PTIP-16: C4 Audit Contest

PTIP-16: C4 Audit Proposal

This proposal will fund a Code Arena (C4) contest to audit the critical components of the PoolTogether codebase as well as new yield sources.

The audit is tentatively scheduled for June 16, but it’s first-come first-served so it depends on how quickly we can run this PTIP.

Abstract

This proposal will transfer 72k USDC to the C4 team to fund the contest.

Motivation

PoolTogether is continually evolving and expanding. New smart contracts are being written and existing contracts are updated. With these changes comes significant risk. Any smart contract that holds or has access to user funds is mission critical and must be scrutinized before being deployed. Scrutiny must come from someone with deep knowledge of the relevant protocols as well as an understanding of smart contract attack surfaces. Auditing firms specialize in this knowledge, so they are extremely valuable in de-risking smart contracts.

The core PoolTogether codebase has received third party audits from both OpenZeppelin and Diligence. Both are great firms, and we’ve had positive experiences with them. However, auditing firms are in short supply and lead times are now very long. Additionally, our protocol has a steady stream of new smart contracts that need to be audited. The classic ‘waterfall’ model of auditing the entire system in one shot no longer fits our process. We also need an auditing firm that is willing to deal directly with protocols.

Specification

Overview

This PTIP funds the first C4 auditing contest for PoolTogether. The scope of this contest includes several of the critical core PT contracts, as well as yield sources:

Core PoolTogether contracts:

Yield sources:

Code Arena has scoped the contest and recommends a 50-70k USD prize pot. We’re going to put up 60k USDC for prizes, and allocate 10k of the pot to optimizations. C4 takes 20% on top of the prizes to cover the cost of judging and administration. That makes the total 72k USDC.

Rationale

Code Arena takes a community-driven approach to competitive smart contract audits. A contest is created for a codebase; there is a pot of funds for exploits, and another for optimizations. Anyone can privately submit exploits to the contest and a skilled expert, the “judge”, curates the exploits into a final audit report. The prizes are split among all who contributed to the audit report. This has some major advantages:

  • Less resource-constrained
  • Builds a knowledgeable community around participating protocols

To bootstrap the C4 community’s knowledge of PoolTogether, we should start with a comprehensive up-front audit. Once the knowledge has been seeded, we can start running more frequent flash contests; wherein a small piece of code (think: yield source) can have a short, dedicated contest. I think this would be a great fit for our iterative process.

Ideally, flash contests can be funded by the PT Grants Committee.

Technical Specification

USDC.transfer(0xC2bc2F890067C511215f9463a064221577a53E10, 72000000000)

  • Yes, let’s audit our protocol!
  • No, let’s not audit anything


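The technical specification above is a single ERC-20 `transfer` call, and the amount is expressed in USDC base units (USDC has 6 decimals, so 72,000 USDC is 72000000000). Before voting, a practitioner would want to confirm that the calldata actually queued on chain encodes exactly that recipient and that amount. The following is an added example, not code from the PTIP or the PoolTogether codebase, that ABI-encodes the proposal action and decodes it back for comparison against the figures in the text. The only external constant it relies on is the well-known `transfer(address,uint256)` selector `0xa9059cbb`; the function names are the example's own.

```python
# Added example (not from the PTIP or PoolTogether): build and decode the
# ABI calldata for the governance action
#   USDC.transfer(0xC2bc2F890067C511215f9463a064221577a53E10, 72000000000)
# so a voter can check the queued action moves the amount the proposal text claims.
from decimal import Decimal

USDC_DECIMALS = 6
RECIPIENT = "0xC2bc2F890067C511215f9463a064221577a53E10"  # address from the PTIP
# First 4 bytes of keccak256("transfer(address,uint256)"); standard ERC-20 selector.
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")


def to_base_units(amount, decimals=USDC_DECIMALS):
    """Convert a human-readable token amount (e.g. 72_000) to integer base units."""
    scaled = Decimal(str(amount)) * (Decimal(10) ** decimals)
    if scaled != scaled.to_integral_value():
        raise ValueError("amount has more precision than the token supports")
    return int(scaled)


def encode_transfer(to, amount_base):
    """ABI-encode transfer(address,uint256): selector + two 32-byte words."""
    addr = bytes.fromhex(to[2:].lower())
    if len(addr) != 20:
        raise ValueError("address must be 20 bytes")
    if not 0 <= amount_base < 2**256:
        raise ValueError("amount out of uint256 range")
    return TRANSFER_SELECTOR + addr.rjust(32, b"\x00") + amount_base.to_bytes(32, "big")


def decode_transfer(calldata):
    """Decode transfer(address,uint256) calldata; returns (to, amount_base).

    Rejects anything that is not exactly selector + 64 bytes, and rejects
    non-zero bytes in the address padding, which a strict decoder should not accept.
    """
    if len(calldata) != 4 + 64 or calldata[:4] != TRANSFER_SELECTOR:
        raise ValueError("not a transfer(address,uint256) call")
    if any(calldata[4:16]):
        raise ValueError("address word has non-zero padding")
    to = "0x" + calldata[16:36].hex()
    amount = int.from_bytes(calldata[36:68], "big")
    return to, amount


def check_proposal_action(calldata, expected_to, expected_amount):
    """True iff calldata transfers exactly expected_amount (human units) to expected_to."""
    to, amount = decode_transfer(calldata)
    return to.lower() == expected_to.lower() and amount == to_base_units(expected_amount)


if __name__ == "__main__":
    data = encode_transfer(RECIPIENT, to_base_units(72_000))
    print(data.hex())
    print("matches proposal text:", check_proposal_action(data, RECIPIENT, 72_000))
```

Run against calldata pulled from the governance contract rather than from this script, the check catches the usual mismatches: a recipient that differs from the one in the proposal text, an amount off by a power of ten because decimals were misread, or trailing bytes appended to the encoded call.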

I know this isn’t a best practice but could I request this PTIP also move the remaining USDC into sponsorship of the USDC prize pool? Otherwise that USDC is sitting idle.


That would set a precedent, wouldn’t it?

If there are a group of PTIPs that aren’t contentious, we could certainly bundle them.

This is kind of interesting…I believe the cleanest thing to do is create a separate PTIP for the USDC sponsorship to first prove it’s not contentious.

Once we establish both aren’t contentious, then we can have a combined vote to save gas.

How does that sound?


Fully in support of this PTIP. Let's get it on chain ASAP.


Also support the proposal. The reports created by C4 are of very high quality. Good point to potentially fund flash contests through Pool Grants!


Retrospective

The C4 Auditing Contest was a big success! The auditing contest included several core contracts and yield sources contributed by the community. You can see the full scope of the audit here.

Over the past month the PoolTogether Inc. team has been working on the issues found in the C4 Contest. The competition revealed over 130 bugs and optimizations, but did not find any issues concerning the safety of user funds. Funds are SAFU! Only one major bug was discovered in our live code, which allowed users to withdraw from the pool without paying exit fees. This bug has been fixed in the builder and a patch is being deployed in PTIP-29 for older governance-managed pools.

The quality and depth of the audit was impressive; especially for such a nascent group. PoolTogether is thrilled to partner with Code 423n4 to continue growing the security community.

See the full list of issues here (will soon be public).


Quick note @Brendan - the last link (on the full issue set) doesn’t seem to work. But very glad to hear the scope of the audit and what it uncovered!

Yes, I’m pleased too! And thanks for the heads up. The link is valid but they haven’t made the repo public yet. They will within a few days, I believe.