Security Support until AGP Vote #2

Hello Community,

I’m a member of ConsenSys Diligence. We performed a thorough audit of the Aragon system last year, and are deeply familiar with the AragonOS and AragonApps systems.

We submitted an AGP to provide support services after the deadline, and it was rejected. I support the decision to reject that AGP, especially during this precedent-setting vote.

However, we would still love to continue working to support the Aragon system. Seeing concerns about the only Security Partner proposal (AGP-18) being raised [1][2], I wanted to put forth the following offering:

We would be happy to provide the services outlined in the Ongoing security advisory section of our AGP from now until the next round of AGP voting. At that time, we will submit a new AGP to cover the fees for our services ($12,000 per month in ANT or DAI as stated in the proposal).

Of course there’s a risk that the voters will reject our proposal, but we’re willing to live with that for the opportunity to:

  1. continue helping to secure this amazing system
  2. move towards a new and more collaborative model of smart contract security, that builds it into the process, rather than doing it last as with the current audit model

5 Likes

I’ve been speaking privately with Maurelian on his ConsenSys Diligence proposal. It strikes me that his comment here about moving “towards a new and more collaborative model of smart contract security” speaks to the potential the ANSP position has to set the right precedent for security in the Aragon network.

During our discussion, we expressed a mutual interest to carry out the terms of both proposals under a good-faith arrangement. Should AGP-18 be accepted, Authio will set aside a portion of the funds in order to subcontract the ConsenSys Diligence firm under the terms of their closed AGP.

Our motivation behind this arrangement is to provide the most possible value for the community from AGP-18. Diligence will reduce overhead of the initial audit by sharing knowledge gleaned from their previous engagement with Aragon. We will be coordinating to ensure the A1 developers are able to maximize the opportunity provided by an engagement with both firms. Most importantly, our collaboration ensures the formation of these ongoing security relationships can begin immediately, rather than being delayed until April. Should AGP-18 pass, ANT voters will be guaranteed not just the upside of AGP-18, but also that of the closed Diligence AGP.

Given the change in circumstances, we ask that ANT voters consider the newly combined upside of Authio and Diligence working hand in hand to ensure the strongest commitment to security for one of the largest projects in our ecosystem.

cc @maurelian

7 Likes

Confirmed. 🙂

Thanks @wadeAlexC for coming to us with the proposal. We’d both be happy to help support the Aragon network’s needs, and I hope it will have positive side effects in the security community as well.

6 Likes

Wow! This is awesome and exactly the kind of collaborative attitude that excites me about the Aragon Community 😃 Nice work guys!

5 Likes

With the awareness that we’re working for both the community and A1, here’s an email I sent through recently to both our contacts, and Authio.

Hi All,

Thanks again to Alex for the creativity and openness that brought about this collaboration.

I want to introduce the team we’ll be providing to meet our commitments to the Aragon Network Security Partner project.

  • Sergii - Sergii is based in Berlin, and will be attending Aracon; please take the time to connect with him there! From my time working with him, he is particularly strong at identifying reentrancy issues and auditing algorithms.

  • Dean - Prior to joining us, Dean worked in red teaming at Intel, and has the most “traditional” information security experience of anyone on our team.

  • Me - I’m a co-founder of Diligence. As I participated in the previous Aragon audit, I’ll be able to help both Authio and my teammates get up to speed. I’m also going to be interviewing the other auditors from the last round (Gerhard, Suhabe, Goncalo, Niran) to help jog my memory and surface their concerns. But eventually I’ll move to being more like the Account Manager in this engagement.

When possible, perhaps we could create a shared channel in either Keybase or Aragon’s Rocket Chat?

I know everyone is very busy at Aracon this week. Let me know when you’re able to get your heads above water, and we can find a time to speak further about moving the Aragon codebase forward securely.