Greetings good folks on Giveth Forum,
For your kind consideration, here is our humble proposal.
NOTE: This is an updated version of the original proposal from May 13, 2022.
PowerInside Security Lab proposes to assist Giveth with ensuring that the smart contracts running at the core of GIVeconomy are secure from hacks.
PowerInside has already performed a successful limited pro-bono security audit for Giveth. This proposal will help expand the scope of work to those areas deemed important to Giveth, as indicated in conversations with the Giveth security team.
|All contracts except GivBacksRelayer.sol||3b30f6f3446fcd68e96b215a18f7dfbcc34e4627|
|UnipoolTokenDistributor.sol||0x4B9EfAE862a1755F7CEcb021856D467E86976755 (GIV staking pool)|
|UnipoolTokenDistributor.sol||0xa4523D703F663615Bd41606B46B58dEb2F926D98 (Uniswap V2: DAI-GIV)|
|UnipoolTokenDistributor.sol||0xc0dbDcA66a0636236fAbe1B3C16B1bD4C84bB1E1 (Balancer WeightedPool 80GIV-20WETH)|
|GIVeth from Mainnet (TokenERC677.sol)||0x4f4F9b8D5B4d0Dc10506e5551B0513B61fD59e75|
|UnipoolTokenDistributor.sol||0x4B9EfAE862a1755F7CEcb021856D467E86976755 (GIV/HNY pool token)|
|UnipoolTokenDistributor.sol||0xfB429010C1e9D08B7347F968a7d88f0207807EF0 (GIV/WETH pool token)|
These contracts work among these entities: GIVbacks, GIVstream, GIVgarden, GIVfarm, GIVeth, RegenFarms.
Please note that in the scope of this work are TokenDistro and UnipoolTokenDistributor contracts, which are the base contracts for deploying RegenFarms.
The length of the project is about four weeks.
The outcome of the initiative will be as follows:
Summary of the audit report. This will be an easily understood description of the audit and its results for a wide audience. It will include a high-level narrative of found vulnerabilities with a corresponding impact level. It will also include the description of smart contracts’ compliance with the security best practices.
A detailed technical report that will include:
- Review of the architecture
- References to best smart contract coding practices
- Description of found vulnerabilities, and how to address them
- Recommendations for developers
A presentation of the report to the Giveth team
Subsequent consultations with our team in order to answer any questions.
As well, we will present a proposal for a phase II audit with an expanded scope.
@mitch has asked if we would want to assist with security for future smart contracts design for GIVpower. We are looking to build a long-term partnership with you. Let us discuss Giveth’s future needs after this engagement.
The purpose of our proposed engagement is to expand the audit and to identify further opportunities to improve Giveth security. The outcome would be to reduce chances for malicious actors to inflict financial or reputational damage to the Giveth tokenomics, its ecosystem and its participants.
In March of 2022, PowerInside team conducted a limited scope, pro-bono security audit of Giveth TRACE. The Giveth team (@griff, @brodhisattva, @geleeroyale) appreciated the quality of the report and has deemed the findings to be useful. Giveth has worked to address the reported vulnerabilities.
PowerInside and Giveth have created a Discord channel in order to share our work and findings with Giveth security folks. The work is ongoing and we have since shared some additional findings.
PowerInside Security Lab (https://powerinside.com) has gathered a group of experienced white-hat hackers. For this project, PowerInside will bring in Decurity (https://decurity.io/) smart contract auditors to complement our team.
In order to complete this initiative we respectfully request a grant in GIV tokens valued at USD $40,000. (As of 12:24pm EST on May 11, 2022 USD $40,000 equates to GIV 252,844, at GIV price of $0.1582). Some of the funds will be used to remunerate our hackers and auditors for their contribution to this project. We would like to stake 25% of this sum in GIV/DAI LP on Uniswap for a minimum of three months.
PowerInside is on a mission to make DAOs secure. We see alignment with Giveth’s mission “to build a culture of giving that rewards and empowers those who give” – we want to protect DAO creators and those who give.
Ethereum mainnet address where funds shall be transferred: 0x3DDC95f26D7ED06bBF6EE1B7a73e0a96799522fb
We are glad to answer any questions about this proposal or provide additional information.