Code4rena audits for new ENS code

TNL is getting close to having new versions of the following contracts ready for deployment:

  • Name wrapper
  • .eth registrar controller
  • Reverse registrar
  • Public resolver

In some instances the changes are fairly small, but in others they’re substantial. An earlier version of the name wrapper was previously audited, but it’s undergone substantial changes since then.

I’d like to get a temp check for hosting a code4rena audit competition for this bundle of contracts. It looks like typical compensation is ~$50-75k, and the turnaround times can be much faster than contracting with an audit firm.

7 Likes

I’m strongly for this. I trust auditing that’s open to anyone much more than auditing that’s done behind closed doors by an auditing firm.

How will the compensation work? If it’s for finding a serious vulnerability, I think 50-75k seems a bit on the low side?

3 Likes

The way it works is that judges rank each submitted vulnerability according to a rubric, and then the bounty gets awarded in proportion to the severity of the issues found. If there’s one critical issue found, it gets the bulk of the reward. If it’s only low-severity issues, the reward gets distributed out amongst them.

1 Like

How about the 50-75k you proposed for code4rena, and if the vulnerability found is critical the DAO could optionally award an additional 25k?

1 Like

I don’t think code4rena supports that kind of tiered reward, but we can investigate it.

1 Like

Worth a try, the more eyes we get on this the better.

2 Likes

We’ve decided to go ahead with this, but that it makes the most sense for this to be a TNL expense, as part of the engineering services we offer the DAO. We’re launching the audit with a $75k prize on the 5th.

5 Likes