a really careful internal team that the DAO supports, and we have a good kind of process for reviewing each other's work and writing tests. The thing I point to foremost is that we have great tests and we've all reviewed and documented everything, and I think that begets the Code4rena campaign, because everyone basically was able to make a lot of progress and understand the minutiae of the protocol because of the tests and because of the documentation. All these things are attached; it's not like they all live in isolation. But for sure it starts with careful writers, reviewers and documenters, and then I think it extends to a wider community of incentivized bounty hunters in a way.

**nicholas**: I wonder if we should, and if there's any interest in, lining up like a [Trail of Bits](https://www.trailofbits.com/) or other consensus major audit firms for a traditional audit; that's not irrelevant.

**jango**: I think all the money should be spent on audits and stuff. I'd rather get more people to look at them and have more points of view than fewer.
**0xSTVG**: Like what @nicholas was saying, publicizing also how much money has gone through, in that one page with the links to the audits and all that kind of stuff; that to me seems to be the most compelling, how much money has actually gone through and been safe. That's not something waiting, but a lot of people have done a lot of things. And we should be promoting that in a one-page that we're continually auditing and checking and testing this on a day to day basis.

**Felixander**: I might want to just hop in. Even if we're not going to take off the language which says this is unaudited, maybe just a little thing that says, "if you want to learn how we're trying to keep this running safely, here's been our efforts", that would link to all of these things. I do agree with you; the first time I looked at the docs, when I got to that section, I remember thinking if people just keep reading, "Hey, this is not safe. This is not safe. This is not safe", that might deter people, particularly if you're onboarding kind of web2 people; that language is jarring. I don't know if there's a different way to present it. I think you still have to say it. I agree 100% we can't just say, "Yeah, use this. It's fine", but maybe there's a way to also show and highlight "this is all the stuff we're doing and there hasn't been a major problem or whatever yet, and it could always happen".

**jango**: I agree as long as we're not kidding ourselves. It doesn't matter how much money has gone through it; everyone's configuring the project slightly differently. It depends on people's dynamics with the project owner, and it depends on that you have to understand the risks. The protocol exposes risks by design; you should understand those. I think our job isn't to make web2 people feel at peace. The way in which this stuff works, it's attractive to people who want to operate like this.

**Zeugh**: One question.
From the perspective of someone who cannot look at the code and understand if it's safe or unsafe at the extreme level, when we talk like unsafe because of the differences, are we talking about people messing up on their things or a project owner doing something on the treasury, or are we talking here about actual exploits on the contract that we might not know of and someone just like drains all Juicebox projects? What level of risk are we talking here?

**jango**: Specifically the latter, but the former is that I think we're assuming everyone using the protocol understands the known risks because the code is well known. Just because the code is well known doesn't mean it's seen every angle of data thrown at it, despite a really solid, comprehensive test suite. I think it's safe to move forward assuming there's an attack vector that can drain a lot of funds, but it's also wise to move forward knowing that that's unlikely to be found and exploited, but it's likely to exist. So do with that information what you will.

:::success
:banana::banana: Context Material:

- The [audits](https://info.juicebox.money/dev/resources/security-and-audits) that JuiceboxDAO has done
- The [risks](https://info.juicebox.money/dev/learn/risks) in using Juicebox protocol.
:::

## ImmuneFi Update by @filipv and @nicholas

Just as a reminder for folks, there's like three kinds of audit related work we've looked into and done:

- the PeckShield and Certik formal audits;
- the Code4rena contest style audit;
- the ImmuneFi bug bounty.

The third, the ImmuneFi bug bounty, is mostly for, if someone does find an exploit, giving them an opportunity to report it and get a guaranteed payout instead of exploiting the protocol.

**filipv**: Sure, so not too much in terms of updates for now. We're still working with Etherscan to get those last contracts verified before we can move forward. But thankfully we are almost there, and thank you to @jango for your help on taking care of all of that.
We're going to finalize that and all of the setup pretty soon and put up a landing page, and then hopefully have that up within the next week or so. But there are a lot of moving parts; it's hard to put an exact date on it.

**nicholas**: Cool, and for anyone who's curious about the way ImmuneFi works, we hold the bounty rewards in the multi-sig; if somebody makes a report, we'll give ImmuneFi 10% on top of the payout so that we don't have to send funds anywhere. It's just gonna sit in the multi-sig until someone makes a bug report.

## Nance the governance bot by @jigglyjams

**jigglyjams**: Yeah. I just wanted to give a quick update. Nance has been running governance as you can see in the proposals channel. There's some other updates I've added to it recently, like there was a notification about execution ending, all based on our kind of governance schedule and our calendar. In my proposal, I kind of called out two things that I see as features that Juicebox needs:

- The automatic translations with deepl.com that @twodam suggested using. And I started playing around with it, which seems pretty good.
- Automatic queuing of transactions was another feature that @jango was excited about. It was my interpretation of like different payouts and configurations.

So those are two features I have on my radar, but we're just gonna open it up. If anyone has feature requests, feel free to chime in now or in the governance automation channel.

## Juicecast new episode with Lexicon Devils by @matthewbrooks and @brileigh

**nicholas**: Talking of governance, I just listened to Matthew and Brileigh's Juicecast episode. I went to the Lexicon Devils' metaverse Juice Bar base recently and saw the governance proposals are on a screen right as you load in. I don't know if Matthew and Brileigh want to say anything about the podcast episode.

**brileigh**: Yeah, thanks for bringing it up.
Yeah, [the podcast](https://podcasts.apple.com/us/podcast/ep-8-peacenode-and-wackozacco-from-lexicon-devils/id1623504302?i=1000569581777) was uploaded yesterday and we announced it earlier today.

![](https://i.imgur.com/v2WzANb.png)

Then we have [an article](https://info.juicebox.money/blog/2022-07-14-lexicon-devils) that will be live soon to pair with it, as part of this new exploration of pairing the podcast with other articles.

![](https://i.imgur.com/zDgwkB4.png)

I really like the Lexicon one. I feel like I say this after every podcast episode, "this is my favorite one", but I really love this one. I felt we had a really good conversation. We covered a variety of topics about not only the various iterations of the Juice Bar, but also other builds they've done for other DAOs or NFT projects, and also touched on ideas around game environments and that relationship to metaverse environments, and how they sort of never imagined that they would be where they are today with their friends. It was just really sweet and wholesome. So, I hope you all have a chance to listen to that when you can.

**nicholas**: Yeah, I listened to it today. Definitely worth listening to if you haven't got a chance yet.

## Partnership/Onboarding with @Zeugh

**Zeugh**: Okay. I just put this topic up on the agenda because I've been seeing lots of activity around. I'm super happy seeing this new moment after we've had a little bit of a chiller pace for a bit. In my perception we are again onboarding and talking to lots of new projects around, and the thing is that actually right now I'm not sure of all that's happening. I have the impression that we might be talking at some point to the same people, or talking to someone that someone else in the DAO has good relations with or already knows from other DAOs or other spaces. It might be interesting to keep up with everybody, like who we're talking to or what projects we are onboarding, what's going on in that sense?
I don't know if it's of general interest to keep it up constantly; I would find it very interesting if we could have some way to follow up, to keep an eye on all that's going on. But as I think it's something that should evolve naturally, I would just like to bring up some of the bridges and put it up. If anyone else is also interested in doing this, feel free to pick up the mic right after. Well, if it makes sense, we might start doing it more constantly on the Town Hall or in the channels. The idea came up because I'm trying to do a big reorganization in the channels and I felt that this is one of the uses that we might be missing. Right now, thinking of partnerships and onboardings, I've been talking to:

- ETHSafari, some very nice guys. The first big ETH event in Africa will be starting fundraising through Juicebox, which is pretty exciting.
- Common Ground, a Discord competitor focusing on having announcements and governance and everything integrated in a single platform, is also trying to start fundraising through Juicebox, having some hard things specific to V2 that @jango's giving a good hand with there, trying to start a model, a template for Regenerative Finance (ReFi) projects to raise through Juicebox.
- Kernel, a fellowship program, about partnerships of integrating Juicebox for new project builders in there.
- Enzyme Finance, which is a treasury management protocol too that does the part that we don't: getting the funds in the treasury and putting them in action. I had some nice talks with them in Barcelona and I'm gonna have one more call with them this week to see if there's other possibilities of integration or pay terminal extensions or something like this that we can work together on.

Well, the idea is basically bringing up some of what's going on in the talks that I'm having, and to find out if anyone else wants to also share what's been happening on your side of taking Juicebox out to the world; I'd love to know.
**filipv**: There's of course the aforementioned BuidlGuidl and ImmuneFi and that stuff, but right now I'm also working with African American women in cinema on doing a potential fundraiser for a movie that they're trying to get done; and then working with the team at MASH, who's building a music NFT related platform; also working with one client who's interested in selling some fine art and is potentially interested in using Juicebox.

**Steve@DAOPlanet.org**: I'll be real quick if this is BizDev talk time. Everybody knows I'm really sold on Juicebox and want to help create any opportunities possible. @Zeugh, we can connect around the ETHSafari project. I'm trying to help them navigate and understand what to expect from Juicebox. There are thoughts about using Juicebox for ticket sales, merchandise fulfillment, fundraising and a governance token, so I just want to explore a little bit about what's possible there and figure out how to help them raise as much money as possible through Juicebox. I've been talking to folks at [third web](https://thirdweb.com). I don't know if anybody knows Adam Lee from third web, but we were connected. I had a call with him. When I mentioned Juicebox, it feels like there's some really great synergies between what Juicebox already has and what third web already has. Maybe somebody wants to look at this potential BizDev from a technical product standpoint. I do a lot of user product management, but it would be really interesting to hear from folks who look at those tools and create some sort of bridge. Somebody invited me to join choiceDAO; it looks like they got a little bit stopped with their legal in raising funds, and I'm not sure what their hold-ups are in raising, but I figured Juicebox is the best platform to do a huge raise.

**nicholas**: Also StudioDAO, of course, the NFT rewards prototypical project using the works, just cool too.
**Kentbot**: We're developing the rest of the materials; we're standing by waiting for the NFT rewards to be ready, then we'll be able to complete the rest of our flood to get the stuff going. We have also leaned in on some of the NFT designs that we need to be working on, so there'll be more to talk about on that probably next week. But we have lots of good progress and appreciate everyone's effort, and we're on our way.

## Bookkeeping by @gulan

Yeah, just want to give an update on what proposals passed and their impact. We have two different config files now that we're running two different versions of the treasury. If you want to look up any of this stuff, you can go on to [the spreadsheet](https://docs.google.com/spreadsheets/d/1bRrXjNhbeTM6tSxPmzYOHDYT3_a9uu9eivw_Zauwiq4/edit?usp=sharing) and track it.

## Quiz time

Two truths and one lie, guess who this is?

![](https://i.imgur.com/9XJCT72.png)

The correct answer is ... @peri

The lie is "I've been evacuated by helicopter on a ski trip." And @peri can type with one hand at 51 words per minute!

## Project "Forming" of Lexicon Devils

**brileigh**: I can give a brief rundown of Forming. So basically they've done all these live events in the past with musicians, and the musicians haven't always been able to be part of the community in a sense. So what they are presenting is a curated lineup of web3 musicians, and they're doing like 15 minutes to half an hour pre-recorded performances and the musicians will be there. They've also set up a Juicebox project, [*Forming*](https://juicebox.money/#/v2/p/66), in which they are gonna be using the funds in that project to pay out those web3 musicians.
They've kind of said that the project is the synthesis of their experience of working at the Juicebox parcel and getting to know Juicebox and the protocol, now that they have this history and interest in music and their intention to get musicians to learn about Juicebox through the Juicebox events that they host, which will be at the Juicebox parcel.

**nicholas**: Pretty cool. I heard a little preview of it at the tail end of the podcast episode, and it's pretty sweet that they're using what they've learned to onboard musicians and create a new project and even fund their own kind of grants.

**brileigh**: Yeah, it's like coming full circle with everything. With them coming into the space, and also their name Lexicon Devils being made with the intent to onboard their normie friends into the space with familiarity. So it'll be interesting to see them continuing to do that through this Juicebox project that will hopefully get musicians exposed to the project and sort of see what the protocol enables for them. And maybe get that light bulb moment of what they can do with Juicebox for their own dreams and interests.

**jango**: The NFT reward stuff is going to be pretty sweet and tied to the toolbox for artists of this nature. I think it's having more visuals on the dashboard itself, but also a distribution channel. It's gonna be a game changer. If it happens in time, that would be great. Otherwise, I hope we can all help them crush this version of it and then we'll do many more with all the tools we'll build in the future.

## Others

**nicholas**: I'll throw on one last plug for the [BuidlGuidl hackathon](https://info.juicebox.money/dev/hackathon/). If anyone's interested, I'll drop [the link to the Telegram](https://t.me/+3tlE2ae0475hMDcx). There's like almost 50 people building in there with a lot of cool projects.

**seanmc**: Yeah, actually that's a really good segue just to plug JokeDAO; we're using it for the hackathon to do the voting on the BuidlGuidl.
We're officially launching our version 2 of the site; it's on the official [jokedao.io](https://www.jokedao.io/) domain now, if you want to check that out. And it'll be used in the BuidlGuidl hackathon. So excited for that, too.

![](https://i.imgur.com/ZFcT9Tu.png)

**nicholas**: @twodam's also got this [juicetool.xyz](https://juicetool.xyz) alpha site up with some cool statistics on it already. There's a [link](https://juicetool.xyz) in the Town Hall chat, and it's super awesome to see @twodam building, learning React basically, or learning front end stuff, in order to be unchained from Dune analytics. Pretty cool.

![](https://i.imgur.com/CePvZ06.png)

***

:bulb: Archives of JuiceboxDAO Town Hall can be found [here](https://hackmd.io/@zhape/jbx_town_hall_archive)

###### tags: `JuiceboxDAO Town Hall`