Compensating security assessment costs for Lido-on-X projects

The development and acceptance process of Lido-on-X protocol (Lido on Solana, Polygon, Kusama/Polkadot) involves a pre-release security assessment. These assessments are expensive and are needed not only for the team building Lido-on-X, but for the Lido DAO as a method of acceptance test (so we could say that indeed, that version of the protocol is safe to deploy, use, promote and incentivize).

It’s never boiled down to the point of contention, but the teams are extremely cognizant of the upfront costs of assessments (before they even know if their solution will have a PMF), and are de-incentivized to go for the best quality, more expensive firms. We should not put development teams in a situation where they have a conflict of interests on getting the best security practices.

My proposal here is for Lido at large, acting through LEGO, to bear all the costs of final security assessments of the Lido-on-X protocols, limited to two assessments with reputable firms per upgrade. With LEGO council in charge of judging what is a reputable firm.

I also propose to retroactively fund the security assessments for Mixbytes(), Shard Labs, and Chorus One.

The costs of doing this are quite substantial (audits costs for a full protocol are anywhere between $30k to $200k, might be even more), but I gather them to be less than bug bounty costs, which are topped at $2M per bug currently.

14 Likes

For decentralized finance brands and protocols, security is of utmost importance. Lido should take pre-release security assessments as seriously as they possibly can be taken to protect against possible financial black swan events and damage to its brand. If the means to be able to spend incrementally more on greater prudence and higher quality security are available, and these processes have been screened properly by contributors, they should be taken.

I am in support of this proposal.

5 Likes

I do reckon the significance of pre-release security assessment and agree with the proposal. For one Lido-on-X, the project should not be released once only and it will be released with version upgrade in multi times with bug fixing and function updating. I think for every big release, a security assessment is necessary. How will the fee be covered?

A couple of thoughts from our side. We are a security audits provider ourselves so we speak from experience:

  • On a proposal, stage teams have no way to estimate audit costs and book slots with the auditing teams. Currently, this presents a huge blocker and a serious possible financial risk because even if you deliver on your proposed code you might not be able to book good auditors. If this risk is somewhat mitigated, Lido will attract a lot more teams to its ecosystem, especially those that are on the smaller/younger side.
  • Totally agree with the point about audits being much more capital effective than bug bounty. If our clients paid $2M for every critical we find during audits, a portion of them would be bankrupt at this point for sure))
3 Likes

I can speak from our experience working on Lido for Polygon:
We take security very seriously since these products are impacting users and underlying network stability and decentralisation.
For that reason, we made a decision to do the re-audit and delay the launch for ~1 month. Audit put a significant extra cost on Lido for Polygon development.
Also, since it delayed the launch, the time where we expect to start earning from the project was also delayed.
That being said, Shard Labs fully supports this proposal and we think it will benefit the expansion of Lido ecosystem in the long term.

3 Likes

A snapshot vote on this will start today:
https://snapshot.org/#/lido-snapshot.eth/proposal/0xb9e4f39f6cf7a3b375744f1cf5d6061e6db08b58334ce6f0da02f18c68e28222

2 Likes

I completely support this proposal as well based on the points outlined by the team. The only question I’d ask the team is whether the LEGO grants program budget should be expanded (which I would also strongly support). My understanding is that the established budget allocates 240K LDO per quarter across all LEGO grants (https://lego.lido.fi/). I don’t know what the expectations are in terms of volume of security assessments but if the entire budget is just over $400k per quarter at current price levels and these audits can reach up to $200K in cost then I’d think the team would want to create some add’l room in the budget for other LEGO grants.

2 Likes

The LEGO budget can be extended with a governance vote if needed, so if it’s dried up with security assessments and/or bug bounty payouts, we will be able to ask for a top-up.
But it’s a good idea to pre-extended it for the next period, thanks.

4 Likes

Yh, I think it is a good idea

generally in favor of this but curious if the team has considered more decentralized alternatives to formal audits (e.g. pre-release community bounty bug programs or something like code4rena)?

Bug bounties are there but they are not an alternative to audits. They fill a different role. Code4rena is something we want to try but it’s not a replacement to an audit either, it’s an additional thing (though would go to the same budget).

The vote passed - we can start refunding the audits on demand:
https://snapshot.org/#/lido-snapshot.eth/proposal/0xb9e4f39f6cf7a3b375744f1cf5d6061e6db08b58334ce6f0da02f18c68e28222

So far, Shard Labs transferred 48300 USDC to Oxorio for the auditing expenses.

Transactions:
0x9f44bc8f24df0e4750c6cbc4706d6ad9e10cc29693892b2ea73f85a2cc84c4c0
0x2b444b9eb017f308a7e27e50b88cda5d6a213aaa85b5fbb960fe3c554a7288ad
0x4df087bc894a59f2ee5579f10b3e12d062b8cbfb06c6de678ba308cd65cb6548
0x1ff3827882e3f6b1968be0c4c1286c866fb12769786e589c426a086934b6c336

Forum did not allow me to post more than 2 links so I just provided tx hashes.

There is still one pending PR to be reviewed for version 1 and the new codebase for version 2 which is currently in development. Transactions for those will be posted once they are executed.

The compensation can be issued here: 0x4290db8e966a880d7Fd734884FBa93ee671984ea

2 Likes

MixBytes transferred 12,000 USDT to Dedaub as an advance for the auditing services.
Ethereum Transaction Hash (Txhash) Details | Etherscan
The compensation for MixBytes can be issued here: 0x193128E013bB56d150555833Dc2a669d07D11842
52,500 USDT is still outstanding and needs to be paid to this address: 0xF5Da01d6aFfEf5af0E326bff01b6A1c2bd93c046

First batch sent: Ethereum Transaction Hash (Txhash) Details | Etherscan

Hi all,

Chorus One commissioned and paid for two audits for the initial Lido on Solana program in Q2/3 2021:

  • $15,000 for an initial Brahma Systems audit
  • $90,000 for a thorough Neodyme audit of the initial Lido on Solana (Solido) program and all related components

In addition, the about to be released bSOL / Terra Anchor integration was audited by Neodyme again in Q1/2 2022:

  • $90,000 for Neodyme audit of Anker; the stSOL → bSOL Solana/Wormhole/Terra interaction and integration into Anchor

All audit reports can be found here.

Vendor Amount USD Date of pmt Pmt method
Bramah Systems 8,750.00 7-Jun-2021 c1-audit-pmt-proof.pdf - Google Drive
Bramah Systems 8,750.00 9-Aug-2021
Neodyme 90,000.00 28-Dec-2021
Neodyme 90,000.00 29-Mar-2022 Solscan
TOTAL 197,500.00

We would like to ask for the reimbursement to this Ethereum address:

0x3983083d7fa05f66b175f282ffd83e0d861c777a

We sent transactions to and from this address from our Lido operator address to confirm that it’s ours:

Best,
Felix

Is this not included in Lido on Solana - Proposed Transition from Chorus One to P2P 650k LDO payment for development effort?

2 Likes

It is true that this audit compensation proposal came up in parallel to our other proposal. I’m honestly not sure how this should be factored in.

Shard Labs paid an additional amount to Oxorio for auditing PR (Fix/audit 67 by idirall22 · Pull Request #69 · Shard-Labs/PoLido · GitHub) like it was mentioned in the original post (Compensating security assessment costs for Lido-on-X projects - #13 by ShardYaco)

The payout was done in two batches of 13750 USDC:
Ethereum Transaction Hash (Txhash) Details | Etherscan
Ethereum Transaction Hash (Txhash) Details | Etherscan

The compensation can be issued to the same address we used for the first part: 0x4290db8e966a880d7Fd734884FBa93ee671984ea

1 Like