Security should have the highest budget of all DAO costs - looking forward to having great firms review upcoming code.
OIP-98 - Olympus yearly security audit budget and recomp
Thanks for this OIP @indig0, and I agree with glue: security comes first. A flexible budget with a max yearly cap is a great idea.
What happens to unused budget? Also, how can we track these audits and their costs? Maybe add an area in audit reporting on the transparency dash / Gitbook for the audit cost?
I'm assuming this would come from DAO-held OHM? Would be nice to have that clarified in the OIP.
Agreed. Audit budget isn't somewhere you want to cut corners, so full support for ensuring we have ongoing review of our contracts. Also fully on board with accountability for the ongoing spend, so that we can track against plan and see where the funds are sourced from. As for Zeus, if he paid out of pocket then that's a no-brainer and he should be made whole.
500k is a great starting point. I can only imagine what a singular audit can cost. Probably makes it even more so with such a large protocol. I'm a little surprised that Zeus doesn't have discretionary funds set aside for things like that? Should consider that in the future IMO. Even if it's for smaller things relating to daily running costs.
Can't wait to see the future audits of the contracts.
Yes to both the 500k audit budget and to reimburse Zeus
Thank you indigo, this is much needed. I vote to approve the budget and reimburse Zeus for the previous audit. Being proactive and paying for audits up front not only helps to protect our DAO, community, and treasury, but also helps to prevent higher cost expenses in the form of bug bounties on the back end. I appreciate the work you've been doing to research auditors and to make sure the contracts are secure.
abipup, this is something we could track on either the transparency dash or on our expense sheet in the quarterly report.
Yes.
I think that allocating a budget of funds to this endeavour (ongoing security audits) is worthwhile.
What I'd like to understand is how we got to a yearly budget of $500,000. I don't see any logic, estimates from vendors, or references to similar projects used to reach our estimate of $500,000.
Can someone share this with the community?
Could we make the v2 migration audit data public? Nothing is available on https://docs.olympusdao.finance/main/contracts/audits .
alefort, good question.
Contract audits are generally fairly expensive. Our upcoming audits (one from Spearbit and tentatively one from CodeArena) are from 110k to 140k each, for a total of 250k for a single large code release. This is obviously not desirable to do often, but it is necessary to have some assurance of the security of our contracts. To add on, we had a $30k audit for the bonds code, and we are currently auditing our incurDebt contracts. As you can see, the bill quickly adds up. If we are to attempt at least 2 major releases and many minor releases in a year, it is very easy to see how 500k could be used.
I do not want to skimp on audit costs, as I think paying for quality security reviews far outweighs the risks of not having them in the case of a catastrophic exploit.