This is an invitation to discuss and approve the use of Tribe DAO funds and/or grants for the Codearena Security Audit for the Tribe DAO product, Turbo.
The audit time has been secured and negotiated for $100k USDC on the basis of an agreed scope, but we can suggest using FEI or converting ourselves to another currency if necessary.
The review is scheduled to start this month, and it is critical for the launch of the Tribe Turbo product.
This is the first Tribe DAO product that requires an audit, and following the examples from Compound, and other protocols, it makes sense that this should be funded by the Tribe DAO.
Agreed on the aspect of the DAO paying for it. As far as the USDC, I don’t think it should be a big problem to quickly buy and then pay 100k USDC, but I think it’d be a good idea to at least shoot for a decentralized (FEI/ETH) payment option. Best to set an example against unnecessarily centralized crypto when we can.
If you check out the code4rena site, you can see what other projects paid previously for their audits.
Viewing these past examples https://code4rena.com, I think 100k is an average prize pool for decently sized codebases. Paying this amount will incentivize the best auditors and security researchers to dig into our code and try to find bugs.
To add to Elliot’s post. Even grant programs usually pay around $100k, see:
I wonder if it would make sense to pay it out of the second batch of the grants program. But it seems like everybody wants the DAO to pay for it. I am open to both options.
Maybe in the not too distant future, with the Liquid Representative Democracy evolution discussions, we’ll have a security-focused pod that would own these types of activities, or security could be incorporated into the respective product (Turbo) pod’s responsibilities.
The grants program should be considered for this particular action, as grants are funded by Tribe DAO, and going through a full on-chain governance process for this seems like overkill.
As part of the Fei Grants Committee, I would be happy to fund this through the Batch #2 Grants budget. This would look good on the public page of the program and send a signal to high quality applicants.
It would also allow us to move faster on this, with a snapshot to verify community sentiment.
Does OA have security audits or service acquisition in its scope? Ultimately, it would be the easiest and most optimal way to do it. We are setting the stage for Tribe DAO to finance its operations moving forward, and the governance upgrades couldn’t come any sooner.
Having 50+ hackers get familiar and excited about Tribe Turbo (as well as Fei and Fuse) through Codearena engagement seems like a good way to expand the community with quality contributors.
Don’t think this should go through grants; the audit should be paid in stables. Long term, ideally FEI, but the OA timelock currently has 500k USDC (from the Visor withdrawal) and I’d be in favor of using that.
It might make sense to bulk buy time from CodeArena if the quality is good (they offer discounts). This would be the second time using them; the first was for GFX’s code on the merge that didn’t end up being used.
It seems that we have a strong consensus to move forward with this through OA. I’m moving this into last call, and if there are no objections, I will post a snapshot tomorrow for OA to execute a payment of 100k USDC to Codearena.
Hi all, Eric here from Code4rena. Joey asked me to stop by and provide some additional info, so I’ll do my best. Happy to try to answer any other questions you might have as well.
We price our audit contests based on a few things: market audit prices (though not sourced directly from other audit firms), market demand for engineering talent in general, and market demand for audits. One of the advantages we’re proud to boast about is being able to get projects in for an audit on short notice, typically within a month or less. Our pricing drives the incentive model for our participants and contributes to high participation levels that allow us to add capacity. We’re doing that as we speak and currently getting projects in for audit contests with a week’s notice.
We also do offer better pricing for projects that pre-purchase “credits” for future contests. This comes in the form of smaller award pools compared to projects that may not return; the thinking being that the participants in the audit contests are likely to already be familiar with the code and therefore need less time/effort to review changes/additions. The minimum commitment we ask for here is $100k and generally is applied to our smaller 3-day contests, which are well-suited to smaller changes/additions.
A quick note on the form of payment. We’ve found our community has a preference toward stablecoins for the awards. We have done ETH in the past and I think if you all felt strongly about it we could probably do that again.
Thanks for the opportunity, and do let me know if you have any other questions.