V1 Audit information

I have had back and forth with Trail of Bits regarding the V1 audit scope and timing, here’s a rundown:

Start Date: Sept 30th
Total Effort: 9 person-weeks
Dedicated Personnel: 3 senior resources
Total Timeline: 3 weeks (plus however long it takes us to fix potential issues)
Broken Out Details:
Security review of the Customer source code through a combination of manual and automated review. The review will include, but is not limited to the following activities, with a rough estimate of their requisite level of effort:

  • (3 engineer-weeks) Network review (Burp, Wireshark, etc)
  • (2 engineer-weeks) Changes to Ethereum review (understanding what problems this introduces, etc)
  • (2 engineer-weeks) Focused review of keys, funds, storage, etc
  • (2 engineer-weeks) Additional fuzzing (go-fuzz/gopter level), krf fault injection, etc

Best-effort guidance after the project. After the project concludes, Trail of Bits will make its best efforts to address security questions that arise via email.

If there is something you feel is missing, needs changing, or needs removing from this, now is the time to bring it up, as we have not signed anything yet.

Additional details can be found in this doc.



I’m curious to know how we’ll manage branches for the audit and the development that happens in parallel. Will we create a separate instance of develop for audit on Sept. 30, and then continue building on it as usual?