Proposal #22: Runtime Verification Perpetual Pools Audit

Summary

Tracer DAO is considering engaging Runtime Verification for an audit of Tracer’s codebase. Runtime Verification provides a smart contract analysis and verification service with experience in formal modelling, analysis, safety, security, validation and verification. They have worked with "NASA, DARPA, Boeing, and Toyota, on formalizing and verifying safety and mission critical systems, and with IOHK and the Ethereum Foundation to formally model and verify not only smart contracts, but also consensus protocols, programming languages and virtual machines."

This audit will be a 7-week process, during which Runtime Verification will detail any errors found with the Tracer Perpetual Pools and vesting contracts codebase. The Mycelium team will work with Runtime Verification throughout the audit to fix any bugs and help them to navigate and understand the codebase. This initiative aligns with the Tracer Whitepaper (Tracer: Peer-to-Peer Finance), where it was set out that Tracer DAO would adhere to strict security standards in relation to its smart contracts.

If engaged by Tracer DAO, Runtime Verification will commence work on 25 October 2021. This proposal seeks to remunerate Runtime Verification for their services to Tracer DAO.


Consideration

For the provision of these services, Runtime Verification requests:

  1. 105,000 USDC immediately; and
  2. 105,000 USDC at the conclusion of the audit.

Deliverables

If Runtime Verification is engaged by Tracer DAO via proposal, it will provide the services in accordance with the points below:

  1. Provide a comprehensive security audit for the Perpetual Pools contracts; and
  2. Provide a comprehensive security audit for the DAO vesting contracts.

Variation and Termination

  1. Runtime Verification acknowledges that, if engaged, its engagement can be varied or terminated by future Proposals.
  2. Runtime Verification expects that any engagement will be terminated if they fail to deliver in accordance with the deliverables specified above.

Conflicts of Interest

In the context of the Tracer project, conflicts of interest include:

  1. Existing Service Providers who are Related Parties; and
  2. Existing (vested and unvested) holdings of TCR tokens.

Runtime Verification wishes to declare the following conflicts of interest:

  1. No conflicts of interest to declare.

Interpretation

Unless otherwise defined in this offer, all terms beginning with a capital letter that are defined in the Participation Agreement have the same meaning unless the context otherwise requires.

If this offer is accepted as a Proposal under the Participation Agreement, Runtime Verification may more formally document aspects of that Proposal.


Copyright Waiver

Copyright and related rights to this Proposal are waived pursuant to CC0.

Consensus check
  • Support Proposal → push to Snapshot
  • Oppose Proposal

1 Like

It goes without saying that the more eyes we have on code, the better. Perfect.

However, after the Sigma Prime, code423n4 (c4) audits and the $1m ImmuneFi bug bounty, realistically what additional benefits do we believe Runtime will bring?

Is there something in particular that Tracer have tasked Runtime to review (new code)? Or will this be an additional general style audit?

Would be great to get a little more context.

FYI, I do believe security is absolutely paramount to the success of the project and the continued investment into audits sets a fantastic example for the rest of the DeFi space.

3 Likes

Great points on the scope. To provide a little more insight, the plan for the Runtime audit is to cover the following:

  • Initial Perpetual Pools codebase with some additional V2 features
  • Vesting contracts found here

A lot of the value from this audit will be derived from those additional features and the vesting contracts, especially in the context of ensuring our previous codebase is still safe with additional features added on top of it.

1 Like

It will definitely be a benefit to the protocol to get this audit in. The scope makes sense as does the timeline.

1 Like