Pooltogether v5 is scheduled to launch next Thursday, Oct 19th. This new version is inspired by Hyperstructures The key properties such as unstoppable and permissionless are commendable.
At that date, launch means deploying various smart contracts both on Ethereum mainnet and L2 Optimism - please correct me if I am wrong in the list below
On mainnet, 4 smart contracts from this repo https://github.com/GenerationSoftware/pt-v5-draw-auction/tree/main/src. See Ethereum goerli https://dev.pooltogether.com/protocol/next/deployments/testnet/#ethereum-goerli
The PrizePool contract https://github.com/GenerationSoftware/pt-v5-prize-pool/tree/main/src
The prize vault and one factory for various assets https://github.com/GenerationSoftware/pt-v5-vault/tree/main/src
The twab controller https://github.com/GenerationSoftware/pt-v5-twab-controller/tree/main/src
Contracts for liquidations
Contracts for claimimg
Contracts for booster (should be postponed in my opinion)
These contracts have been audited in July and August in code4arena GitHub - code-423n4/2023-07-pooltogether and GitHub - code-423n4/2023-08-pooltogether. One other audit by a private firm has also been done.
A proposal from hats.finance has been made recently for another audit
Now the solidity code of the contracts above has seen changes since the relevant commits of the audit. Mainly because of the security findings from the audit competition. But for other reasons also. Some identified medium vulnerabilities still remain AFAIK, see eg M-22 Unmitigated · Issue #96 · code-423n4/2023-08-pooltogether-mitigation-findings · GitHub
I believe pooltogether deserves its contracts to be audited one last time, on the final commit bedore deployment for each repo.
Timing is short until launch date next week, postponing is difficult, big party with world class DJs is planned.
Money seems short, apparently no help from Grant team may be asked but we can call for poolers to lend the money. Or use retroactive grant maybe. Or something else. Anyway no money is spent if there are no findings!
With swift action and partnering with hats.finance or not, we can do it!
We may probably reduce the scope of the audit to just contracts from points 1. and 2. above. I will try to compute some data on the number of changes since last audit in the associated solidity files very soon.
Question for @sombrero : do you require the ERC20 tokens to your vault to be something specific? from one address? How much money for the vault do you need - I believe it is a proportional to the number of solidity line? How much time of a solidity engineer from pooltogether do you expect for the setup of the audit on the one hand and the classification of the possible findings on the other?