Compensating security assessment costs for Lido-on-X projects

Yh, I think it is a good idea

generally in favor of this but curious if the team has considered more decentralized alternatives to formal audits (e.g. pre-release community bounty bug programs or something like code4rena)?

Bug bounties are there but they are not an alternative to audits. They fill a different role. Code4rena is something we want to try but it’s not a replacement for an audit either, it’s an additional thing (though would go to the same budget).

The vote passed - we can start refunding the audits on demand:
https://snapshot.org/#/lido-snapshot.eth/proposal/0xb9e4f39f6cf7a3b375744f1cf5d6061e6db08b58334ce6f0da02f18c68e28222

So far, Shard Labs transferred 48300 USDC to Oxorio for the auditing expenses.

Transactions:
0x9f44bc8f24df0e4750c6cbc4706d6ad9e10cc29693892b2ea73f85a2cc84c4c0
0x2b444b9eb017f308a7e27e50b88cda5d6a213aaa85b5fbb960fe3c554a7288ad
0x4df087bc894a59f2ee5579f10b3e12d062b8cbfb06c6de678ba308cd65cb6548
0x1ff3827882e3f6b1968be0c4c1286c866fb12769786e589c426a086934b6c336

Forum did not allow me to post more than 2 links so I just provided tx hashes.

There is still one pending PR to be reviewed for version 1 and the new codebase for version 2 which is currently in development. Transactions for those will be posted once they are executed.

The compensation can be issued here: 0x4290db8e966a880d7Fd734884FBa93ee671984ea

MixBytes transferred 12,000 USDT to Dedaub as an advance for the auditing services.
Ethereum Transaction Hash (Txhash) Details | Etherscan
The compensation for MixBytes can be issued here: 0x193128E013bB56d150555833Dc2a669d07D11842
52,500 USDT is still outstanding and needs to be paid to this address: 0xF5Da01d6aFfEf5af0E326bff01b6A1c2bd93c046

First batch sent: Ethereum Transaction Hash (Txhash) Details | Etherscan

Hi all,

Chorus One commissioned and paid for two audits for the initial Lido on Solana program in Q2/3 2021:

  • $15,000 for an initial Bramah Systems audit
  • $90,000 for a thorough Neodyme audit of the initial Lido on Solana (Solido) program and all related components

In addition, the about-to-be-released bSOL / Terra Anchor integration was audited by Neodyme again in Q1/2 2022:

  • $90,000 for Neodyme audit of Anker; the stSOL → bSOL Solana/Wormhole/Terra interaction and integration into Anchor

All audit reports can be found here.

| Vendor | Amount USD | Date of pmt | Pmt method |
|---|---|---|---|
| Bramah Systems | 8,750.00 | 7-Jun-2021 | c1-audit-pmt-proof.pdf - Google Drive |
| Bramah Systems | 8,750.00 | 9-Aug-2021 | |
| Neodyme | 90,000.00 | 28-Dec-2021 | |
| Neodyme | 90,000.00 | 29-Mar-2022 | Solscan |
| TOTAL | 197,500.00 | | |

We would like to ask for the reimbursement to this Ethereum address:

0x3983083d7fa05f66b175f282ffd83e0d861c777a

We sent transactions to and from this address from our Lido operator address to confirm that it’s ours:

Best,
Felix

Is this not included in Lido on Solana - Proposed Transition from Chorus One to P2P 650k LDO payment for development effort?

It is true that this audit compensation proposal came up in parallel to our other proposal. I’m honestly not sure how this should be factored in.

Shard Labs paid an additional amount to Oxorio for auditing PR (Fix/audit 67 by idirall22 · Pull Request #69 · Shard-Labs/PoLido · GitHub) like it was mentioned in the original post (Compensating security assessment costs for Lido-on-X projects - #13 by ShardYaco)

The payout was done in two batches of 13750 USDC:
Ethereum Transaction Hash (Txhash) Details | Etherscan
Ethereum Transaction Hash (Txhash) Details | Etherscan

The compensation can be issued to the same address we used for the first part: 0x4290db8e966a880d7Fd734884FBa93ee671984ea

Last batch of ShardLabs audit comp is sent: Ethereum Transaction Hash (Txhash) Details | Etherscan, all the audits for Lido on Polygon are compensated

Lido on Avalanche team has sent $19,000 to Dedaub as a deposit for our audit.

https://etherscan.io/tx/0x636efa87ad74e2a1fe080d5d5a04a5ff34b3cb38d926fd2294d4527313e97b1f

Compensation can be sent to 0x1e16f01eE68599dbCc67f602366b56A572c8Ec3C

MixBytes are requesting an additional audit by Dedaub for Lido on Polkadot and Kusama.
It is agreed to be $23K, with the previous report updated as V2.

Payment address: 0xF5Da01d6aFfEf5af0E326bff01b6A1c2bd93c046
Preferred tokens: USDC / USDT / DAI / BUSD

DAI 23K has been transferred as compensation for the additional audit to MixBytes:

Lido on Polygon V2 audits are done:

Total: 26740 USDC

Also, there were 3 payouts to Immunefi hackers for vulnerabilities:

Ethereum Transaction Hash (Txhash) Details | Etherscan Ethereum Transaction Hash (Txhash) Details | Etherscan

Ethereum Transaction Hash (Txhash) Details | Etherscan Ethereum Transaction Hash (Txhash) Details | Etherscan

Immunefi cost
0.36 ETH + 0.036 ETH
5000 DAI
0.56586050406853702 Ether + 0.056586050406853702 Ether

The compensation can be issued here: 0x4290db8e966a880d7Fd734884FBa93ee671984ea

Hi @ShardYaco,

I want to schedule a payment, but got one question - will payment in USDT or DAI be ok as well?
Thanks.

USDT, USDC and DAI are fine, thank you @Alex_L

Hi Yaco, audit compensation transferred.

Hey, here’s your compensation, sorry for the delay.