Easy Track security assessment proposal

We have previously proposed Easy Track motions as a Lido governance update aimed at removing part of the operational burden from the DAO.

Easy Track is a voting model where a motion is considered to have passed if the minimum objections threshold hasn’t been reached. With Easy Track motions there’s no need to vote ‘pro’; token holders only have to vote ‘contra’ if they have objections. There is also no requirement to ask the broader DAO community to vote on proposals that spark no debate, making it easier to manage.

Initially, Easy Track motions will address a few specific voting types, i.e.: increasing node operators’ staking limits and allocating funds into the LEGO program and multiple Lido reward programs.
Though limited to only a handful of operations, Easy Track motions will interact with critical parts of the protocol and create a potential area of attack, if not some space for development-related risks, such as bugs or overlooked vulnerabilities.
To remove those risks, the Easy Track developers utilize the best development practices and put multiple sanity checks and security mechanisms in place, including emergency braking (read more about it here).

Security assessment proposal

We consider it a good practice to submit significant features for audit to established and well-known penetration testing and security assessment providers.
We have approached Sigma Prime to perform a security assessment of Easy Track. Sigma Prime is a leading provider of Ethereum smart contract security assessments, and they have previously provided an in-depth Lido Finance Security Assessment in December 2020.
The newly proposed security assessment includes reviewing 16 Easy Track related smart contracts, and the primary deliverable of this engagement will be a report-style document listing any vulnerabilities discovered during the security review.
Sigma Prime came up with an offer to conduct the tests and perform the security assessment within four weeks starting on August 9th. The total consultancy fee will be $83,125 and will involve a 5% surcharge if Lido DAO pays in crypto. Paying in crypto also implies that the entire engagement fee is to be paid upfront.
This pricing expects a “two-round” security review, following this sequence:

  1. Sigma Prime will be given access to the components to be security reviewed.
  2. Sigma Prime will perform a security review on the agreed scope.
  3. Sigma Prime will provide the security review results, in confidence, to Lido DAO.
  4. Lido DAO will make any amendments if required.
  5. Sigma Prime will then perform a retesting of the vulnerabilities identified and update the initial security review to provide, for each vulnerability, either an indication if the issue has been fixed and comments on the fix, or a comment from Lido DAO as to why the issue does not require a fix.
  6. Sigma Prime will present the final, updated security review to Lido DAO in confidence.
  7. Lido DAO will be given the option to allow Sigma Prime to publish the report as-is, or for it to be kept confidential.

We want to open this thread and see if Lido DAO agrees on said terms and is okay to allocate around 45 ETH (at the time of writing) from the DAO Treasury for this purpose.


Today’s weekly “omnibus vote” will include Sigma Prime payment for the Easy Tracks audit.
We will vote for allocating $87,281.25 to pay for the security assessment (includes a 5% crypto surcharge).

To avoid extra fuss with conversions and price fluctuations, we would like to transfer ETH from the DAO treasury to the Lido Finance multisig wallet (2/3, owned by Victor @kadmil, Vasiliy @vsh and Nikolay @MineDeFi), and then pay for the audit in USDT or USDC as requested by Sigma Prime.

The Lido Finance multisig is a hack job for now – we’d prefer better composition but couldn’t assemble in one morning.


The vote is live: Aragon
