Open Dexaran opened 6 years ago
There are two types of participants in the Security Department:
Callisto Security department performs free security audits for smart-contracts. Anyone can create a request for security audit of a smart contract by submitting an "issue" in the corresponding repository of Ethereum Commonwealth organization: https://github.com/EthereumCommonwealth/Auditing
For smart-contracts, the following order of audits is determined:
After the audit request has been created, it is viewed by the audit manager. If the request meets the requirements, then the auditing manager assigns it "approved" status. The "approved" label means that the audit request is available for auditors for picking.
If there are several requests with different priorities in the queue, then the manager should assign the "approved" status only to contracts with the highest priority. The remaining contracts will be checked after the audit of the contracts with the highest priority has been performed. If there are several contracts in the queue with the highest priority, then the audit manager should assign the status of "approved" to all these contracts simultaneously. In this case, the contract that auditors will begin to check first will be checked earlier.
After an audit request with an "approved" label appears, an auditor can pick it by commenting on the issue and indicating how much time it should take to audit this smart-contract (roughly / in days). After that, the auditor can start reviewing the code immediately. Other community members may also pick the request and submit their audit reports. These reports must be reviewed by auditor manager at the end of the auditing process. If the audit request was approved, but none of the auditors picked it, then the audit manager can appoint auditors to check this request if they are not engaged in checking another smart-contract.
Auditing manager must comment that the audit is successfully started and mention github nicknames of all the auditors which will be responsible for the check of the corresponding contract after several auditors have picked the issue-request. The audit manager must also comment his contact email, to which the auditors will send their secret gists (audit reports).
After the auditor began to check the code, he must create a secret github gist and send it to the auditing manager by email. An auditor must not reveal the audit report gist or publish it anywhere, so that only auditing manager and auditor (gist owner) could review it during the auditing process.
After the auditor has completed the verification of the code, he should comment to the appropriate issue that his audit report is completed. NOTE: An auditor must not reveal his report gist!
After all the responsible auditors have completed their reports, the audit manager must compare the reports.
If there are no significant discrepancies in the reports and no critical errors are detected, then the audit manager must complete the audit by summarizing the reports and submitting secret gist urls in the comment of the corresponding audit request-issue. The audit is considered complete after all the responsible auditors have submitted their reports, and the audit manager has summarized the results of these reports and published report gist urls.
If one of the community members has expressed a desire to participate in the audit of this contract and also sent his report to the audit manager, then the audit manager must review the report and comment its secret gist url to the corresponding github request-issue regardless of whether the audit was already completed or not.
After the audit was completed, the audit manager may inform the customer about the results without revealing the reports. After 15 days from the date of informing the customer about the findings, the reports should still be published and the results summed up.
The main task of each security auditor is to check the code for security-related mistakes and write a report on the detected errors after the audit is completed.
If an audit request (issue) which is labeled "approved" appears in the list, the auditor may pick it. The audit manager can also appoint an auditor if he is not currently engaged in any smart contract checking, by mentioning their github nicknames in the corresponding issue. If the auditor was appointed to a certain issue by the auditing manager, then the auditor must perform a verification of the corresponding contract.
After the auditor has received the objective of his work, he must comment the time that, in his opinion, will be required to verify this smart-contract.
The auditor must create a secret gist (audit report template) and send it to the auditing manager by email. WARNING: the auditor must never reveal the gist url. It will be revealed by auditing manager at the end of auditing process.
The auditor must check the contract code, perform necessary testing and describe findings at the secret gist (audit report).
Other auditors, community members and the audit manager will also check this smart contract, so the auditor is not incentivised in hiding the errors found or trying to exploit them.
The audit report name should start with a capital letter. Use underscores instead of spaces between words, write reports in .md format.
The report should contain a title describing to which contract or contract system the report belongs.
The report should contain the following sections:
Briefly describe the audit report, the purpose of a contract (or contract system) that was reviewed and key features of the contract.
This may be important to understand the inner logic of the contract or a contract system.
Specify the range of contracts, the version of the contracts that have been verified. If the source code was published on Github, then specify the commit hash.
Specify which files or contracts were not checked during the audit if there were any contracts/files that were excluded for some reason.
Summarize the total amount of mistakes and their severity.
severity
)Describe each bug/mistake/error separately
Severity assigning:
high - vulnerability can be exploited at any time and cause a loss of customers funds or a complete breach of contract operability. (Example: Parity Multisig hack, a user has exploited a vulnerability and violated the operability of the whole system of smart-contracts (Parity Multisigs). This could be performed regardless of external conditions at any time.)
medium - vulnerability can be exploited in some specific circumstances and cause a loss of customers funds or a breach of operability of smart-contract (or smart-contract system). (Example: ERC20 bug, a user can exploit a bug (or "undocumented opportunity") of "transfer" function and occasionally burn his tokens. A user can not violate someone else's funds or cause a complete breach of the whole contract operability. However, this leads to millions of dollars losses for Ethereum ecosystem and token developers.)
low - vulnerability can not cause a loss of customers funds or a breach of contracts operability. However it can cause any kind of problems or inconveniences. (Example: Permanent owners of multisig contracts, owners are permanent, thus if it will be necessary to remove a misbehaving "owner" from the owners list then it will require to redeploy the whole contract and transfer funds to a new one.)
minor observation - other code flaws, not security-related issues.
Give a link to a fragment of code that can lead to an error that you describe.
Describe this finding in detail.
Write down how the bug can be fixed if you know how to do it. However, fixing bugs is not the primary goal of the security auditor.
Describe the most important findings and their relationship to the main purpose of the contract. Describe how the internal logic of the contract is related to its purpose. Indicate whether the contract is safe or any critical problems need to be resolved.
https://gist.github.com/Dexaran/2389d5e7290ab69709d33abfe0485bec
Are you guys still open to hiring smart contract security auditor? @Dexaran
@alijnmerchant21 currently we are not hiring full-time security auditors. We are accepting audit requests from DAPP developers and then allowing any third party auditor to sign up for an audit (each audit request is performed by 3 auditors in theory).
Here is a list of audit requests (watch issues): https://github.com/EthereumCommonwealth/Auditing
We are not paying for security audits from Treasury at the moment so auditors can only be paid if the audit requester agreed on providing the funding for the audit.
As you can see there are audit requests in "awaiting payment confirmation" status.
hi
Yes hello
Hi
Thanks
Hello, Are you still hiring for the smart contract auditor role?
Yes, I am still available.
Ok
Duplicate of #
Anything related to hiring smart-contract security auditors contact @yuriy77k directly: t.me/@yuriy77k
Description
Callisto Team is looking for smart-contract security auditors. Security auditors should check smart contracts for errors and publish reports. Smart-contract security auditors are paid depending on the result of their audit reports.
In addition, smart-contract security auditors will participate in the initial Security DAO testing.
For any questions contact dexaran@callisto.network and yograterol@callisto.network.
Skills
Salary
Salary is assigned based on the amount of work done and the results (found vulnerabilities/ missed vulnerabilities).
Average salary of a smart-contract security auditor (solidity) for February 2019 is equal to $2049.07 (525402.6675 CLO; this can be verified through the history of transactions)