Gearbox | by 0xab025D1Cb886D8464f6aECfC7144C6c4D07aa6D8 | desnakeee.eth

[GIP-266] MixBytes Strategic Security Partnership

Voting ended 4 months ago. Succeeded

Authors

MixBytes & Gearbox SC initiative

Overview

MixBytes proposes that the Gearbox DAO consider entering into a Strategic Security Partnership—a format in which a security partner is embedded into your SDLC (Software Development Life Cycle) from architecture to post-release: design reviews, diff audits, pre-/post-deploy checks, and incident response.

Key advantages: one team preserves context, predictable start windows, lower total cost through reduced onboarding and earlier risk interception, and flexible scaling from 1 auditor-day to full team-days.

Billing is pay-as-you-go (T&M) with priority scheduling and a defined SLA. The format is designed for teams with regular releases and complex architectures, and it includes custom security tasks beyond normal audits: economic model validation, network risk assessment for new deployments, role risk analysis, test development/review (unit/integration/fuzz), off-chain white-box reviews, report triage (contest/bounty/AI), DAO support, targeted security research, and any other custom security tasks agreed with the client.

About MixBytes

MixBytes is a leading provider of smart contract audit and research services, helping blockchain projects enhance security and reliability. Since its inception, MixBytes has been committed to safeguarding the Web3 ecosystem by delivering rigorous security assessments and cutting-edge research tailored to DeFi projects.

The team has a long, verifiable track record with Gearbox—from auditing the protocol’s first version in 2021 to ongoing reviews of new adapters (the full audit registry is available via link).

MixBytes is deeply familiar with Gearbox’s architecture. Combined with broad expertise and work with leading protocols (Lido, Curve, Aave, Mellow, Fluid, Euler, and others), this provides a unique mix of competencies and a clear edge for the Gearbox community.

Services Included

Audit & Review

  • Product review during development (audits, re-audits, diff audits, PR reviews)
  • Deployment and migration verification (bytecode verification, initialization parameters checks, role checks)
  • Test coverage (preparation of unit, integration, fuzzing tests)
  • Off-chain service review (white-box approach)

Architecture & Integrations

  • Security review / preparation of architectural design and specifications for new features, products, and integrations (pre-implementation)
  • Risk assessment for deploying to new networks
  • Role risk analysis — evaluating access control and permission structures

Terms & Conditions

  • Monthly allocation: At the start of each month, after a short sync, specific slots are reserved for the client and prioritized over one-off audits.
  • Outside the window / on-demand: Urgent work arising mid-month is placed into the earliest available slot on a best-effort basis without affecting already confirmed bookings.
  • Incident SLA:
      • Live exploits — emergency contact, immediate war-room activation
      • Critical-severity bug reports (bounty platforms) — response ≤ 2 business days
      • High-severity bug reports (bounty platforms) — response ≤ 4 business days
  • Reporting: real-time tracking in T&M format
  • Team: flexible allocation — from 1 auditor-day to a 3-auditor team-day, depending on task type

Pricing

  • Payment: pay-as-you-go, invoiced at month-end for actual team-days/auditor-days consumed
  • Deposit: none
  • **Planned monthly workload (range):** 5–10 team-days, corresponding to a codebase size of 900–1,700 nSLOC or 80–150 price feeds.
  • **Budget Cap:** The budget is capped at $50,000. If everything goes well and results are satisfactory, SC Initiative may initiate a new proposal for an extra $50,000 upon reaching this threshold. Note: given the planned monthly workload (5–10 days/month), this budget should cover approximately 3–4 months of work.

Execution

Contingent on the proposal’s outcome, the budget will be allocated from the financial multisig. Progress updates and budget reports will be shared in the attached Discord topic.

Off-Chain Vote

  • For: 268.98M GEAR (100%)
  • Against: 0 GEAR (0%)
  • Abstain: 0 GEAR (0%)
  • Quorum: 134%

Timeline

  • Oct 17, 2025: Proposal created
  • Oct 17, 2025: Proposal vote started
  • Oct 20, 2025: Proposal vote ended
  • Dec 22, 2025: Proposal updated