AGP: 18
Title: AN Security Partner (Authio)
Author: JackG (@ganejackS)
Status: Approved
Track: Finance
Created: 2018-01-09

AN Security Partner: Authio

Address of the transfer recipient

We request that funds be sent to the multisig 0x7c975dAb7a747786A24fa0114a144d263f12C0b2. This multisig will be used for the cold storage of received funds.

Amount of the transfer

  • $215k paid in DAI (or other stable assets)

Authio is intentionally opting not to request ANT. Such an incentive may pose, or appear to pose, a conflict of interest and impede an auditor's ability to conduct itself in an independent and objective fashion.

Number and frequency of transfers

  • $175k paid one time
  • $8k per week for 5 weeks

Purpose of the transfer

Summary

Authio is a security firm focused on mitigating security risk and technical debt for those building applications on the Ethereum Virtual Machine (EVM). Our commitment is to provide regular audits and reports on the security of the Aragon smart contract code base, with actionable feedback for developers and readable summaries for the broader Aragon community.

If approved by ANT vote, Authio Inc. and the Aragon Association shall enter into a master service agreement to execute the Trial Period Deliverables and to set criteria for continued engagement over an annual term (or terms).

Trial Period Deliverables include a Baseline Security Audit followed by ongoing support to Aragon development teams in the form of Rolling Audits for Aragon releases.

Period of Performance: Trial Period

  • Baseline Security Audit - 7 weeks, Jan. 24th - March 14th
  • Rolling Audits - 5 weeks, March 14th - April 18th

To ensure Authio can adapt to the emergent needs of Aragon’s developers, Authio requests:

  • Baseline Security Audit - One-time $175k in DAI (or other stable assets)
  • Rolling Audits - $8k in DAI per week for 5 weeks

Trial Period Deliverables

As Aragon Network Security Partner, Authio serves as an apolitical, independent auditing body whose responsibility is to the Aragon community first. This responsibility motivates many aspects of the deliverables, which are separated into two categories: (i) the Baseline Security Audit and (ii) the Rolling Audits and Reporting.

1. Baseline Security Audit (Est. 7 Weeks)

Reporting on the security of future Aragon releases depends on a Baseline Security Audit of the current Aragon release. By establishing a baseline, we can perform Rolling Audits that contribute to a historical record of Aragon's system. Additionally, the understanding gained from the Baseline Security Audit lets us fit the Rolling Audits to Aragon's existing development cycles, since that understanding is required to target the changes under evaluation efficiently.

Focus areas:

  • Deployment Process: Aragon's core system relies on a system of proxied contracts that implement the various Aragon applications. It is crucial to Aragon's on-chain infrastructure that these proxied contracts initialize correctly. Reviewing the current Deployment Process allows us to understand why that process should, or should not, change over time.
  • System Overview: Code reviews are more than just finding errors and bugs. The code produced by Aragon should behave in alignment with the intended product behavior and the user expectations set by the project. Developers may accidentally introduce misaligned behavioral artifacts into code. An independent audit serves to parse the exact language used in public communication about the code and to create an impartial, generally understood model (the System Overview) that the current codebase must adhere to at all times.
  • Assessment Criteria: Creating the System Overview will naturally formalize some of the criteria required to perform an audit. Upon receiving specifics of Aragon's upcoming release cycle, an analysis of the development process will significantly inform the structure of the audit itself. This structure maintains a set of Assessment Criteria: quantitative and qualitative metrics against which the code will be evaluated.
  • Reporting Strategy: Receiving access to Aragon's development communication channels and release schedule allows Authio to schedule Rolling Audits and reporting periods around releases, and to inform a development-milestone-based strategy for report content. The most effective Reporting Strategy produces granular, developer-focused feedback during intermittent patches and commits, supported by comprehensive, high-level summaries at minor and major releases.
  • Audit for Compliance: Finalizing the Assessment Criteria and Reporting Strategy prompts the final task in the Baseline Security Audit: the audit for compliance with the established criteria. The data points gathered here become the reference against which compliance is assessed in the Rolling Audits. The end of the task is marked by a public audit report, structured as described under Reporting Strategy.

2. Rolling Audits and Reporting (Ongoing)

As a fundamental component of the Aragon development release process, we will evaluate, on a rolling basis, progress made toward fulfilling the specifications contained in Aragon's public documentation. Given that technical requirements and documentation may change over time, the Rolling Audit process is only valid if it evolves to track those changes. Tracking them is crucial, as it provides insight into the effectiveness of the Assessment Criteria across Aragon projects over time.

Focus areas:

  • Deployment Process: Reviewing the previous reporting on the Deployment Process ensures that any changes to it are well understood.
  • Update Profile: As the audit profile is updated over time, and as Aragon's user base grows and its community matures, changes made to Aragon's system specification will be reflected in the historical audit profile. Each subsequent Rolling Audit will factor in changes made to documentation, project scope, published milestones, and more. These changes will be reflected through an update of the System Overview and Assessment Criteria.
  • Audit for Compliance: Finalizing updates to the Assessment Criteria and System Overview prompts the final task in each Rolling Audit: the audit for compliance with the established criteria. The end of the task is marked by a public audit report, the structure of which is described by the previously developed Reporting Strategy.

Requirements

  • AA shall provide development release schedules to Authio to coordinate the scheduling of Rolling Audits
  • AA shall provide the cooperation required to fulfill the Trial Period Deliverables

Team

Authio is a team based in the United States.

Security/Engineering Team

Operations Team

Organization Structure

  • A company incorporated in Delaware, United States

Recipient information

Organization

Name: Authio Inc. (see Delaware company registry)

Website: authio.org

Team member(s) who will be managing funds from this transfer

Name: Alexander Wade

Name: Luke Leitzman

License

Copyright and related rights waived via CC0.