Simple Summary
OpenZeppelin proposes a Security Partnership with the Venus protocol for performing security audits on retainer. As Venus’s trusted security partner, we will perform continuous security audits of Venus codebases and provide actionable feedback to help the team improve smart contract security. We offer a total of 24 weeks of security research time to be used over the next 6 months for audits as directed by the Venus protocol team, which includes fix reviews and a high-level analysis of current protocol security. The total cost is $554,400 to be paid in USDC on a quarterly schedule from the Venus treasury, starting with $277,200 at the start of Q3 2023 followed by the same amount at the start of Q4.
About OpenZeppelin
OpenZeppelin is a leading blockchain infrastructure security firm that performs security audits and provides developer tools for decentralized systems that power multimillion-dollar economies. OpenZeppelin has set industry standards for building secure, decentralized systems and has gained the trust of industry leaders including Coinbase, the Ethereum Foundation, Matter Labs, and the original Compound protocol. OpenZeppelin built and maintains the world’s leading open source library for smart contract development, with more than twenty million downloads and 200 contributors.
OpenZeppelin has already seen success in security partnerships with DAOs including Compound, which forms the backbone of the Venus Protocol codebase. We have already leveraged our existing expertise in lending protocol security to audit the SwapRouter and Oracles codebases for Venus in which we reported 25 total security issues. We see this proposal as the next step in growing our relationship with the Venus community and further improving overall security with a more continuous security model.
Partnership Offerings
Our security partnership consists of the following offerings.
Continuous Security Audits on Retainer
As Venus’s trusted security partner, we will do a continuous security audit of your codebases. Unlike individual audit engagements, our security researchers will be assigned to work on your project for the duration of this engagement. This provides scheduling flexibility, enhances auditor knowledge of your codebase and builds a more collaborative client-auditor relationship to produce better results. In addition to formal auditing, our team can offer security advisory on Web3 best practices to improve secure code development going forward.
We are offering a total of 24 security researcher weeks along with 12 days of fix review time, to be used over the next 6 months starting on June 28th and ending at the end of 2023. Audit time will be scheduled in coordination with the Venus protocol team, with a minimum of 45 days’ notice required for scheduling new audits. In order to use the booked slots effectively, we will need a preliminary version of the codebase 3 weeks in advance and the commit hash 1 week before the starting date; this is necessary to define the scope in advance. If Venus has remaining weeks at the end of the engagement and the Venus protocol doesn’t have anything to review, the weeks will not be rescheduled for the future and will be deducted from the package even though they have not been used (this term is required in order to book our time in advance).
Our currently planned audit priorities are listed below. Please note that these may change as we continue to coordinate with the Venus protocol team on its priorities:
- New Liquidator contract
- Diamond Comptroller
- Automatic allocation of income and Prime contract
- Collecting needed tokens and Shortfall handling
System Security Analysis
OpenZeppelin will perform an overall review of your existing smart contract design, security infrastructure and processes to help improve the overall security of your currently deployed system. Upon completion we will deliver a detailed report that provides feedback on your system design, access control, and team processes, with recommendations for improvements and for addressing potential security shortcomings. This offering is recommended as a prerequisite for other long-term engagement offerings, giving our team the opportunity to understand your security needs and system architecture and to maximize the value you receive from our subsequent audits.
We are offering our System Security Analysis service at no additional charge; it is estimated at 2 additional security researcher weeks.
Payment Structure
OpenZeppelin will charge $554,400 in total for the security services provided above. This will be paid in two quarterly installments of $277,200 in USDC from the Venus Treasury, with the first to be paid at the start of July 2023. This will follow the same format as the prior proposal payment issued through VIP-120.
Terms & Conditions
By approving this proposal and proceeding to make payment of the fees to OpenZeppelin, Venus agrees to our DAO Terms of Service.