As MaiaDAO continues to prioritize the security and trustworthiness of its ecosystem, the need for a comprehensive audit of the Layer 0 integration contracts becomes paramount. This proposal presents two distinct auditing options for the community's consideration.
Layer 0 contracts form the foundational layer of our ecosystem. Ensuring their security and robustness is not just a priority but a necessity. Both auditing options presented are from reputable firms, each with its unique approach to auditing. While their methodologies differ, their end goal is the same: ensuring the security of our contracts. This proposal aims to highlight these differences, allowing the community to make an informed decision. Additionally, there's potential to save treasury funds, a factor that warrants serious consideration.
Should we change the strategy for our next audit?
Yay: Guardian Audit
- Start Date: End of September
- Duration: 3 weeks
- Downpayment: ~$35,000 (based on SLOC of 3,105)
- Vulnerability Rates: Critical: $10,000; High: $5,000; Medium: $10,000; Low: Free
- Advantages: Significantly cheaper downpayment.
Nay: Code4rena Audit
- Start Date: Start of September
- Duration: 1 week
- Cost: $128,000
- Scope: Comprehensive audit of the Layer 0 contracts.
- Advantages: Earlier start date. Assuming that some of the same auditors compete, they will already be familiar with the majority of our codebase.
- Timeline: While Code4rena offers an earlier start, the difference in start dates between the two options is not significant. The Maian Gods can use the time before the Guardian audit for other Hermes V2 tasks that do not interfere with the audit itself.
- Duration: The Guardian audit takes 2 weeks longer.
- Cost Implications: Code4rena has a fixed cost, while Guardian's cost is composed of a relatively low base quote plus payouts that vary with the vulnerabilities found. Given that a significant portion of our code has already been audited, Guardian might prove meaningfully more cost-effective.
- Incentives: Both models incentivize the auditors to find as many vulnerabilities as possible, with their rewards tied to the number of vulnerabilities found.
- Auditor Pool: Code4rena has a larger group of auditors with varying levels of experience and specialization. Guardian has a smaller team of highly experienced auditors.
We encourage community members to discuss, deliberate, and provide feedback on the two options. Your insights and perspectives are invaluable in making an informed decision.
Upon gathering sufficient feedback and insights, a formal vote will be initiated, allowing members to choose between the two auditing options. The development team will then proceed based on the community's choice, ensuring transparency and regular updates throughout the process.
The decision on which audit to pursue is a pivotal one. As we edge closer to the launch of Hermes V2, ensuring the security of our contracts is paramount. This proposal provides the community with a clear choice between two reputable auditing options. Your involvement and decision are not just welcomed but essential, as they will shape the future security posture of our ecosystem.
This conversation was started on Commonwealth.