Alliance Review and Security Checklist

Now that the Alliance has been formally approved, we wanted to share some thoughts on the review and endorsement process.

One of the most important aspects of endorsement is about adhering to an obsessive security culture. Endorsement carries some risk for Lido, particularly with newer, untested protocols. However, the premise of the Alliance is precisely to be flexible enough to help emerging projects reach a new stage of growth. So what the endorsement process should focus on is whether the security culture of a project is sufficiently strong and whether the project has the right processes in place.

As part of the review process, we wanted to share some illustrative questions that we would look to ask projects seeking Lido Alliance endorsement. These questions aim to provide a fuller picture of the security processes of a prospective member.

  • What are the processes for putting code into production?
    • What is the release flow from the security perspective?
    • How does the team decide the code is ready for mainnet?
    • Does the protocol have public audits?
      • Links:
      • What parties conducted the audits?
      • What’s the issue summary (total issues / total fixed / crits and highs / crits and highs fixed)?
    • How is the deployment verified against the audit?
  • What are the processes for managing security through TVL growth?
    • Is there a bug bounty? If yes — which one, and where?
    • Are there limits / thresholds on the project / TVL? Who controls those?
    • Are there any user funds on a multisig?
    • Is the code upgradable?
      • How and who controls upgradability?
  • What is the likelihood that the project will endure?
    • Is the project incorporated? What does the legal structure look like?
      • Neither of these is a blocker, it just gives a fuller picture
    • What’s the funding situation?
      • Similarly, also not a blocker
    • What is the team size?
    • Is the code open source? What’s the license?

As we work through the summary and recommendation for the first two proposals, the process and questions may shift or change to suit particularities of a given project or to strengthen the review process itself.

13 Likes

Hey, @steakhouse

Thank you for sharing!

I find this checklist helpful and neat because it is built upon the first principles of DYOR and is not overloaded with too-deep details and nitpicking.

My only question is whether the answers should be published and collected somewhere or included in the upcoming membership proposals directly?

4 Likes

At the moment those are published for potential Alliance applicants to guide “what kind of info would be requested”. First to be discussed at the proposal prep stage, then — publish the relevant info.

4 Likes

Regarding the audits: I believe having at least a couple of public audits should be a hard requirement for all applications. Also, the issue summary doesn’t provide enough information on the state of the code, so the Lido security experts should review the reports at all times.

3 Likes

GM @steakhouse

Do you have a proposal template that we can use to apply to join the Alliance?

Thank you

Yes, kindly send the answers to the above checklist to our forum account via DM and we can take it from there.

2 Likes

How does the alignment collateral work? Is it compulsory?

@steakhouse I would like to send through our completed security checklist; however, I do not know how to send a DM to your forum account.

Please assist.

Thanks