Security audit is a MUST!

Having followed and being a maker+staker, I strongly suggest we do a security audit. The liquidity is $2.69 M now, neither users nor team could bear such loss.
Auditing is an ongoing process, we could start with the most important part, e.g. contract/collateral of money in/out, then we complete the rest step by step.

21 Likes

hey @jindouyunz. we’ve been talking to open zeppelin and peckshield.

open zeppelin is really good, but it looks like they only do audit for ethereum smart contacts. we actually like peckshield a lot! not only they can audit for our ethereum bridge smart contracts, but they can also do audit for the incognito chain.

do you have any other recommendations?

10 Likes

Hi, very happy to see you considering that. I’m not an expert in this field. I heard of Trail of Bits many times, they give an audit on Monero last year. Someone recommend Certik. In China, Slowmist is very famous, if you’re interested, I could introduce.
Great job! Keep Moving!

4 Likes

yes, any intros are much appreciated! we hope to finalize the audit firm soon.

we hope to find one that can audit not just ethereum smart contracts but also have experience auditing large code base of a full blockchain with more than 1M lines of code like incognito. it would be best if they have cryptographers on their team who can audit our privacy code. also, ideally, they should have experience with auditing other PoS networks, especially those implementing sharding.

my email is [email protected] and my telegram is @duy_incognito if that’s more convenient for you to make the intro. thank you!

4 Likes

This seems like a good list of options to look into.

2 Likes

I recommend NOT using Kudelski. They did a poor job auditing a large golang blockchain code base for the company for which I work.

3 Likes

Thanks for your kind suggestion.

1 Like

Hey @duy, @andrey,

Is there any progress on this issue? As a rebel, I continuously promote the project in the crypto world in an honest way. The main concern of knowledgeable people is bridges. For example, one of the response to my comment was this: “the bank aspect of the project does present a bit of a risk, so it is important that the team takes the appropriate precautions. I do like the theory of being able to transform any standard crypto into a privacy coin, so I’ll make sure to keep checking in on this project from time to time and see how it develops.”

5 Likes

Hey @abduraman thanks for following up. Be sure that also care about the security of the network even more than anyone else.

To be honest I didn’t get the exact issue you point. But if you mean a security audit - it’s in an active phase. The whole summer we continuously do an internal security audit of the most important components of the chain and application layers.

4 Likes

Assurance of decentralization would probably greatly increase confidence that funds can’t be unilaterally confiscated so people would be able to leave large balances on the incognito blockchain. Hope that helps. I like this project a lot. :pray:

3 Likes

Hey @FFa the full decentralization is one more direction we work on. I think you will find this publication interesting Incognito's pragmatic approach to decentralization . It’s an explanation of the current state and direction where we go.

3 Likes

Hey @andrey, the expert cryptoers are afraid of hacking vaults like DeFi platforms. They mean the vaults (bridge wallets) by “bank”.

2 Likes

@duy/@andrey/@jindouyunz, I need to bump this topic.

It will be practically impossible for Incognito to get any real traction without a third-party audit.

I assume that the project has a sufficient war chest with PRV north of 1$ to pay for an independent audit. What’s causing the delay?

2 Likes

Besides the audit, do/will we have any insurance fund? Please do not forget that thieves always are one step ahead of police in the security world.

1 Like

Hey @3ncrypt3d if you refer to the audit of the smart contracts, recently it was audited by https://twitter.com/samczsun and reported here -> How a smart contract vulnerability was discovered and fixed

Next in the line is Portal v3 smart-contract. Once the development is finished, we plan to audit it as well.


Any models on how it should be designed and operated?

3 Likes

Thanks for the quick reply, @andrey. I was referring to the go code, though.

1 Like

I didn’t think about the governance (should be decentralized of course) but I think financially we have three alternatives:

  • Some part of block rewards :slight_smile: The validators’ task is to “secure” the network. The insurance fund is about the security of the network. So, I think the validators shouldn’t object to this reserve.
  • Adding some shielding fee proportional to the shielded amount, say %0.1. The rationale is that privacy for a cross-chain solution is not so cheap. If any user wants such privacy, then she should take some responsibility.
  • Hybrid. lower shielding fee and lower part of block rewards.
2 Likes

But wasn’t that more of a rando hacker successfully finding a double spend bug just by trying for fun?

2 Likes

I wouldn’t say that samczsun is a random guy :slight_smile: But as I mentioned the new audit is upcoming. Once Portal V3 is finished we plan to audit the contracts again.

2 Likes

I did not either. I pointed to the fact it was seemingly unsolicited.

Calling an unsolicited, successful hack a “securing audit” is quite the stretch I would say. From the available info he could’ve emptied the pools!?

I find that worrisome and given the fact this network operates as a decentralised bank, third party verification of the code is not a neat gimmick, but rather a must have for anyone to trust enough to deposit real value. The project can only benefit from this, it might be the biggest block on the road for new users.
Looking forward to the progress on this.

5 Likes