From the very start of Lido, external audits have been one of the cornerstone quality standards for the code used in Lido products, specifically for the on-chain code. With Lido’s growing success, audit reports have eventually become an integral attribute of any significant Lido release.
However, until now there has been no clear and public process around planning audits for major protocol upgrades. This has resulted in messed-up timelines, release delays, and hectic operations around finding audit slots, posting finalized audit reports, and funding the related expenses.
We propose forming the Lido on Ethereum Audits Committee aimed at reducing the operational load of the dev team, optimizing audit pipelines, communicating with auditors and the DAO on related topics, and also increasing awareness of Lido security standards within the community.
The main goals of the Audits Committee would be:
- Secure at least two finalized audits for each significant release.
  The most critical (e.g. Withdrawals-related) projects should have 3 audits on them. Rotating auditors from the partner pool and the previously not engaged ones should be considered a good practice. Not having a second public audit report for a major project should be a blocker for release.
- Besides the audit slots for the scheduled releases, have the ability to secure mid-sized audit slots on-demand. Consider a retainer from a reliable partner.
- Figure out and maintain a sustainable workflow to secure formal verification for critical Lido protocol parts.
- Communicate with auditor service providers, and establish long-term relationships with reliable parties.
- Secure funding from the DAO, and budget audit-related expenses based on current demand.
- Keep the community posted about the important audits secured, in order to increase the community awareness of Lido’s security standards.
- Maintain public docs hub page/website page with all the completed audits.
- Perform internal housekeeping of audit slots, their occupation, and scheduling.
We propose including core contributors familiar with Lido roadmaps and short-term timelines in the Audits Committee:
- @ujenjt (core protocol workstream)
- @TheDZhon (core protocol workstream)
- @kadmil (gov-tech workstream)
- @GrStepanov (integrations workstream)
Lido is open to partnership with any existing audit service providers, including community contest-based solutions.
We encourage entities to approach the Lido on Ethereum Audits Committee to discuss partnership opportunities and find the best ways to keep Lido secure. Please email us at [email protected] – we will be happy to chat!