Auditing Department amendment v4 #64

Open
Dexaran opened this issue May 21, 2021 · 0 comments
Labels: announcement, callisto (Projects that are marked with this label are related to Callisto development.)

Comments

Dexaran (Member) commented May 21, 2021

This amendment to the Security Auditing Department workflow is intended to establish a set of rules for accepting, approving and paying security audit requests at Callisto Network.

Motivation

Previously, the Callisto Team accepted any security audit request and handled it free of charge by subsidizing the work of auditors from the Treasury fund. Audits were processed in a continuous queue as auditors performed the tasks.

This model assumed that audits were delivered in exchange for co-promotion, and that the general use of Callisto as an independent security enhancement mechanism would boost its brand recognition and mass adoption.

The model had two main shortcomings:

  • Smart contract developers tend to use security audits as part of their marketing campaign, and they will not promote Callisto as their partner if the audit identifies critical errors that could damage the marketing of the audited project.

  • Processing a constant queue of security audits is expensive and may hurt Callisto's long-term sustainability.

A new model of accepting audits is hereby proposed to address the flaws of the previous one and ensure the long-term sustainability of the Security Department.

Specification

Limited monthly free-of-charge auditing campaign

The limited free-of-charge audits can be performed in accordance with Auditing Department business model v1.

Paid security audits

Security audits not included in the list of free audits should be processed on a paid basis.

Priority | Payment formula
High     | 500 USD + (0.5 USD per line of code)

  • High priority audits are processed before any audits in the queue, except for the highest priority audits.

  • The security audit requester can further increase the priority of an audit request by negotiating a higher payment with the security auditing manager when submitting the audit request.

We accept ETH, CLO and USDT.

The payment must be sent to the address provided by the Auditing Manager in the comment thread.

The payment amount will be calculated based on the exchange rate of the currency that was used for the payment (at the CoinMarketCap rate). The amount of the payment depends on the length of the code of the auditable contract. Empty lines of code and comments can be excluded.

It is recommended to use a SLOC counter to calculate the accurate number of lines of code that require payment. Any overpaid amount will be returned to the sender's address after the completion of the security audit. Highest priority audit requests are processed ahead of the queue.

Security auditing fee

It is proposed to withhold a certain percentage of each audit request payment in order to fuel the sustainability of the platform.

Collected security auditing fees must be deposited to the Treasury address.

Awaiting payment deadline

Initially, audits were kept in the queue until the author abandoned the audit. Now it has become obvious that any audit request that remains unpaid for more than 2 weeks can be closed.

Audit requests that remained in "awaiting payment" status for more than 2 weeks must be closed.

Security Auditing manager workflow

Initially, the job of the Auditing Manager was limited to comparing auditors' reports and checking their work. It has now become clear that in some circumstances the role of the Auditing Manager can be expanded.

The Security Auditing Manager is allowed to participate in the audit process alongside the assigned auditors. In this case he should create his own Audit Report gist as if he were an auditor and perform a review of the contract code. Since the manager sees all the auditors' reports during the process, he should only describe those findings that the other auditors failed to report.

The Security Auditing Manager is not obligated to participate in the auditing process.

There are two possible scenarios for rewarding Security Auditors and Auditing Manager:

  1. If the Auditing Manager finds any "medium" or higher severity issues that the other auditors failed to report, then these "medium" or higher severity issues must be used in the reward calculation formula (see Auditing Department reward calculation v2). The Auditing Manager is paid for finding these issues upon completion of the audit as if he were an active auditor.
  2. If the Auditing Manager did not find any "medium" or higher severity issues that the other auditors failed to report, then the Auditing Manager is excluded from the process of reward calculation.
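Added illustration of the "paid security audits" pricing rules above; this is example code written for this page, not Callisto's own tooling. It counts the lines of a Solidity contract that actually carry code (blank lines and comment-only lines excluded, as the amendment allows), handles `//` and `/* */` comments while leaving comment-like text inside string literals alone, and applies the High priority formula of 500 USD + 0.5 USD per counted line. The sample contract and the token exchange rate in the usage call are constructed for the example.

```python
"""Solidity SLOC counter and audit fee calculator (added example)."""
from __future__ import annotations

BASE_FEE_USD = 500.0   # High priority base fee from the amendment
PER_LINE_USD = 0.5     # per counted line of code


def strip_comments(source: str) -> str:
    """Return source with // and /* */ comments removed.

    Newlines inside block comments are preserved so that line counting
    stays aligned with the original file. Comment markers that appear
    inside string literals (e.g. "https://...") are left untouched.
    """
    out: list[str] = []
    i, n = 0, len(source)
    in_block = False
    in_str: str | None = None
    while i < n:
        ch = source[i]
        if in_block:
            if source.startswith("*/", i):
                in_block = False
                i += 2
            else:
                if ch == "\n":
                    out.append("\n")
                i += 1
            continue
        if in_str:
            out.append(ch)
            if ch == "\\" and i + 1 < n:       # escaped char inside literal
                out.append(source[i + 1])
                i += 2
                continue
            if ch == in_str:
                in_str = None
            i += 1
            continue
        if ch in ('"', "'"):
            in_str = ch
            out.append(ch)
            i += 1
            continue
        if source.startswith("//", i):          # line comment: drop to EOL
            j = source.find("\n", i)
            i = n if j == -1 else j
            continue
        if source.startswith("/*", i):          # block comment start
            in_block = True
            i += 2
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def count_sloc(source: str) -> int:
    """Lines that still contain non-whitespace after comment removal."""
    return sum(1 for line in strip_comments(source).splitlines() if line.strip())


def high_priority_fee_usd(sloc: int) -> float:
    """High priority fee: 500 USD + 0.5 USD per counted line."""
    return BASE_FEE_USD + PER_LINE_USD * sloc


def fee_in_token(fee_usd: float, usd_per_token: float) -> float:
    """Convert the USD fee to the payment token at the given USD rate."""
    return fee_usd / usd_per_token


# Constructed sample contract for the example (not an audited project).
SAMPLE_CONTRACT = """\
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/*
 * Constructed sample contract for the fee example.
 */
contract Vault {
    string public url = "https://example.org"; // literal with // inside
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value; /* inline block */
    }
}
"""

if __name__ == "__main__":
    sloc = count_sloc(SAMPLE_CONTRACT)
    fee = high_priority_fee_usd(sloc)
    # Hypothetical rate of 2 USD per token, used only to show the conversion.
    print(f"SLOC: {sloc}, fee: {fee:.2f} USD, in tokens at 2 USD: {fee_in_token(fee, 2.0):.2f}")
```

For the constructed contract the counter reports 8 lines of code (the SPDX line, the block comment and the blank lines are excluded, while the line holding the `"https://example.org"` literal is kept), giving a High priority fee of 504 USD before conversion to ETH, CLO or USDT.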
Dexaran added the announcement and callisto labels on May 21, 2021.
Dexaran added a commit to EthereumCommonwealth/Auditing that referenced this issue May 25, 2021