Fund Codearena Security Audit for Tribe DAO's Turbo

This is an invitation to discuss and approve the use of Tribe DAO funds and / or grants for the Codearena Security Audit for Tribe DAO product, Turbo.

The audit time has been secured and negotiated for $100k USDC on the basis of an agreed scope, but we can suggest using FEI or converting ourselves to another currency if necessary.

The review is scheduled to start this month, and it is critical for the launch of the Tribe Turbo product.

This is the first Tribe DAO product that requires an audit, and following the examples from Compound, and other protocols, it makes sense that this should be funded by the Tribe DAO.

8 Likes

Agreed on the aspect of the DAO paying for it. As far as the USDC, I don’t think it should be a big problem to quickly buy and then pay 100k USDC, but I think it’d be a good idea to at least shoot for a decentralized (FEI/ETH) payment option. Best to set an example against unnecessarily centralized crypto when we can.

4 Likes

Agree on Tribe DAO paying as this is a TRIBE DAO product.

In relation to the value of $100k, can we have any references to see if the price is ok comparing with market prices?

3 Likes

If you check out the code4rena site, you can see what other projects paid previously for their audits.

Viewing these past examples https://code4rena.com, I think 100k is an average prize pool for decently sized codebases. Paying this amount will incentivize the best auditors and security researchers to dig into our code and try to find bugs.

2 Likes

To add to Elliot’s post. Even grant programs usually pay around $100k, see:

I wonder if it would make sense to pay it out of the second batch of the grants program. But it seems like everybody wants the DAO to pay for it. I am open to both options.

2 Likes

Maybe in the not too distant future, with the Liquid Representative Democracy evolution discussions, we'll have a security-focused pod that would own these types of activities, or security could be incorporated into the respective product (Turbo) pod's responsibilities.

The grants program should be considered for this particular action, as grants are funded by Tribe DAO, and going through a full on-chain governance process for this seems like overkill.

2 Likes

Snapshot should be enough; the OA timelock can send the FEI.

As part of the Fei Grants Committee, I would be happy to fund this through the Batch #2 Grants budget. This would look good on the public page of the program and send a signal to high quality applicants.

It would also allow us to move faster on this, with a snapshot to verify community sentiment.

I would like to bring a different perspective.

Considering the $260k budget of Grants #2, $100k seems a lot to go through grants.

I think the Grants budget could be directed to small and medium grants, less than $100k. From $100k+, maybe it's better to go through the DAO.

I see grants have the power to promote wider community engagement and contribution to the DAO.

Does OA have security audits or service acquisition in its scope? Ultimately, it would be the easiest and most optimal way to do it. We are setting the stage for Tribe DAO to finance its operations moving forward, and the governance upgrades couldn't come any sooner.

Having 50+ hackers get familiar with and excited about Tribe Turbo (as well as Fei and Fuse) through Codearena engagement seems like a good way to expand the community with quality contributors.

Don't think this should go through grants; the audit should be paid in stables. Long term, ideally FEI, but the OA timelock currently has 500k USDC (from the Visor withdrawal) and I'd be in favor of using that.

It might make sense to bulk-buy time from CodeArena if the quality is good (they offer discounts). This would be the second time using them; the first was for GFX's code on the merge that didn't end up being used.

It seems that we have a strong consensus to move forward with this through OA. I'm moving this into last call, and if there are no objections, I will post a snapshot tomorrow for OA to execute a payment of 100k USDC to Codearena.

6 Likes

Snapshot is live: Snapshot

2 Likes

Hi all, Eric here from Code4rena. Joey asked me to stop by and provide some additional info, so I’ll do my best. Happy to try to answer any other questions you might have as well.

We price our audit contests based on a few things: market audit prices (though not sourced directly from other audit firms), market demand for engineering talent in general, and market demand for audits. One of the advantages we're proud to boast about is being able to get projects in for an audit on short notice, typically within a month or less. Our pricing drives the incentive model for our participants and contributes to high participation levels that allow us to add capacity. We're doing that as we speak and are currently getting projects in for audit contests with a week's notice.

We also offer better pricing for projects that pre-purchase "credits" for future contests. This comes in the form of smaller award pools compared to projects that may not return, the thinking being that the participants in the audit contests are likely to already be familiar with the code and therefore need less time/effort to review changes/additions. The minimum commitment we ask for here is $100k, and it is generally applied to our smaller 3-day contests, which are well suited to smaller changes/additions.

A quick note on the form of payment. We’ve found our community has a preference toward stablecoins for the awards. We have done ETH in the past and I think if you all felt strongly about it we could probably do that again.

Thanks for the opportunity, and do let me know if you have any other questions.

2 Likes