Quantstamp Retainer Proposal for Ongoing Audits

Summary
Quantstamp, Inc. proposes a Security Partnership in the form of a Retainer Agreement to the Venus protocol. This partnership will consist of ongoing security assessment services, as detailed by the terms set forth in this proposal. Under this agreement, these services are aimed at continuously enhancing the security of Venus’s codebase, ensuring sustained protection and improvement over time.

Quantstamp will provide Venus with 10 audit weeks worth of audit credits that may be used at any point during the year for auditing purposes. Each engagement in this retainer will be staffed with four (4) auditors and includes fix reviews and an in-depth review of both smart contract- and protocol-level security. The total cost is $130,000, which will be paid in four monthly installments of $32,500 in USDC from the Venus Treasury, with the first to be paid at the start of March 2024.

About Quantstamp
Quantstamp is a global leader in blockchain security, on a mission to secure the future of web3. As a global team of security professionals, Quantstamp has honed our expertise by auditing hundreds of leading projects and serving as a trusted advisor for startups, governments, NGOs, and the private sector, performing more than 700 audits and securing over $200 billion in digital asset risk from hackers to date.

Quantstamp’s technical team consists of Ph.D. graduates in computer science and mathematics with extensive industry experience. Their academic background in formal methods and information security makes them well-equipped to read and understand algorithms, making them capable of diving into mission-critical situations. With years of experience developing security analysis software and peer-reviewing papers, the team has secured mission-critical infrastructure for multiple blockchains, including Ethereum 2.0, Solana, BNB Chain, Avalanche, Cardano, and Flow, among others. Notable customers and partners include Visa, Toyota Financial, Sequoia Capital, Pantera, ParaFi, Opensea, Chainlink, and MakerDAO.

Partnership Scope
Quantstamp will provide the resources needed to perform ongoing security assessments of Venus’s codebase(s). If issues are found, Quantstamp will provide findings and options for Venus’s consideration as well as assistance to rewrite the code. Venus will be responsible for providing access to personnel, content, resources, systems, and information (including any consents, authorization, or licensing) as may be needed by Quantstamp to perform the activities under this partnership.

Each distinct engagement under this partnership will be staffed with four (4) auditors, allocated by Quantstamp for the execution of the task. Quantstamp will guarantee a minimum of two (2) returning auditors for each new engagement to maintain consistency and familiarity with Venus’s codebase. Venus is required to notify Quantstamp a minimum of ten (10) business days in advance of the desired commencement date for each audit. Quantstamp will endeavor to meet Venus’s timeline preferences; however, it must be noted that an exact start date cannot be guaranteed due to scheduling constraints and resource availability. Upon completion of each engagement, Quantstamp will provide Venus with a final report, which may be made publicly available upon Venus’s request.

Methodology
The primary goal of a security audit is to identify security vulnerabilities and concerns. It is expected that the code already reaches production-level quality, but the audit will still point out issues even if this is not the case, and recommend improvements that will raise the quality. The security audits will be conducted using the following methodology:

  1. Quantstamp assigns four (4) auditors, one as the lead, to conduct a security audit of the code base.
  2. Each auditor performs an independent, in-depth review of the code, assessing best practices, performing static analysis, and evaluating external dependencies.
  3. The auditors communicate with the Venus team as necessary throughout the audit process.
  4. The audit lead compiles the notes into an audit report, which is reviewed by the audit team before being delivered to the Venus team.
  5. If necessary, the audit team works with the Venus team to explain findings from the report.
  6. If the Venus team fixes any findings from the report, the audit team repeats the whole process starting from step one (1).

Our current planned list of audit priorities can be found below. Please note that these are subject to change as we continue to coordinate priorities set by the Venus protocol team:

  • Time-based contracts, needed for the deployment of Venus to Arbitrum or other networks where the block rate is not constant.
  • Multichain governance, needed to allow Venus Governance to execute privileged commands on the new networks (Ethereum, opBNB, Arbitrum, Polygon zkEVM, etc.).
  • wstETH oracle, needed for the deployment of the Liquid Staked ETH pool to Ethereum.
  • Cross-chain synchronization of the XVS voting power, taking into account the XVS staked in the vaults deployed to the different networks.
  • Seizure of XVS rewards, allowing Venus Governance to seize XVS rewards from accounts such as the BNB bridge exploiter.
  • VAI compatibility with Isolated Pools, needed to deploy VAI to more networks.

Payment and Schedule
This agreement is structured as a 1-year retainer. For the duration of this period, Venus will be allotted 10 audit weeks (400 audit hours) that may be used at any time for auditing and security services and will be billed upfront. This arrangement ensures a consistent and thorough evaluation of the security aspects of Venus’s codebase over the agreed timeframe. Audit weeks not utilized within the first year are eligible to be carried over to the following year, with an expiration date of December 31, 2025.

Quantstamp will charge $130,000 in total for the security services provided above. This will be paid in four monthly installments of $32,500 in USDC from the Venus Treasury, with the first to be paid at the start of March 2024.

Terms & Conditions
By approving this proposal and proceeding to make payment of the fees to Quantstamp, Venus agrees to the Quantstamp, Inc. Terms and Conditions.


Strong partnership, further enhanced security. Quantstamp is an excellent auditing company.

Safety is the most important for us, good move. :+1:

Good job, audit is important

It sounds like a good deal, I will vote for it!

Venus should not skimp on security. To maintain our leadership position, we must care about the users of the protocol. I’m all for it.

A good option to keep making Venus a flagship protocol!

Safety is the most important thing for the Venus protocol.

Security is the priority. I will vote for this proposal!

There is no stepping back when it comes to security.

Security is important.
It is a good idea to hire a variety of organizations with a proven track record for auditing.
I think hiring Quantstamp is one of the best ways to do this.