Proposal - Grant request for security audit of smart contracts at the core of GIVeconomy

:smiley: Greetings good folks on Giveth Forum,
For your kind consideration, here is our humble proposal.

NOTE: This is an updated version of the original proposal from May 13, 2022.

Proposal description

PowerInside Security Lab proposes to assist Giveth with ensuring that the smart contracts running at the core of GIVeconomy are secure from hacks.

PowerInside has already performed a successful limited pro-bono security audit for Giveth. This proposal will help expand the scope of work to those areas deemed important to Giveth, as indicated in conversations with the Giveth security team.

These are the smart contracts under consideration:

Code

Repo: GitHub - Giveth/giv-token-contracts

Contracts                                  Commit
All contracts except GivBacksRelayer.sol   3b30f6f3446fcd68e96b215a18f7dfbcc34e4627
GivBacksRelayer.sol                        6e3a9e0b0eb6ecd52dbbcea15951a1890c6345bc

Addresses

Ethereum mainnet

Contract name                  Address
TokenDistro.sol                0x87de995f6744b75bbe0255a973081142adb61f4d
UnipoolTokenDistributor.sol    0x4B9EfAE862a1755F7CEcb021856D467E86976755 (GIV staking pool)
UnipoolTokenDistributor.sol    0xa4523D703F663615Bd41606B46B58dEb2F926D98 (Uniswap V2: DAI-GIV)
UnipoolTokenDistributor.sol    0xc0dbDcA66a0636236fAbe1B3C16B1bD4C84bB1E1 (Balancer WeightedPool 80GIV-20WETH)
UniswapV3RewardToken           0x3115e5aAa3D6f742d09fbB649150dfE285a9c2A3
GIV token                      0x900db999074d9277c5da2a43f252d74366230da0

Gnosis chain

Contract name                              Address
GIVeth from Mainnet (TokenERC677.sol)      0x4f4F9b8D5B4d0Dc10506e5551B0513B61fD59e75
MerkleDistro.sol                           0x930fa895cA9bB9fC7AfC3054A67C0615c8225b4B
GardenUnipoolTokenDistributor.sol          0xD93d3bDBa18ebcB3317a57119ea44ed2Cf41C2F2
TokenDistro.sol                            0xc0dbDcA66a0636236fAbe1B3C16B1bD4C84bB1E1
UnipoolTokenDistributor.sol                0x4B9EfAE862a1755F7CEcb021856D467E86976755 (GIV/HNY pool token)
UnipoolTokenDistributor.sol                0xfB429010C1e9D08B7347F968a7d88f0207807EF0 (GIV/WETH pool token)
GivBacksRelayer.sol                        0xd0e81E3EE863318D0121501ff48C6C3e3Fd6cbc7

These contracts work among these entities: GIVbacks, GIVstream, GIVgarden, GIVfarm, GIVeth, RegenFarms.

Please note that in the scope of this work are TokenDistro and UnipoolTokenDistributor contracts, which are the base contracts for deploying RegenFarms.

The length of the project is about four weeks.

The outcome of the initiative will be as follows:

  1. Summary of the audit report. This will be an easily understood description of the audit and its results for a wide audience. It will include a high-level narrative of found vulnerabilities with a corresponding impact level. It will also include the description of smart contracts’ compliance with the security best practices.

  2. A detailed technical report that will include:

    • Review of the architecture
    • References to best smart contract coding practices
    • Description of found vulnerabilities, and how to address them
    • Recommendations for developers

  3. A presentation of the report to the Giveth team

  4. Subsequent consultations with our team in order to answer any questions.

  5. As well, we will present a proposal for a phase II audit with an expanded scope.

@mitch has asked if we would want to assist with security for future smart contracts design for GIVpower. We are looking to build a long-term partnership with you. Let us discuss Giveth’s future needs after this engagement.

Proposal Rationale

The purpose of our proposed engagement is to expand the audit and to identify further opportunities to improve Giveth security. The outcome would be to reduce chances for malicious actors to inflict financial or reputational damage to the Giveth tokenomics, its ecosystem and its participants.

In March of 2022, the PowerInside team conducted a limited-scope, pro-bono security audit of Giveth TRACE. The Giveth team (@griff, @brodhisattva, @geleeroyale) appreciated the quality of the report and has deemed the findings to be useful. Giveth has worked to address the reported vulnerabilities.

PowerInside and Giveth have created a Discord channel in order to share our work and findings with Giveth security folks. The work is ongoing and we have since shared some additional findings.

Team Information

PowerInside Security Lab (https://powerinside.com) has gathered a group of experienced white-hat hackers. For this project, PowerInside will bring in Decurity (https://decurity.io/) smart contract auditors to complement our team.

Funding Information

In order to complete this initiative we respectfully request a grant in GIV tokens valued at USD $40,000. (As of 12:24pm EST on May 11, 2022, USD $40,000 equates to GIV 252,844, at a GIV price of $0.1582.) Some of the funds will be used to remunerate our hackers and auditors for their contribution to this project. We would like to stake 25% of this sum in GIV/DAI LP on Uniswap for a minimum of three months.

PowerInside is on a mission to make DAOs secure. We see alignment with Giveth’s mission “to build a culture of giving that rewards and empowers those who give” – we want to protect DAO creators and those who give.

Ethereum mainnet address where funds shall be transferred: 0x3DDC95f26D7ED06bBF6EE1B7a73e0a96799522fb

We are glad to answer any questions about this proposal or provide additional information.

Cheers :smiley:

4 Likes

Hey there! Great to see some professionals come in and audit our contracts, definitely something we need right now in these trying times…

What would be the output of this audit? Is it something that non-developers will be able to read and understand, giving confidence to newcomers to the platform? Do you have any interest in supporting GIV going into the future as we design our contracts for GIVpower?

I would also like it if you could verify that the base contract we use for deploying regen farms is secure.

Also please add to your list the GIVbacks Relayer contract
0xd0e81E3EE863318D0121501ff48C6C3e3Fd6cbc7 - Gnosis Chain

3 Likes

Hello folks,
@mitch, thank you for the questions and your positive feedback.

As we evaluate the suggested expansion of the scope of this work, it would be helpful to know the exact contracts you mention in the regen farms. Could you list them for us?

:handshake: And yes, we will be happy to include GIVbacks Relayer contract in the scope of our audit. :handshake:

2 Likes

Hello @Nazar and welcome to the forums!

AFAIK there is an ongoing audit of the contracts already that was performed by a third party; however, @Griff is the one with more information about this initiative. At the risk of spreading misinformation: the audit was to be pro-bono, but the initiative has stalled due to the situation in Ukraine and there has been no real progress since.

Perhaps while discussing audits, it’s worth looking at an interesting crowdsourced solution: https://docs.code4rena.com/

1 Like

Thank you, @paxthemax. Does anyone have more info? E.g., which contracts have been fully audited, and is it possible to see the results? It could be helpful for our work.

1 Like

Thank you, everyone, for your feedback. :handshake:
We have updated the proposal and the scope of work as per some of your comments. Please review, if you could. :eye:

2 Likes

:wave: Hello, good folks in the community, :wave:

More than five days have passed since we published our proposal. As per the discussion during the Giveth Governance meeting on May 16, we have now moved the proposal to GIVgarden for voting.

Let us answer any questions you may have about the proposed value of this security audit to Giveth. We aim to demonstrate how we can be your security partner for the long run, whatever security challenges the winds may bring to Giveth’s shores.

:purple_heart:

2 Likes

Wow! This is an awesome proposal!

When you get the funds, please consider making a second proposal to top it off… as the GIV price has gone down a lot.

2 Likes

Sorry for missing this forum post last week! Oleksii is reviewing the codebase, but as @paxthemax said, it is pro bono and it has been a lower priority for him. I would love to connect you with him to coordinate :-D!

1 Like

Oh great, thank you, @Griff.
Yes, any findings from Oleksii’s work could be helpful to consider. We could re-check his work as well.

March 28, 2022 rekt.news: “One audit is never enough” says Revest, as they found that the [hacked] vulnerability was not picked up in the project’s audit by solidity.finance.

2 Likes