Code 423n4 Audit - Bug Bounty

Leading up to the mainnet launch of Tracer Perpetual Swaps, we are looking to run an additional audit on the Tracer Perpetual Swaps contracts as a bug bounty. This audit would be in addition to Alpha Testing. Lion’s Mane has met with Code Arena, which offers a “community-driven approach to competitive smart contract audits”. In addition to Sigma Prime’s audit, this initiative accords with Tracer’s vision for deploying impenetrable smart contracts.

Code Arena offers an open-source public bounty contest to battle-test codebases. For the Tracer Perpetual Swaps codebase, Code Arena are requesting from Tracer DAO:

  1. $80,000 USDC (or equivalent) and 600,000 TCR tokens for the bounty award pool; and
  2. $16,000 USDC (or equivalent) and 400,000 TCR tokens for Code Arena’s efforts in connection with the bug bounty.

The timeline for Tracer Perpetual Swaps is currently as follows:

  • 22nd June - Tracer Perpetual Swaps Alpha Testing begins (Alpha Tester access only)
  • 24th June - Code Arena hosts bug bounty for 1 week (all access)
  • 30th June - Tracer Perpetual Swaps live on Arbitrum

To accord with this timeline, and depending on the success of this EOI, Lion’s Mane is prepared to incur an initial deposit of $16,000 USD (or equivalent), to be reimbursed by Tracer DAO at a later date.

Therefore, the total consideration from Tracer DAO to Code Arena will be:

  1. $96,000 USDC, in two instalments:
     a. $80,000 USDC paid to Code Arena upon a successful proposal; and
     b. $16,000 USDC paid to Lion’s Mane at a later date; and
  2. 1,000,000 TCR (600,000 TCR + 400,000 TCR).

Please share your comments on this EOI in the thread below.


IMO the price is pretty steep for a 1-week competition when a Trail of Bits audit is $50k.

Is there a way to increase the duration of the competition or lower the cost?

There’s also Immunefi, where you can host bug bounties indefinitely (?), though I don’t know if they take a cut or an ongoing service fee.


Point taken. The amount was proposed/recommended and confirmed by Code 423n4 for the codebase specs that we provided them with.

Increasing the duration of the competition may be possible. Immunefi looks interesting, I’ll share it with my team to further scope out.

Hi all! Eric here from Code 423n4. @adam.lionsmane asked me to stop by and provide some info about our org. I appreciate the opportunity to host a contest for Tracer, and I’m happy to share a little bit about us.

If you haven’t checked out our site yet, I’d encourage you to do that. We have a handful of audit reports posted there and are currently working through a backlog of contests to get more posted. Also, we recently moved our public documentation to GitBook, which can be found at https://docs.code4rena.com/. I’m going to shamelessly crib from there some of the benefits of sponsoring a contest with us:

  • We can usually get an audit contest run within 4-6 weeks. Something we consistently hear from sponsors is that they want a quick turnaround, which we know can be hard to find. I believe I first started talking to folks from Tracer a little over a week ago, and your contest is slated to start in two weeks.

  • Our incentive structure helps drive creativity, diligence, effort, and quality. The chance to earn relative to your skill and effort means more interest and creativity from wardens (what we call our security auditors).

  • Diverse perspectives: recently our contests have had around 10 wardens submit findings. One of our largest one-week contests (~$200k pot) yielded around 120 unique findings. As I’m sure you all know, coming at a problem with different skill sets, experience, and interests provides broad coverage of possible solutions.

We have an energetic community that is passionate about security in the Ethereum ecosystem. We believe our organization and model can be a valuable addition to the security work already being done in DeFi and with smart contracts generally. Expanding the options that projects have when it comes to security audits and testing is not only desirable, but we believe can help create a rising tide that lifts all boats.


I support this proposal - the TCR amount is just 0.1% of the total supply and the costs otherwise seem reasonable for such a quick audit.

@ninek - thanks for this - I see https://twitter.com/cmichelio is on top of your leaderboard, and that is an encouraging sign. I would be curious to know how the Tracer TCR amount was selected (noting it may be as simple as a round number based on the 40% fee)? Also, does Code 423n4 propose to have a governance token at some point, and would participation by the Tracer DAO in the Code Arena be the type of activity which may qualify for a distribution of such a token?

@Beepidibop I think the problem with pursuing a Trail of Bits audit is that the earliest audit from them would commence in September. In relation to Immunefi - ongoing bug bounties such as those that they facilitated are incentivized differently, with a payout structure on finding at any time (with payouts based on severity) - rather than a competitive period with a distributed pot like Code 423n4. It seems that Code Arena is more like an audit - and the bug bounties are a useful tool to protect users in an ongoing fashion. We should do both imo.