Draft Proposal: XIP#43 Clear budget for two protocol audits for NFTX V3

Authors

  • Javery

Glossary

Summary

This proposal is intended to clear a code audit budget associated with two scheduled security reviews of the NFTX V3 protocol by Spearbit and Code Arena (C4).

Rationale

Since V2 of the NFTX protocol was launched and subsequent features have been released, the team have reworked the protocol to allow for wholesale improvements across the NFTX platform.

We are projecting increased demand for the protocol on the release of V3, and we expect existing NFTX V2 users to migrate their inventory and liquidity to the new protocol.

We have previous experience with C4 from the XIP#8 Security Review, and we are planning to use C4 again; their contest will follow on from the full audit secured with Spearbit.

Effect

Opportunity

  • By locking down our slots for running audits with Code Arena and Trail of Bits Spearbit, we get an extra set of eyes on the new protocol, which will run in isolation from the existing V2 protocol.

Risk

  • Bugs in the smart contracts are not found during the audits, and additional capital is required through our bug bounty program.
  • C4 are unable to provide a quote without the completed set of contracts (due end of June); they may recommend a higher bounty than we have provisioned ($66k).

Specifications

Clear a budget for two audits with Spearbit and C4. This brings us:

  • Multiple Solidity experts will review the protocol to find vulnerabilities before deployment
  • Engineers that participate in the contest will become familiar with our protocol, which may make them comfortable integrating NFTX V3 into other projects they contribute towards
  • Some marketing from C4 as they publicise the contest
  • Official audit deliverables to refer to from Spearbit

Funding request - Yes

  • In order to fund the security reviews, we will be required to pay Spearbit $234,000 USD (two hundred thirty four thousand) and C4 $66,000 (sixty six thousand), totaling $300,000 (three hundred thousand). This amount is to cover all costs associated with both audits.

The funds are to be paid upfront to Spearbit after the vote passes, and to C4 once they confirm the contest amount.

Communication

Quorum (for Forum)

  • Minimum Quorum: At least 5 votes
  • Passing Threshold: More than 50% must vote in agreement for the XIP to Pass. For changes to the NFTX contract, more than 70% must vote in agreement for the XIP to pass.
Poll: Provide funding for two smart contract audits
  • Yes, approve $300k for audits
  • No


The first audits have been completed by Spearbit; however, the quote for Code Arena was higher than initially anticipated. The quote was spread across three options:

  1. $130k
  2. $180k
  3. $280k

As a result, the team reached out to other potential audit providers as well, with Sherlock coming back as a highly recommended alternative.

The Sherlock competition provides a top Lead Senior Watson to take part in the contest as well.

The competition starts at $137k (with 10% going to Sherlock) and it would be an audit of the entire codebase. While NFTX could run a cheaper competition, the $137k enables the contracts to take on smart contract coverage at the completion of the review. This costs a further ~$3.3k per month to be eligible for the coverage, but provides up to $200k of critical bug payout and $2m reimbursement in the event of a hack. - see edit

We recommend taking this audit option along with at least 6 months of coverage at the completion.

+  66.0 (existing budget for audits remaining)
- 137.0 (audit cost)
-  19.8 (3.3k fee for 6 months)
=  90.8k (additional USDC budget required)

With this being a new protocol, it seems pragmatic to ensure that additional audits are completed and that users may be covered in the event of a hack on the protocol.

Edit

The competition starts at $137k (with an additional 10%, $13.7k, going to Sherlock) and it would be an audit of the entire codebase. While NFTX could run a cheaper competition, the $137k enables the contracts to take on smart contract coverage at the completion of the review. This costs a further ~$6.6k per month to be eligible for the coverage, but provides up to $200k of critical bug payout and $2m reimbursement in the event of a hack.

+  66.0 (existing budget for audits remaining)
- 137.0 (audit cost) + 10% = 150.7k
-  19.8 (6.6k fee for 3 months; 6.6k/month for $2m coverage, 3.3k/month for $1m coverage)
=  104.5k (additional USDC budget required)