One advantage of not being contracted to do the audits is that I can pick which audits to do (With comments from the readers, of course).
13 July — BZX — I am picking bzx for two reasons. First it has already had a few fund loss issues resulting a drop in funds resulting a flight of capitol. Will the audit indicate problems? Second reason is that it was one of the original defiscore candidates.
A new way to audit blockchain programs. Audits that are done for the users not the developers. Audits that are not paid for by the developers or scheduled for their requirements.
We look at the public artifacts of deployed contracts, check them against straightforward questions and grade them on their response. A short summary of the process is here and the detailed process here.
The basic premise of these audits is that developers following and documenting a good software development process should have secure code and maintain security. It is easier and quicker to audit the publicly available documentation than to do a proper comprehensive software audit Well documented packages are easier to support and understand, making them safer places to put money.
Advantages of PQ Audits
- Single consistent standard for all audits (so direct comparison possible)
- Can be refreshed regularly (say once a quarter)
- Can be done without consent of the contract owners
- Incentivizes improvement
- Process and reports are public so it is more difficult to have a good report without justification
- The questions clear, leaving little room for judgement and interpretation.
- The process can evolve as technology and knowledge evolves. We can update old audits with the new process
Dis-Advantages of PQ Audits
- Only audits process (documentation, tests and Github quality, audits done). It does not audit code quality or financial models
- Funding model could be weak (gitcoin grants)