Approve Polkadot Assurance Legion Bounty
Requested bounty: 540,000 DOT
The subject of this proposal is to set up a bounty which will be used to help selected Polkadot parachains undergo rigorous audit procedures.
The primary goal of the proposal is to contribute to an overall greater level of security in the Polkadot ecosystem. Its secondary goal is to establish a pool of high-quality auditing companies specialized in Rust (specifically Substrate pallets and ink! smart contracts) which, over time, will help make audits more accessible for the whole Polkadot ecosystem, and make Substrate more attractive to new builders.
This proposal is brought forward by the Polkadot Assurance Legion (PAL) - a security governance club comprising the following parachain teams: HydraDX, Interlay, Astar Network, Manta Network, Acala, Centrifuge, Zeitgeist and Equilibrium.
Payouts via the bounty mechanism are open to any Polkadot parachain, subject to a set of eligibility criteria and a set of criteria for determining priority.
The bounty will be managed by 7 curators who are well known within the Substrate community for their expertise in Rust development and security.
Full proposal:
https://docs.google.com/document/d/1I1vXSG6mjeeulKmRbG4lrERtqVGwHNyDR9pVE4wSQvI/edit#heading=h.30vpm6dndo0i
Comments (13)
Proposal Passed
Summary
Aye: 0% (90 votes, 0.0 DOT)
Nay: 0% (74 votes, 0.0 DOT)
Support: 0.0 DOT
Hello team,
Question... Why should the relay chain's public funds be used to audit non-system parachains' code?
The onus should be on the individual parachains to prove to the relay chain public that their code is safe, and not the other way around... don't you think?
Please advise.
Thanks and best regards
Milos
Hi @gatotech, the parachain teams do pay for security audits, this would provide additional funding to get more auditor eyeballs on the vast amounts of code that secure this protocol. Also, note there is a stipulation that the code submitted for audit must be open source and thus reusable. As these are entirely new primitives (pallets/runtime logic), there is even more likelihood for reuse.
Lastly, it may not be apparent but part of my strategy with this program is to court security researchers to Polkadot through programs like Code4rena which will be invaluable to the success of this protocol.
What if a parachain does not want to subscribe to the PAL 'certification'? I am concerned that it creates a perceived standard that would deem parachains which didn't apply for an audit with PAL as unworthy and unsafe. If a potential parachain project forks one of the 7 curators' parachains and makes slight tweaks to what was implemented, and then successfully obtains a parachain lease, would there be any conflict of interest in allowing audits to happen for that new parachain? How would the conflict of interest be resolved in this case? Thanks!
@58a6e18d6427423d87ea03f37 hi, thanks for your question. To clarify, we are not providing a certification with this program. Audits in general do not provide a certification because they are time-boxed, point-in-time reviews of code and as such, there are other factors that can play into a security vulnerability.
While I don't know of a reason why a project would not want to participate in this program, if they so choose not to, that is their prerogative. Regardless of that, I think the public should base their confidence on how much the project cares about and focuses on security. If a project chooses not to audit their code, the public is probably justified in not trusting it. If they do their own audits with reputable firms, I don't see why they shouldn't have trust. Also, while most curators are part of an L1 blockchain, I am an exception as I do not work for any blockchain project. In fact, the other curators sought me out to join because of this fact and their interest in maintaining fairness and trust.
If a forked codebase was submitted to be audited here, I don't know why the original team would take issue as it would also help them (given the codebases are similar).