Quantstamp Retainer Renewal for Ongoing Security Audits

Summary

Quantstamp, Inc. proposes to the Venus protocol a renewal of the current Security Partnership in the form of a Retainer Agreement. This partnership will consist of ongoing security assessment services, as detailed by the terms set forth in this proposal. These services are aimed at continuously enhancing the security of Venus’s codebase, ensuring sustained protection and improvement over time.

Quantstamp will provide Venus with 450 hours’ worth of audit credits that may be used at any point during the year for auditing purposes. Each engagement in this retainer will be staffed with a minimum of two (2) auditors and includes fix reviews and an in-depth review of both smart contract- and protocol-level security. The total cost is $130,000, which will be paid in four monthly installments of $32,500 in USDT or USDC from the Venus Treasury, with the first to be paid at the start of June 2025.

About Quantstamp

Quantstamp is a global leader in blockchain security, on a mission to secure the future of web3. As a global team of security professionals, Quantstamp has honed its expertise by auditing hundreds of leading projects and serving as a trusted advisor for startups, governments, NGOs, and the private sector, performing more than 1100 audits and securing over $200 billion in digital assets against hackers to date.

Quantstamp’s technical team consists of Ph.D. graduates in computer science and mathematics with extensive industry experience. Their academic background in formal methods and information security makes them well-equipped to read and understand algorithms, making them capable of diving into mission-critical situations. With years of experience developing security analysis software and peer-reviewing papers, the team has secured mission-critical infrastructure for multiple blockchains, including Ethereum 2.0, Solana, BNB Chain, Avalanche, Mantle, and TON, among others. Notable customers and partners include Visa, 1inch, Ethena, Blockdaemon, Trust Wallet, and Pantera.

Partnership Scope

Quantstamp will provide the resources needed to perform ongoing security assessments of Venus’s codebase(s). If issues are found, Quantstamp will provide findings and options for Venus’s consideration, as well as assistance in rewriting the affected code. Venus will be responsible for providing access to personnel, content, resources, systems, and information (including any consents, authorizations, or licensing) as may be needed by Quantstamp to perform the activities under this partnership.

Each distinct engagement under this partnership will be staffed with three (3) auditors by default, unless a different number is specifically requested for a particular engagement. Quantstamp will guarantee a minimum of two (2) returning auditors for each new engagement to maintain consistency and familiarity with Venus’s codebase. Venus is required to notify Quantstamp a minimum of ten (10) business days in advance of the desired commencement date for each audit. Quantstamp will endeavor to meet Venus’s timeline preferences; however, an exact start date cannot be guaranteed due to scheduling constraints and resource availability. Upon completion of each engagement, Quantstamp will provide Venus with a final report, which may be made publicly available upon Venus’s request.

Methodology

The primary goal of a security audit is to identify security vulnerabilities and concerns. It is expected that the code already reaches production-level quality, but the audit will still point out issues even if this is not the case, and recommend improvements that raise its quality. The security audits will be conducted using the following methodology:

  1. Quantstamp assigns three (3) auditors, one as the lead, to conduct a security audit of the code base.
  2. Each auditor performs an independent, in-depth review of the code, assessing best practices, performing static analysis, and evaluating external dependencies.
  3. The auditors communicate with the Venus team as necessary throughout the audit process.
  4. The audit lead compiles the notes into an audit report, which is reviewed by the audit team before being delivered to the Venus team.
  5. If necessary, the audit team works with the Venus team to explain findings from the report.
  6. If the Venus team fixes any findings from the report, the audit team repeats the entire process starting from step one.

Our current planned list of audit priorities can be found below. Please note that these are subject to change as we continue to coordinate with the priorities set by the Venus protocol team:

  • Cross-chain synchronization of the XVS voting power, taking into account the XVS staked into the vaults deployed to the different networks
  • Governance Proposers: allow authorized accounts to propose Venus Improvement Proposals, even without the required amount of XVS delegated to them
  • Flash loans: allow users without collateral to borrow assets from Venus markets, repaying them in the same transaction
  • Variable Liquidation Factors: optimize the variables considered during liquidations, to reduce the impact on the liquidated accounts

Payment and Schedule

This agreement is structured as a 1-year retainer. For the duration of this period, Venus will be allotted 450 audit hours that may be used at any time for auditing and security services and will be billed upfront. This arrangement ensures a consistent and thorough evaluation of the security aspects of Venus’s codebase over the agreed timeframe. Audit hours not utilized within the first year are eligible to be carried over to the following year, with an expiration date of June 30, 2027.

Quantstamp will charge $130,000 in total for the security services provided above. This will be paid in four monthly installments of $32,500 in USDT or USDC from the Venus Treasury, with the first to be paid on June 1, 2025, and the fourth and final payment to be made on September 1, 2025.

Terms & Conditions

By approving this proposal and proceeding to make payment of the fees to Quantstamp, Venus agrees to the Quantstamp, Inc. Terms and Conditions.


Renewing the retainer with Quantstamp makes sense — ongoing audits are essential for maintaining security and user trust, especially as Venus continues to expand across multiple chains. I support continuing this partnership to ensure the Venus protocol remains robust and protected against emerging risks 🙂
