AA communication - update on addressing security needs in the Aragon Flock program
AGP-43 gave AA discretion over contracting with security partners. A new process is therefore being defined under which AA coordinates security efforts on behalf of Flock teams as smoothly and fairly as possible.
Discussions started last week on a call with ConsenSys Diligence and A1 and continued during a meeting in Berlin that gathered members of Flock teams and the Aragon Association. From these discussions the following emerged:
B) The Request for Security Review (RFSR) Process
Phase 1: Flock teams submit Security Executive Summaries (SES)
Flock teams will communicate their security needs for a given quarter by submitting an issue containing the SES to this repo.
The main things specified in an SES:
- The components to be audited (contracts, apps…)
- Documentation and links for each component, so that auditors can evaluate the workload
- An estimation of the priority of each component with a quick explanation of the stakes
Phase 2: Aragon Association Prioritization
In this phase, the Aragon Association will review the SESs and ask questions in order to establish a prioritized pipeline of all components to be audited.
Requests will be moved from the “New Requests” column to the “AA Prioritization / Review” column.
Before proceeding to the next phase, the Aragon Association may request an intra-Network audit of a given request to gain better clarity on the request's readiness and maturity for a (considerably more costly) external review. These internal audits could be facilitated by the creation of an Audit Working Group gathering members from each Flock team.
Phase 3: Flock Security DAO (TBD: medium term)
The idea was raised of creating a one-person, one-vote DAO whose members would be the team leaders and lead developers of each Flock team (members TBD).
This DAO could be funded with the Network's security budget for a given quarter, and would grant only the Aragon Association (or a delegate) the permission to create votes for transferring these funds.
At this stage, requests will move from the “AA Prioritization / Review” column to the “Security DAO Voting” column and have a corresponding vote posted to the security DAO.
Phase 4: External Review
Finally, if the vote passes, the Aragon Association will do its best to negotiate optimal terms with security partners to procure an external review for the requests (SESs) submitted by Flock teams.
Requests will move from the “Security DAO Voting” column to the “External Review” column.
Following the external security review, requests are considered complete and will have their issues closed.
At any time, the Aragon Association may move a request to the “Deprioritized” column to signal that the request has been deprioritized in its eyes.
Any time a request’s status changes or more information is required, the Aragon Association will provide feedback in the form of comments in the issue specifying the request’s SES.
C) RFP from auditors for Q2 auditing pipeline (see link)
Following the process described above, AA and Flock teams jointly established a first security needs pipeline for Q2 2019. We would be interested in receiving proposals from security partners on this pipeline, including from our past and current partners Authio and ConsenSys.
1st Apiary Fundraising app (Aragon Black) - 4-5 contracts to audit
- Among them 2-3 complex contracts, the most complex being the MarketMakerBancor, Tap and Pool contracts.
2nd Payroll App (Aragon One) - Sensitive app, almost ready to audit
3rd/4th The Planning Suite (Autark) - 5 apps to audit
Address Book: A registry of Ethereum addresses mapped to human-readable names. Used in conjunction with the Allocations and Dot Voting apps.
Allocations: Create multi-party financial allocations which are forwarded to the Dot Voting app.
Rewards: Distribute rewards to token holders in proportion to either tokens earned in a specific period (merit reward) or total token balance (dividend).
Dot Voting: Vote on the percentage of funds that distinct entities from an Allocation proposal should receive or on issue curation proposals.
Projects: Allocate funding to multiple GitHub issues in a single action and collectively curate issues.