Summary
Back to Medium Spender
Rejected
Requested:
97.00K DOT
#67 Security Audit of trustless Ethereum 2.0 Light Client, developed as a Substrate Pallet
Description
AI Summary
Votes Bubble
Timeline
Evaluation
On Chain Info
Stats
t3rn has developed a trustless Ethereum 2.0 light client as a Substrate Pallet, compatible with all Dotsama Parachains, for the benefit of the Polkadot Ecosystem. t3rn’s parachain will have the Ethereum 2.0 light client pallet installed on Polkadot and will be available via an accessible API; our portal precompile interface simplifies integration with smart contracts, enhancing process automation.
The clients standard pallet interface streamlines blockchain interactions, reducing technical difficulties and boosting efficiency. Lastly, through the use of the t3rn protocol, we facilitate secure and convenient cross-chain transfers and swaps, broadening the reach of blockchain operations.
Having developed the pallet, we are seeking support in covering the auditing costs, ensuring utmost security, before pushing our product to market.
Please view the full proposal here
Show More
Please Log In to comment
Users are saying...
Based on all comments and repliesOverall 42 % of users are feeling optimistic. Oak Security has granted auditors access to their private repo and is awaiting confirmation of readiness for an audit. They plan to continue unit functional testing and increase test coverage while open-sourcing code documentation alongside security audits results. Additionally, they are considering ongoing monitoring of light client upgrades over time due to anticipated hard fork updates in Eth2.
Overall 57 % of users are feeling neutral. A project seeker is inquiring if their code is open source and requesting a link to share it, while another participant suggests amendments for a proposal submission, including detailed testing methods, resource allocation, experience with ETH2.0 Light Clients audits, and considering the Polkadot Assurance Legion bounty program.
AI-generated from comments
6Comments
0%
0%
100%
0%
0%
12q7...87jL
Is ze code open source? If so can share link pls
12bM...P5F4
The private repo has been made accessible to the auditors cited in the proposal and we are more than happy to have then confirm this.
However, we don't believe it makes sense to open source the project prior to auditing. Other than that, the pallet is deployed to Rococo and there are screenshots of the working code in the proposal itself.
Happy to answer any other questions you may have
(Edited)
I would be curious to see the maturity of the code to better understand if it is ready for a security audit. Does the code have the following characteristics:
- Commented code
- Are all TODO's/FIXME's removed
- Is there supporting documentation
- Are functions named coherently
- Do you have a full test suite including fuzz tests
Also, have you considered running this through the Polkadot Assurance Legion?
12bM...P5F4
thanks for the heads up, happy to get connected with Polkadot Assurance Legion, you can reach me on Telegram if you would like to discuss further
The most important parts of eth2 light client are all unit tested with >80% coverage of the codebase, and the status quo as outlined in a proposal:
- continue unit + functional testing and increase test coverage.
- code + docs will be open sourced and published alongside with the security audits results. It's safe to assume more bugs will come out during the following QA + audit phases
Here is a link to the Discord https://discord.gg/k5d26T7JMM
12Qz...hT1m
Hi, community! We are Oak Security, one of the auditor firms mentioned in the proposal. Our public audits reports can be found here: https://github.com/oak-security/audit-reports Given some of the questions, we would like to clarify the following:
- We have been provided with access to the source code
- We have performed a pre-audit validation of the source code and deem it ready for audit within the timeframe provided by the team
- We have previously worked with the team and have provided them with security advisory to ensure smooth audit preparation and full readiness in line with our guidelines
- All findings will be made public at the end of the audit
We hope this clarifies the questions.
1EHR...L2c8
(Edited)
If the assurance legion bounty doesn't take care of you (it may be outside their scope), we'll vote aye on a repost. But please also resolve/handle some/all of the issues mentioned by Taylor. Thanks
12bM...P5F4
@5CHzH9A3gYs7DJdgVRHG7gKgzqpb1yTV8E2CtV3NT7R59Ya7
I will certainly provide you with updates on the ongoing discussions with PAL.
Considering the significance and past achievements of the Eth2-Polkadot bridging solutions, it would be beneficial to include at least two experienced auditors to review the combination of Substrate, Eth2, and Solidity. There are several hard fork updates anticipated for Eth2. As such, it would be ideal if we could arrange for ongoing monitoring of the light client upgrades over an extended period.
Issues previously raised by Taylor have been addressed and resolved before launching this referendum.
The functional version of the light client for Sepolia (an Eth2 testnet) is accepting the latest headers on t0rn's testnet parachain on Rococo(-> ethereumBridge pallet on PolkadotJS explorer) and available to test it for any event or transaction inclusion validation by using the most recent data from Sepolia available at Sepolia Etherscan.
Thank you for reaching out and happy to provide more context where needed
15aS...xNK3
(Edited)
If this doesn't pass, I would encourage you to resubmit this proposal with some amendments:
- Submit a smaller proposal that only covers the first audit and fund a portion such as 5-10% yourself towards the audit. This way you also have some skin in the game.
- Work with Oak to Include the statement of work and test plan for the audit as currently scoped. Your current proposal does not go into much detail about what will be tested and how. i.e. - static analysis, manual review, fuzzing, formal verification? How many resources are you provided and what is the length of the engagement? Does Oak Security have experience auditing other ETH2.0 Light Clients?
I think with those changes and adding further information. you'll be in a much better position to get this passed.
Cheers,
-0xTaylor
12bM...P5F4
@0xTaylor__ Both OAK and Halborn employ the mentioned techniques - static analysis, manual review, fuzzing, and formal verification. That being said, it's a fair point that we could have provided a more detailed breakdown of the auditing processes.
Anyways, thanks @0xTaylor for advise + feedback here. 3 more days here until we know the results, we will evaluate and decide our next steps from there 🤞
15uQ...hq6w
Hello,
We are in the process of validating a true need for a service to assist teams with crafting and completing successful treasury proposals, so they can focus on building. We would love to hear about your experience with this proposal. If you are willing to take a few minutes, please fill out this form about your experience with the OpenGov treasury proposal process: https://forms.gle/MwDij4adXEQd7Um79
Feel free to leave out any details that your team is not comfortable with sharing, but the more info you can provide, the better we will be able to assess the potential need for our services.
For more info, follow us on Twitter/X: https://twitter.com/OpenGovAssist
Discover similar proposals
Medium Spender
#1526 SQD (fka Subsquid) - Public Data Indexing Infrastructure for Polkadot and Kusama ...
13bf...tdoE
Summary
Proponent: Subsquid Lab Official - 13bfKSQXoBn3AMLtZaW6BKv797fqZzsD3PYF6xpJDir3tdoE Beneficiary: Subsquid Lab Official - 13bfKSQXoBn3AMLtZaW6BKv797fqZzsD3PYF6xpJDir3tdoE
Contact Details: Subsquid Labs GmbH 6300 Zug, Switzerland mf@subsquid.io
Short description: Ongoing development and maintenance costs for public SQD Archives
Archive raw data: Archive Infrastructure Metrics - July, August, September
Requested: $310,592.98
Previous proposals: https://polkadot.polkassembly.io/referenda/1447
Motivation
A) Archives
Archives are an important piece of Polkadot and Kusama data infrastructure provided by SQD (formerly Subsquid). They provide access to on-chain data for public chains in the Polkadot ecosystem. They are being used as a data source for Squids and for efficient data exploration and ad-hoc queries. The Archives, as performant data sources of historical on-chain data, are critical to the operation of backend APIs run by major projects in the Polkadot ecosystem.
Popular Polkadot dApps and projects that depend on SQD include the following:
- Tanssi Network
- Talisman Wallet
- Polimec
- Polkassembly
- Apillon
- Hydration
- Giant Squid API (maintained by LimeChain)
- SubWallet
- FiDi
- KodaDot
- RMRK
- ChainSafe (in particular the Multix multi-sig, as well as other projects)
- Phala Network
- Stellaswap
- Polkascan
Since the beginning of 2024, SQD has transitioned to a paid model for supporting parachains. However, public chains continue to be available for free use. Throughout the Q3 of 2024, we provided a free public data indexing service for Substrate blockchains, allowing interested parties to access indexed data on Substrate Events, Extrinsics, Storage Items, and EVM logs. Below is a list of the public chains we currently support at no cost:
- polkadot
- kusama
- asset-hub-kusama
- asset-hub-polkadot
- bridge-hub-polkadot
- collectives-polkadot
- rococo
- westend
B) Contribution
During Q3 2024, we addressed real-world use cases that were highly requested by the community:
- Supported Substrate extrinsic v5, enhancing compatibility for newer Substrate-based chains.
- Updated squid templates to the new data decoder interface.
Achievements
Increase in Archival Data Demand and Infrastructure Scaling
During Q3’24, archival data demand increased approximately 3.6 times, from 3,265 GiB in Q2 to 11,713 GiB in Q3. We addressed the increasing demand for archival data by enhancing our infrastructure's throughput and redundancy through deploying archives to OVHCloud in addition to GCE, while also empowering our maintenance and engineering teams to support the expanded infrastructure effectively.
Decentralization of the SQD Network Enhancing the Polkadot Ecosystem:
In Q3’24, we continued to empower the SQD Network, driving forward our mission to strengthen the Polkadot ecosystem’s decentralization and resilience. By the end of the quarter, the SQD network had grown to include 1139 active Worker Nodes, securely storing 574TB of data and serving approximately 11TB of data per day. This expanding decentralized infrastructure enhances data processing and storage capabilities, delivering increased security, fault tolerance, and scalability for the Polkadot network.
Statistics and data
Over the course of Q3 2024:
- Served a total of 12,576,410,498,732 (~11.44 TiB) of data from the substrate based archives.
- Served 979,736 archive requests from substrate based archives.
- The highest daily total data transfer recorded for Substrate was 375.57 GiB within a single 24-hour period (2024-09-19).
Costing
This proposal encompasses the combined costs for running Archives for Polkadot, Kusama, and other public chains, along with the development contributions, amounting to a total of $310,592.98.
Raw data for Archives can be seen here.
The proposal is submitted towards the Polkadot treasury. Here is a summary of the running costs for Archives, in a tabular format:
Contribution costs:
See More
Deciding