OIP-98 - Olympus yearly security audit budget and recomp
Category: Proposal

Summary: Establish a yearly budget of $500,000 to be used for smart contract audits, and an additional $100,000 to reimburse Zeus for the v2 migration audit.

Background: The Olympus smart contracts team is working on a number of systems, and must ensure security for these systems. Audits are expensive but must be paid for, and with higher budgets, we can get better auditors for our code. This budget would be used for covering past audits with yAcademy, along with future audits with different firms, such as Spearbit, Code4rena, and others. If further funding is needed, it is to be approved by another OIP.

This OIP is also to reimburse Zeus for his payment to Omniscia of $115,000. This was detailed in the RFC https://forum.olympusdao.finance/d/1179-rfc-audit-recompensation/3.

All costs will be reported on in the quarterly report from the DAO.

Details:

  • Approve Olympus to budget $500,000 a year on security audits for smart contracts
  • Recomp Zeus for $115k for Omniscia audit

Approve budget and recomp?


    Security should have the highest budget of all DAO costs - looking forward to having great firms review upcoming code.

    Thanks for this OIP @indig0 and I agree with glue, security comes first. Flexible budget with a max yearly cap is a great idea.

    What happens to unused budget? Also, how can we track these audits and their costs? Maybe add an area in audit reporting on the transparency dash / Gitbook for the audit cost?

      I'm assuming this would come from DAO held OHM? would be nice to have that clarified in the OIP.

        Thanks for writing this up @indig0! You get what you pay for in the audit industry, so love that this is being prioritized.

        Agreed. Audit budget isn't somewhere you want to cut corners so full support for ensuring we have ongoing review of our contracts. Also, fully on board for accountability of the ongoing spend so that we can track to plan and where the funds are sourced from. As for Zeus, if he paid out of pocket then that's a no brainer and he should be made whole.

        indig0

        500k is a great starting point. I can only imagine what a singular audit can cost. Probably makes it even more so with such a large protocol. I'm a little surprised that Zeus doesn't have discretionary funds set aside for things like that? Should consider that in the future IMO. Even if it's for smaller things relating to daily running costs.

        Can't wait to see the future audits of the contracts.

        Yes to both the 500k audit budget and to reimburse Zeus 😃

        Thank you indigo, this is much needed. I vote to approve the budget and reimburse Zeus for the previous audit. Being proactive and paying for audits up front not only helps to protect our DAO, community, and treasury, but also helps to prevent higher cost expenses in the form of bug bounties on the back end. I appreciate the work you've been doing to research auditors and to make sure the contracts are secure.

        abipup

        I like this, although the funds would not be withdrawn from the DAO treasury if the budget is unused. So this is already fulfilled.

        z_33

        Yes this would come from DAO held OHM.

        I think that allocating a budget of funds to this endeavour (ongoing security audits) is worthwhile.

        What I'd like to understand is how we got to a yearly budget of $500,000. I don't see any logic, estimates from vendors or references to similar projects in order to reach our estimate of $500,000.

        Can someone share this with the community?

          alefort good question

          Contract audits are generally fairly expensive. Our upcoming audits (one from Spearbit and tentatively one from Code4rena) are from $110k to $140k each, for a total of $250k for a single large code release. This is obviously not desirable to do often, but it is necessary to have some assurance of the security of our contracts. To add on, we had a $30k audit for the bonds code, and are currently auditing our incurDebt contracts. As you can see, the bill quickly adds up. If we are to attempt at least 2 major releases and many minor releases in a year, it is very easy to see how $500k could be used.

          I do not want to skimp on audit costs, as I think paying for quality security reviews far outweighs the risks of not having them in the case of a catastrophic exploit.

            indig0 Thank you for this insight. This helps immensely. It would be a good practice to include this information in the poll/proposal discussion at the outset.

            I approve of this motion.
