Background
As of now, the Anchor protocol has only received two audits early in this year from Cryptonics. Cryptonics have a poor reputation in the security audit space, most notably auditing pNetwork, who lost $12.7m USD of BTC in September. As Anchor is nearing $4bn TVL, it is important to test the robustness of Anchor's Rust contracts and, additionally, provide assurance to the community that funds in Anchor's contracts are safe from attack.
Having up-to-date audits of the Anchor protocol will ensure the long-term health of the platform and build a stronger image that Anchor is a safe haven for long-term UST savings. It is not acceptable that so few audits have been performed on the protocol.
Proposal
I propose that the Anchor protocol pays for 2 additional smart contract audits from reputable auditors such as CertiK or immunebytes to provide additional verification of the security of existing contracts. This will assure the community that the Anchor protocol is robust and protected against attacks and that the security of locked funds is upheld. Ideally, Anchor should also consider a continuous auditing schedule and agreement.
The criteria are an auditor who hasn't been REKT in the past and has a long track record of audits on Rust.
I agree with the expense; perhaps they don't need to be recurring. However, I believe Anchor is in desperate need of another audit. There is a lot of TVL.
This is something that I've been worried about as well, mainly the fact that security solutions haven't scaled with total TVL and the entire ecosystem.
It’d be great to hear your rationale behind selecting these organizations to do the work. Ideally I’d like it to be put together in the community via a DAO which is something I’m working on now.
Cream Finance just got hacked for over $130M. I think the community should definitely pay for another smart contract audit; if anything serious is found, it's cents on the dollar for us!
Agree. We need to get past the one-and-done mindset, or even the calendar-marked-tasks mindset, and move towards auditing as a continual service that constantly monitors, like Immunefi, which can scale continual auditing with TVL. This ensures an added layer of security, as continual audits have a dynamic response to real-time protocol usage changes and attack vectors. It also creates a deeper knowledge of the codebase to better sense attack signals.
The idea of this was to use a better auditor than Cryptonics. They have already audited Anchor and have been rekt in the past (pNetwork). Are there other (better) auditors we can use?
I just want to put some perspective here: Cryptonics (Oak Security) is one of the best when it comes to cosmwasm. We need to understand that Rust and cosmwasm are vastly different from solidity.
Also, perfect-track-record auditors, to my knowledge, don't exist for cosmwasm/rust. So do we really want the 1-2 solidity auditors with a perfect track record who lack the specialized rust/cosmwasm code base knowledge needed? Also, I would prefer a company that has even more intimate knowledge of our code base because they have done it before.
That said, here would be the other recommendation for a cosmwasm auditor. I will see if they are even available and if so get a quote: https://code423n4.com/
If I don’t hear back soon, I suggest we move forward with what @PFC put forward.
We probably need to decide this in short order, as we are holding the slot with them (not sure for how long), and it is already on the critical path for our 1.1 release.
Cryptonics is sketch af though. Their website is dodgy; it seems to be run by just 2 Spanish guys out of their homes. I don't trust them, particularly with this much capital at risk. ToB have a slot in April 2022, but I suspect this is too late...
This isn’t the first audit, and won’t be the last.
If ANC tokenholders decide ToB going forward, that’s great.
I'm just not sure how the governance feature allows 'A vs B' style voting ;-(