The micro-sr25519 package, developed by Paul Miller as an extension to @noble/curves to support the Polkadot ecosystem, is now ready for the auditing phase. For this phase, Paul suggested going with a firm other than Cure53, as most of his work is audited by Cure53. So we (Edgetributor SubDAO) explored multiple auditing firms over the last couple of weeks and selected 3 firms for the final evaluation. We then reviewed the scopes and offerings of those 3 firms based on the backgrounds of the auditing researchers they offered, their experience, stack familiarity and total number of researchers proposed in the scope, Polkadot ecosystem familiarity, low-level JS/TS experience and cryptographic curves familiarity. Oak Security is the firm that turned out to be superior compared to the other offerings in this specific case. (If anyone wants to know more about the other firms or their offerings, feel free to reach out to us on Twitter.)
Previously approved development proposal: https://polkadot.polkassembly.io/referenda/1165
Detailed audit proposal: https://drive.google.com/file/d/1rdOtoEtgHXrJxX3lPu1khv8deEOcwKz3/view?usp=sharing
Paul is the founding developer behind the @noble packages, which are used by different web3 ecosystems. He is well known for his contributions via the @noble/curves and @noble/hashes packages, which are directly or indirectly used by the majority of modern web3 protocols, toolings and platforms, including even the forum you are currently reading this proposal on!
Oak Security GmbH provides security services in the web3 space, such as threat modeling, penetration testing, security audits, and fuzz testing while following a multidisciplinary approach in their services.
Based in Munich but operating worldwide, they currently draw on a pool of 52 highly qualified security engineers and researchers. They operate under two brands: the Solidified brand focuses on EVM-based blockchains, while Oak Security caters to a wider blockchain ecosystem, with departments focusing on the security of Rust and Go source code, low-level protocol security, and infrastructure security, which goes beyond the realm of traditional smart contract security.
Although many Polkadot ecosystem tools and products have already started adopting the micro-sr25519 package, Paul Miller himself advocated getting the package audited before using it in any production deployments. Currently there is an open pull request to switch from @polkadot/wasm-crypto to the micro-sr25519 package in the PolkadotJS suite, for ecosystem-wide security and performance benefits.
What started as a quest to get a missing component required for our project developed has come a long way to benefit the whole Polkadot ecosystem. Edgetributor SubDAO, as the curator of this proposal, will be representing Oak Security in OpenGov and in other operational duties. Edgetributor SubDAO will be responsible for the custody of the USDC (in a multisig), which needs to be disbursed to Oak Security in the two mentioned phases. Oak Security also requires a legal entity to sign the contract, and for that purpose Edgetributor SubDAO will utilise the legal entity of the Edgeware DAO Association (a Swiss association) to save the costs and time required to involve PCF.
The entire amount corresponding to this proposal (except the refundable bridging buffer) will go to the auditing entity Oak Security. In this whole process, neither Edgetributor SubDAO, Edgeware DAO nor any Edgeware contributors are benefiting financially in any way. We are interested in exploring the BD bounty for our time and efforts contributed so far, especially for the screening of the auditing firms, the comparative analysis of their offerings and the follow-ups.
Budget distribution:
Notable terms:
Total: 34500 USDC
Multisig: 14XNJmoUzkvmh9cYoqG4axBRR4BWzWRbnFP79oiZgKu7V9bz
Threshold
Dear @Shankar | Edgeware DAO,
Thank you for your proposal. After initial discussion and research, we consider the Polkadot Assurance Legion (web, Twitter) bounty to be an appropriate source of funding for this proposal. We have contacted Valery (Twitter) from the bounty team for confirmation.
Therefore, our first vote on this proposal is NAY. Our impression is that the team's requirement to receive stablecoins can be addressed through the necessary adjustments to the EMA calculation applied by the bounty curators.
Please feel free to contact us through the links below for further discussion.
Kind regards,
Permanence DAO
Decentralized Voices Cohort IV Delegate
📅 Book Office Hours
💬 Public Telegram
🐦 Twitter