Security audit is a MUST!

Hey @andrey, the expert cryptoers are afraid of hacking vaults like DeFi platforms. They mean the vaults (bridge wallets) by “bank”.

2 Likes

@duy/@andrey/@jindouyunz, I need to bump this topic.

It will be practically impossible for Incognito to get any real traction without a third-party audit.

I assume that the project has a sufficient war chest with PRV north of $1 to pay for an independent audit. What’s causing the delay?

2 Likes

Besides the audit, do/will we have any insurance fund? Please do not forget that thieves are always one step ahead of the police in the security world.

1 Like

Hey @3ncrypt3d if you refer to the audit of the smart contracts, recently it was audited by https://twitter.com/samczsun and reported here -> How a smart contract vulnerability was discovered and fixed

Next in line is the Portal v3 smart contract. Once the development is finished, we plan to audit it as well.


Any models on how it should be designed and operated?

4 Likes

Thanks for the quick reply, @andrey. I was referring to the go code, though.

1 Like

I didn’t think about the governance (should be decentralized of course) but I think financially we have three alternatives:

  • Some part of block rewards :slight_smile: The validators’ task is to “secure” the network. The insurance fund is about the security of the network. So, I think the validators shouldn’t object to this reserve.
  • Adding some shielding fee proportional to the shielded amount, say 0.1%. The rationale is that privacy for a cross-chain solution is not so cheap. If any user wants such privacy, then she should take some responsibility.
  • Hybrid: a lower shielding fee and a smaller part of block rewards.

2 Likes

But wasn’t that more of a rando hacker successfully finding a double spend bug just by trying for fun?

2 Likes

I wouldn’t say that samczsun is a random guy :slight_smile: But as I mentioned the new audit is upcoming. Once Portal V3 is finished we plan to audit the contracts again.

3 Likes

I did not either. I pointed to the fact it was seemingly unsolicited.

Calling an unsolicited, successful hack a “securing audit” is quite the stretch I would say. From the available info he could’ve emptied the pools!?

I find that worrisome and given the fact this network operates as a decentralised bank, third party verification of the code is not a neat gimmick, but rather a must have for anyone to trust enough to deposit real value. The project can only benefit from this, it might be the biggest block on the road for new users.
Looking forward to the progress on this.

6 Likes

For sure, we will keep the community updated on this topic.

5 Likes

Holding quite a lot in this project at the moment, I did have a question.

You mentioned auditing the contracts, but will there be, or is there already, an audit of the Incognito core? It’d just be reassuring to know every part of such a large project has been audited, so there are no small exploits or loopholes people may take advantage of :slight_smile:

6 Likes

This is not an audit.

1 Like

If things were audited, the Incognito team would publish the reports and link them to the smart contracts on etherscan.io.

But there has been none.

This is an example of what a smart contract that is audited looks like:


The idea of audits is to find bugs before you start accepting user money… how much money is wrapped up in these unaudited contracts?

Yes, it is a good event that an ETH security dev just happened to discover a vulnerability, but that is not an audit.

If you want to see what is included in a published audit report, click on one of the 8 reports published on 1inch exchange’s contracts linked above.

Actually I will link them here:

11 Likes

Can we get an update on a security audit?
Incognito needs it.

5 Likes

Something I found today that I thought was worth sharing.

3 Likes

First post here, and I do agree an audit is a must! I know some people who will be happy to move in significant amounts once audited by a few, maybe even backed by some insurance.

9 Likes

Any progress on this?

3 Likes

Hey @Semaj, the contract with Coinspect is signed, and the audit is in progress. The first reports should be ready within a couple of weeks.

14 Likes

Great news.

4 Likes

Good news.

3 Likes