Update on addressing security needs in the Aragon Flock program

AA communication - update on addressing security needs in the Aragon Flock program

A) Introduction

AGP-43 gave the AA discretion over contracting with security partners. To that end, a new process is being defined so that the AA can coordinate security efforts on behalf of Flock teams as smoothly and fairly as possible.

Discussions started last week during a call with ConsenSys Diligence and A1 and continued during a meeting in Berlin that gathered members of the Flock teams and the Aragon Association. The following emerged from these discussions:

B) The Request for Security Review (RFSR) Process

Phase 1: Flock teams submit Security Executive Summaries (SES)

Flock teams will communicate their security needs for a given quarter by submitting their SES as an issue to this repo.

The main things specified in an SES:

  • The components to be audited (contracts, apps…)
  • Documentation and links to each component, so that auditors can evaluate the workload
  • An estimate of the priority of each component, with a short explanation of what is at stake

Phase 2: Aragon Association Prioritization

At this phase, the Aragon Association will review the SESs and ask questions in order to establish a prioritized pipeline of all components to be audited.
Requests will be moved from the “New Requests” column to the “AA Prioritization / Review” column.

Before proceeding to the next phase, the Aragon Association may request an intra-Network audit of a given request to gain better clarity on the request’s readiness and maturity for an external review, which is obviously more costly. These internal audits could be facilitated by setting up an Audit Working Group gathering members from each Flock team.

Phase 3: Flock Security DAO (TBD: medium term)

An idea was brought up to create a one-person, one-vote DAO including team leaders and lead developers from each Flock team (members TBD).

This DAO could be supplied with funds corresponding to the Network’s security budget for a given quarter, and would grant only the Aragon Association (or a delegate) permission to create votes for transferring these funds.

At this stage, requests will move from the “AA Prioritization / Review” column to the “Security DAO Voting” column and have a corresponding vote posted to the security DAO.

Phase 4: External Review

Finally, if the vote passes, the Aragon Association will do its best to negotiate optimal terms with security partners to procure an external review for the requests (SESs) submitted by Flock teams.

Requests will move from the “Security DAO Voting” column to the “External Review” column.

Following the external security review, requests are considered complete and will have their issues closed.

Holding: Deprioritized

At any time, the Aragon Association may move a request to the “Deprioritized” column to signal that the request has been deprioritized in its eyes.

Misc.

Any time a request’s status changes or more information is required, the Aragon Association will provide feedback as comments on the issue containing the request’s SES.

C) RFP from auditors for Q2 auditing pipeline (see link)

Following the process described above, the AA and the Flock teams jointly established a first security needs pipeline for Q2 2019. We’d be interested in receiving proposals from security partners on this matter, including our past and current partners Authio and ConsenSys.

1st Apiary Fundraising app (Aragon Black) - 4-5 contracts to audit

  • Of these, 2-3 are complex contracts. The most complex are the MarketMakerBancor contract, the Tap contract and the Pool contract.

2nd Payroll App (Aragon One) - Sensitive app, almost ready to audit

3rd/4th The Planning Suite (Autark) - 5 apps to audit

  • Address Book: A registry of Ethereum addresses mapped to human-readable names. Used in conjunction with the Allocations and Dot Voting apps.

  • Allocations: Create multi-party financial allocations which are forwarded to the Dot Voting app.

  • Rewards: Distribute rewards to token holders in proportion to either tokens earned in a specific period (merit reward) or total token balance (dividend).

  • Dot Voting: Vote on the percentage of funds that distinct entities from an Allocation proposal should receive or on issue curation proposals.

  • Projects: Allocate funding to multiple GitHub issues in a single action and collectively curate issues.

3rd/4th Aragon Network Court (Aragon One) - 2 components to audit


Happy to see details posted on this!

I see that everything is currently listed in the AA Prioritization / Review column, but the post seems to suggest that the projects listed are currently seeking proposals.

Edit1: Also, what is the preferred channel for submitting proposals?

Edit2: Both the Autark and Court/Staking audits are listed as “3rd/4th”. Should Autark be 3rd, and Court/Staking 4th/5th?


Hey there,

Thanks for pointing that out. The issues have been moved to the final column, “External Review”, and the AA will now review proposals submitted by security partners.

A dedicated e-mail address will be provided here soon.

It is put this way because we want to remain flexible on the ordering.

Hope this answers your questions.


Proposals from security teams can now be sent here: association@aragon.org
