[RFP] Independent Auditor - cducrest

About me

I am cducrest, offering my services as an independent auditor. I worked as an auditor at Brainbot Technologies A.G. completing several private audits and finding a critical live bug in a millions-raising project.

I took part in decentralized audit contests on Sherlock and Code4rena, achieving multiple top positions.

Later, I audited multiple protocols for Gnosis (Safe modules, CoW Swap modules, staking contracts, bridge contracts, …).

Most of my audits involve non-disclosure agreements, but some of my findings can be seen at https://cducrest.github.io/auditor-blog/

Approach

My approach to auditing will be to thoroughly go through the code and read it line by line. I will especially look for the following issues:

  • Price Oracle Manipulation
  • Erroneous Accounting
  • ID Uniqueness Violations
  • Inconsistent State Updates
  • Privilege Escalation
  • Atomicity Violations
  • Use of safeTransfer for ERC20
  • Fee-on-transfer / rebase token
  • Blacklist tokens
  • Front/back-running transactions
  • Signature malleability
  • Parallel data structures
  • Asymmetrical code
  • Use of unsafe delete

I will also run automated tools such as Slither, Mythril, and fuzzing tools where necessary. I will analyze the results to make sure there are no vulnerabilities that could be missed.

Scope

My understanding from [RFP] Audit of Keyper Staking and Delegated Staking Mechanism and [Development] Staking and Delegate Mechanism - Blockful is that the scope of the audit will be the src directory of the GitHub repository blockful-io/shutter-staking (Development of a Staking mechanism for ShutterDAO), at a commit not too far from 73f5afe7197695b76eb43cc46f74de66f370cbcd:

  • src/Staking.sol (588 lines of code)
  • src/RewardsDistributor.sol (150 lines of code)
  • src/interfaces/IStaking.sol (63 lines of code)
  • src/interfaces/IRewardsDistributor.sol (19 lines of code)

I understand that the code is not ready yet and will change in the near future. I expect the line counts and complexity not to vary vastly.

I will produce a report with detailed findings and severities. I will include remarks about code or gas optimizations where justified. I will allow the development team to fix the vulnerabilities found and will review the fixes, as long as they do not include a complete rewrite of the code base.

Deadline

I expect to deliver a report to the development team a week after the work can be started (i.e. agreement is reached on the work and a commit hash and repository are made available).

Budget

The total allocation of 10.000 USDC is to be paid in full after the report is produced and sent to the development team. The review of fixes is performed free of charge and incurs no costs as long as the fixes do not include a complete overhaul of the code base (modifications exceeding 40% of the audited lines of code).

Links

https://github.com/cducrest

https://audits.sherlock.xyz/watson/cducrest-brainbot

https://cducrest.github.io/auditor-blog/
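To illustrate three items on the checklist in the Approach section (use of safeTransfer for ERC20, fee-on-transfer tokens, and erroneous accounting) in the context of a staking contract, here is an added example. It is not part of the original post and is not code from the blockful-io/shutter-staking repository; the contract, its function names and the minimal IERC20 surface are assumptions made for the illustration. The naive deposit credits the requested amount and trusts the token's return value; the hardened deposit measures the balance delta and tolerates tokens that return no boolean.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal ERC20 surface used by this example (assumed interface, not the project's).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Hypothetical staking vault (constructed for this example) showing a naive
/// deposit next to a hardened one.
contract StakingAccountingExample {
    IERC20 public immutable token;
    mapping(address => uint256) public staked;
    uint256 public totalStaked;

    constructor(IERC20 _token) {
        // A call to an address without code returns success with empty data,
        // which the "empty return data is fine" check below would accept.
        require(address(_token).code.length > 0, "token has no code");
        token = _token;
    }

    /// safeTransfer-style wrapper: accepts tokens that return true and tokens
    /// that return nothing; reverts when the callee reverts or returns false.
    function _safeCall(bytes memory callData, string memory err) internal {
        (bool ok, bytes memory data) = address(token).call(callData);
        require(ok && (data.length == 0 || abi.decode(data, (bool))), err);
    }

    function _safeTransferFrom(address from, address to, uint256 amount) internal {
        _safeCall(abi.encodeWithSelector(IERC20.transferFrom.selector, from, to, amount), "transferFrom failed");
    }

    function _safeTransfer(address to, uint256 amount) internal {
        _safeCall(abi.encodeWithSelector(IERC20.transfer.selector, to, amount), "transfer failed");
    }

    /// Erroneous accounting: credits `amount` although a fee-on-transfer token
    /// delivers less, so `totalStaked` drifts above the real balance and the last
    /// withdrawers cannot be paid. It also ignores a `false` return value.
    /// Kept only to contrast with `stake`.
    function stakeNaive(uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount);
        staked[msg.sender] += amount;
        totalStaked += amount;
    }

    /// Hardened: credit exactly what arrived, measured as the balance delta.
    function stake(uint256 amount) external returns (uint256 received) {
        uint256 before = token.balanceOf(address(this));
        _safeTransferFrom(msg.sender, address(this), amount);
        received = token.balanceOf(address(this)) - before;
        require(received > 0, "nothing received");
        staked[msg.sender] += received;
        totalStaked += received;
    }

    /// State is updated before the external call so a reentrant callback cannot
    /// withdraw the same stake twice.
    function withdraw(uint256 amount) external {
        require(staked[msg.sender] >= amount, "insufficient stake");
        staked[msg.sender] -= amount;
        totalStaked -= amount;
        _safeTransfer(msg.sender, amount);
    }
}
```

The balance-delta pattern fixes the fee-on-transfer case but not rebasing tokens, whose balances change between deposit and withdrawal without any transfer; those need share-based accounting (stakers own a fraction of the vault balance rather than a fixed token amount), which is a separate design decision for the reviewed code.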
