MIP#23

MIP#: MIP#23
Title: Smart Contract Security Audit - Certik
Author(s): Certik
Contributors: MVClabs
Editor: N/P
Date Proposed: 2024.02.07
Date Ratified: 
Dependencies:
Replaces: N/P
Exception to MIP: N/P
  • Vote Option:

A) Comprehensive Audit DAO + NFT + TOKEN - USDT 60,000

B) Only DAO audit - USDT 44,000

C) No

  • Executive Summary:

MVC is seeking a third party to evaluate the codebase security, and CertiK will review and verify the project specifications and source code with a detailed focus on weaknesses, potential vulnerabilities, and overall security. CertiK will also address its findings with solutions that may mitigate future attacks or loopholes.

  • Proposal:

https://drive.google.com/file/d/1NBQNkJBv3BSVXzFWmzgEH1nE-bHzgzui/view

  • Project Background & Mission:

CertiK’s mission in the audit is to apply different types of approaches and detections, ranging from manual, static, and dynamic analysis to formal verification, to ensure that MVC is checked against known attacks and potential vulnerabilities. Failures and security issues highlighted include:

● Inconsistency between specification and implementation

● Flawed design, logic

● Reentrancy, code injection, and Denial of Service attacks

● Limit exceeded on bytecode and gas usage

● Miner attacks on timestamp and ordering

CertiK leverages a team of seasoned engineers and security auditors to apply testing methodologies and verifications to MVC’s project, in turn creating a more secure and robust software system. CertiK has served more than 3,000 clients with high quality auditing and consulting services, ranging from stablecoins such as Binance’s BGBP and Paxos Gold to decentralized oracles such as Band Protocol and Tellor. CertiK customizes its engineering tool kits for each client’s project, while applying cutting-edge research on smart contracts, to offer a high-quality delivery. As MVC utilizes technologies from blockchain and smart contracts, the CertiK team will continue to support the project as a service provider and collaborator.

  • DLT Methodology:

At CertiK, we implement a transparent process and make our reviews a collaborative effort. The goals of our security audits are to prove the soundness of the protocol design, enhance the source code quality, and output sufficient remediations for the system. The CertiK team utilizes the following methodologies in the security audit process.

  • Remediations and Recommendations:

The primary objective is to provide the client with actionable items and upgrade suggestions from our analysis and discovery. CertiK engineers, seasoned with general software engineering and security experience, will try their best to outline or mitigate the vulnerabilities that may affect the system as a whole. At the completion and delivery of the final report, all critical and medium findings and recommendations should be resolved.

  • Proposal Content:

SCOPE OF ENGAGEMENT

CertiK will assess the following files based on the client’s provided source code repository.

The audit process will utilize a mixture of expert manual review, static analysis, and dynamic analysis techniques. The engagement was scoped to provide a security assessment of the MVC Release.

DAO: https://github.com/mvc-labs/mvcdao-core (LoC 1864)

NFT: https://github.com/mvc-labs/nft-core (LoC 1169)

TOKEN: https://github.com/mvc-labs/token-core (LoC 719)

  • Timelines:

After a thorough review from our engineering team of all provided materials, the price quote of this audit request is as follows. The price quote is based on the scope of work, date of completion, and resource allocation required.

Option A)

Comprehensive Audit DAO + NFT + TOKEN

Days Allocated: 20 business days

Start Date Proposed: February 20th, 2024 (Upon receipt of payment)

Resource Allocation: 2 BTC Security Experts

Final Price: $ 60,000

Option B)

Audit DAO:

Days Allocated: 11 business days

Start Date Proposed: February 20th, 2024 (Upon receipt of payment)

Resource Allocation: 2 BTC Security Experts

Final Price: $ 44,000

  • USDT Resources:

MVCDAO has ample USDT reserves to cover all associated costs. If MIP-23 is approved by the DAO, the required USDT will be withdrawn from the existing community liquidity account. In exchange, an equivalent value of Space will be transferred from the DAO treasury to the community liquidity account, ensuring liquidity resources are maintained.

  • Workflow and deliverables:

As the leading security service provider in the industry, the CertiK team workflow prioritizes a high quality service and an excellent customer experience.

Initial & Kick-Off Meetings with CertiK

● Bilaterally agree upon preferred communication channels, auditing goals, and action items regarding: Infrastructure, product design, ecosystems, economy model, and broader cybersecurity plans

Information Gathering, Project Research, Audit Planning, and Executions

● With all documents relevant to the client’s project, perform an in-depth review, formalizing structures and plans by decomposing into smaller, auditable pieces

● Conduct the assessments based upon different approaches and methodologies, including manual, static, and dynamic analyses that are feasible for the corresponding project

Preliminary Reports

● Deliver preliminary (or weekly) reports to highlight findings/vulnerabilities/recommendations that could help the client utilize the results and address patches or updates quickly (Remediation Window)

Re-Audits

● Re-audit the design and the code changes implemented after the assessment period, holding engineering meetings, if necessary, for further discussions

Further Iterations

● Repeat the steps above to improve the code quality until acceptable security confidence is reached

Final Report

● Deliver a comprehensive report that includes all the details and practices of the audit project, which may serve as a certificate for cryptocurrency exchanges or a technical document for the client’s engineering team to utilize as a reference

  • Why Certik

CertiK leads blockchain and smart contract security by pioneering the use of cutting-edge technologies, including static/dynamic analysis and Formal Verification. Auditing is one of the premium solutions that CertiK offers to its clients in its mission to verify and ensure the correctness and security of software. CertiK also contributes to the technical communities and ecosystems by providing guidance, research, and advisory about blockchain and smart contract best practices. To date, CertiK has served more than 700 clients and secured over $30B in digital assets across all major protocols. CertiK was founded by Computer Science professors from Yale University and Columbia University, with its technologies derived from years of research in academia. CertiK is backed by notable investors including Coatue, AptosLabs Ventures, Binance, Lightspeed Venture Partners, Shunwei Capital, and IDG. Additionally, CertiK has received grants from IBM, the Qtum Foundation, and the Ethereum Foundation to support its research on improving security across the blockchain industry.

  • Disclaimer & Remarks:

1) SPACE: Not an Investment Vehicle

MVCDAO wants to make it crystal clear: SPACE isn't a get-rich-quick scheme. MVCDAO emphasizes that Space is not an investment vehicle, but the gas within the MVC ecosystem. The value and price of SPACE may be influenced by utility demand on the MVC network, so there may be risks of price fluctuations. Participants are advised against purchasing SPACE for investment or speculative purposes.

Please note that MVCDAO does not make any commitments or guarantees regarding the price or value of SPACE. When holding SPACE, it should be used solely for participation in MVCDAO governance or utility purpose within the MVC network.

2) No Investment Advice:

This proposal aims to boost MVC network sustainability, not to provide investment advice or analysis.

3) The audit report from [Certik] should not be used in any way to make decisions around investment or involvement with any particular project. This report in no way provides investment advice, nor should it be leveraged as investment advice of any sort. The audit report represents an extensive assessment process intended to help Certik's customers increase the quality of their code while reducing the high level of risk presented by cryptographic tokens and blockchain technology.

4) This proposal is submitted under the MVC improvement proposal (MIP) framework and is subject to review and approval by all MVCers through an on-chain proposal.