Proposal #25: Code 423n4 (Arena) Audit - Bug Bounty #2

Summary

This proposal is for the purpose of engaging Code Arena (Code 423n4) to audit the Tracer Perpetual Pools contracts as a bug bounty. Code 423n4 offer a “community-driven approach to competitive smart contract audits”. They have also previously provided a bug bounty audit for Tracer’s Perpetual Swaps contracts as per the EOI, operations post and the reimbursement proposal. In addition to Sigma Prime’s audit, this initiative accords with Tracer’s vision for deploying impenetrable smart contracts.

The audit is running for a total period of one week starting from 6/10/21 - 2:39pm UTC time. Prior to the audit, everyone wishing to participate in the audit should join the C4 Discord channel to register their address as per the documentation here: Become a Code 423n4 Warden. View the countdown for the Tracer contest to begin here: Code 423n4. There will be a total of $30,000.00 USDC & $20,000.00 (USDC equivalent) TCR offered in the prize pool for bugs found in the Tracer Perpetual Pools contracts as per the criteria here: Judging Criteria.

Please share with anyone who would be interested in auditing the Tracer contracts in return for USDC.

Mycelium has already paid the required deposit of $6,000.00 USDC for the bug bounty. If successful this proposal will action to have Mycelium reimbursed by Tracer DAO in addition to funding the award pool.

Growth Fund Allocation

Included in this proposal is a $20,000.00 (USDC equivalent) TCR payment for winners of the bug bounty. As per the Tracer Growth Fund proposal, the bug bounty TCR payment sits within the remit of initiative 1 within Deliverables as a Service Provider:

  1. 80,000,000 TCR (8%) new Service Providers and contractors and employees of existing Service Providers.

Mycelium has already paid the required non-refundable deposit of $8,000.00 (USDC equivalent) TCR. An additional $20,000.00 (USDC equivalent) TCR payment is also required for the bug bounty award pool. Once the Growth Fund is live, the decision to reimburse Mycelium sits within the remit of the Growth Fund Managers. Thus, if this current proposal is successful, it will only trigger the reimbursement of $6,000.00 USDC to Mycelium in addition to $30,000.00 USDC (or equivalent) being used to fund the award pool.


Remuneration

For the provision of these services, the following remuneration package is proposed:

  1. $6,000.00 USDC (or equivalent) to reimburse Mycelium for the non-refundable deposit.
  2. $30,000.00 USDC (or equivalent) to fund the bug bounty award pool.

Deliverables

If engaged by this DAO proposal to provide the services described in this Offer to the DAO, Code 423n4 will commit to provide the following deliverables:

  1. An Audit of the core Tracer Protocol perpetual pools codebase at https://github.com/tracer-protocol/perpetual-pools-contracts

This audit will be community driven and aim to locate bugs, exploits and security concerns throughout the protocol code.


Variation and Termination

  1. Code 423n4 acknowledges that, if engaged, its engagement can be varied by future proposals.
  2. Code 423n4 expects that any engagement will be terminated if they fail to deliver in accordance with the deliverables specified above.

Conflicts of Interest

In the context of the Tracer Project, conflicts of interest include:

  1. Existing Service Providers who are Related Parties; and
  2. Existing (vested and unvested) holdings of TCR tokens.

Code 423n4 wishes to declare the following conflicts of interest:

  1. No conflicts of interest to declare.

Interpretation

Unless otherwise defined in this offer, all terms beginning with a capital letter which are defined in the Participation Agreement have the same meaning unless the context otherwise requires.

If this offer is accepted as a proposal under the Participation Agreement, Code 423n4 may more formally document aspects of that proposal.


Copyright Waiver

Copyright and related rights are waived pursuant to CC0.

Consensus check
  • Support proposal → push to Snapshot
  • Oppose proposal

1 Like

C4 are stellar!
Absolutely support this proposal 100%
For those not familiar with c4 and their approach to Smart contract security, I highly recommend spending some time to understand their model.
The C4 security researchers are comprised of auditors, developers, & individuals with domain expertise in the area of smart contracts. C4 comps help get more “eyes on code” which is something that traditional auditors are not able to offer in the same degree.

3 Likes

Here’s the last report on Tracer from C4. I was skeptical last time but the results speak for themselves. Voting for.

2 Likes

Proposal clarification

If the Snapshot proposal is successful, the following payments will be made to ensure the bug bounty service is paid for and all accounts are balanced.

  1. $30,000.00 USDC paid to Code 423n4 (Arena)
  2. $20,000.00 (USDC equivalent) TCR to Code 423n4 (Arena)
  3. $6,000.00 USDC (or equivalent) to reimburse the Mycelium payment
  4. $8,000.00 (USDC equivalent) TCR to reimburse the Mycelium payment.