Greetings good folks on Giveth Forum,
For your kind consideration, here is our humble proposal.

NOTE: This is an updated version of the original proposal from May 13, 2022.

Proposal description

PowerInside Security Lab proposes to assist Giveth with ensuring that the smart contracts running at the core of GIVeconomy are secure from hacks.

PowerInside has already performed a successful limited pro-bono security audit for Giveth. This proposal will help expand the scope of work to those areas deemed important to Giveth, as indicated in conversations with the Giveth security team.

These are the smart contracts under consideration:

Code

Repo GitHub - Giveth/giv-token-contracts

Addresses

Ethereum mainnet

Gnosis chain

These contracts work among these entities: GIVbacks, GIVstream, GIVgarden, GIVfarm, GIVeth, RegenFarms.

Please note that in the scope of this work are TokenDistro and UnipoolTokenDistributor contracts, which are the base contracts for deploying RegenFarms.

The length of the project is about four weeks.

The outcome of the initiative will be as follows:

1. Summary of the audit report. This will be an easily understood description of the audit and its results for a wide audience. It will include a high-level narrative of found vulnerabilities with a corresponding impact level. It will also include the description of smart contracts’ compliance with the security best practices.

2. A detailed technical report that will include:

   • Review of the architecture
   • References to best smart contract coding practices
   • Description of found vulnerabilities, and how to address them
   • Recommendations for developers

3. A presentation of the report to the Giveth team

4. Subsequent consultations with our team in order to answer any questions.

5. As well, we will present a proposal for a phase II audit with an expanded scope.

@mitch has asked if we would want to assist with security for future smart contracts design for GIVpower. We are looking to build a long-term partnership with you. Let us discuss Giveth’s future needs after this engagement.

Proposal Rationale

1273×1023 239 KB

The purpose of our proposed engagement is to expand the audit and to identify further opportunities to improve Giveth security. The outcome would be to reduce chances for malicious actors to inflict financial or reputational damage to the Giveth tokenomics, its ecosystem and its participants.

In March of 2022, PowerInside team conducted a limited scope, pro-bono security audit of Giveth TRACE. The Giveth team (@griff, @brodhisattva, @geleeroyale) appreciated the quality of the report and has deemed the findings to be useful. Giveth has worked to address the reported vulnerabilities.

PowerInside and Giveth have created a Discord channel in order to share our work and findings with Giveth security folks. The work is ongoing and we have since shared some additional findings.

Team Information

PowerInside Security Lab (https://powerinside.com) has gathered a group of experienced white-hat hackers. For this project, PowerInside will bring in Decurity (https://decurity.io/) smart contract auditors to complement our team.

Funding Information

In order to complete this initiative we respectfully request a grant in GIV tokens valued at USD $40,000. (As of 12:24pm EST on May 11, 2022 USD $40,000 equates to GIV 252,844, at GIV price of $0.1582). Some of the funds will be used to remunerate our hackers and auditors for their contribution to this project. We would like to stake 25% of this sum in GIV/DAI LP on Uniswap for a minimum of three months.

PowerInside is on a mission to make DAOs secure. We see alignment with Giveth’s mission “to build a culture of giving that rewards and empowers those who give” – we want to protect DAO creators and those who give.

Ethereum mainnet address where funds shall be transferred: 0x3DDC95f26D7ED06bBF6EE1B7a73e0a96799522fb

We are glad to answer any questions about this proposal or provide additional information.

Cheers

Hey there! Great to see some professionals come in and audit our contracts, definitely something we need right now in these trying times…

What would be the output of this audit? Is it something that non-developers will be able to read and understand, giving confidence to newcomers to the platform? Do you have any interest in supporting GIV going into the future as we design our contracts for GIVpower?

I would also like if you can verify the base contract we use for deploying regen farms is secure.

Also please add to your list the GIVbacks Relayer contract
0xd0e81E3EE863318D0121501ff48C6C3e3Fd6cbc7 - Gnosis Chain

Hello folks,
@mitch, thank you for the questions and your positive feedback.

As we evaluate the suggested expansion of the scope of this work, it would be helpful to know the exact contracts you mention in the regen farms. Could you list them for us?

And yes, we will be happy to include GIVbacks Relayer contract in the scope of our audit.

Hello @Nazar and welcome to the forums!

AFAIK there is an ongoing audit of the contracts already that was performed by a third party, however @Griff is the one with more information about this initiative. While risking to spread misinformation, the audit was to be pro-bono but the initiative has stalled due to the situation in Ukraine and there was no real progress since.

Perhaps while discussing audits, it’s worth looking at an interesting crowdsourced solution: https://docs.code4rena.com/

Thank you, @paxthemax. Does anyone have more info? E.g. what contracts have been fully audited, is it possible to see the results. It could be helpful for us for our work.

Thank you, everyone, for your feedback.
We have updated the proposal and the scope of work as per some of your comments. Please review, if you could.

Hello, good folks in the community,

More than five days have passed since we published our proposal. As per the discussion during the Giveth Governance meeting on May 16, we now have moved the proposal to GIVgarden for voting. Gardens

Let us answer any questions you may have about the proposed value of this security audit to Giveth. We aim to demonstrate how we can be your security partner for the long run, whatever security challenges the winds may bring to Giveth’s shores.

Wow! This is an awesome proposal!

When you get the funds, please consider Making a second proposal to top it off… as the GIV price has gone down a lot.

Sorry for missing this forum post last week! Oleksii is reviewing the codebase but as @paxthemax said, pro bono and it has been a lower priority for him. i would love to connect you with him to coordinate :-D!

Oh Great, Thank you, @Griff,
Yes, any findings from Oleksii’s work could be helpful to consider. We could re-check his work, as well.

March 28, 2022 rekt.news: “One audit is never enough” says Revest, as they found that the [hacked] vulnerability was not picked up in the project’s audit by solidity.finance.