Kickback auditing result, bug bounty program, and smart contract cover.
For many people, Kickback is often one of the first experiences interacting with smart contracts and dapps. It is a scary experience.
Though the amount each person commit is small, we have been holding more than a trivial amount of money on our smart contract and we must try our best to mitigate the risk of commitment staked by event participants.
With that in mind, we are proud to announce the audit result with ZeroTrust team.
[DRAFT] Kickback Audit
TheKickback team asked us to review the Kickback contracts. We looked at the code and now publish our results. The…
It is important to disclose that we caught one minor vulnerability right after we released our new contract.
[BUG] ETH can be stack on DAI party · Issue #35 · wearekickback/contracts
Summary GIVEN a user has 10DAI on their wallet AND the user has 10ETH on their wallet AND the user manually do…
We figured out thanks to our early participants reporting UI issues.
Though the problem itself was some sort of caching issue, we looked into the smart contract itself to double-check that any misbehaviour in the front end does not end up losing fund of customers and we identified a rare scenario where user’s fund could stack at the smart contract unrecoverable. Again we thank the ZeroTrust team for quickly responding to the issue and help us resolve the case. We redeployed the new smart contract for MakerDAO’s DAISUKI meetup so the problem is resolved.
This incident also reiterates the importance of having many eyeballs underneath our system and we open up a smart contract security bug bounty program awarding 100~1000 DAI depending on the severalty of the issues.
You may think 1000 DAI is a bit too low for bug bounty , but our Kickback is not as high stake as some of the high profile Defi projects. Having said that we are going to have dozens of events on Kickback during Devcon5 and hence the commitment will go up as the events day approaches.
To visualise our overall risk, I created a small page called “The pot” which shows the total amount of ETH and DAI staked.
At the time of writing, there are 118 people committing 0.72 ETH and 985 DAI. The whole reason I created it (apart from making excuse to compete on The Graph hackathon) was to figure out how much smart contract protection mutual cover I buy from Nexus Mutual. Our maximum capacity right now (the sum of the capacity of all the events) is around 700, so I expect the total risk to be around $7000 ~ $10,000. After talking to Hugh Karp (the founder of Nexus Mutual), he confirmed that he can cover the risk up to $30,000. Since we don’t have that much commitment in the contract, I decided to buy their cover of $2000 over 30 days for ….3.08 DAI!
For the time being, I will top it up as we have more participants. However, I foresee the feature where we can integrate with our Kickback smart contract so that we can top up and down as more people RSVP and withdraw.
Interacting with smart contracts is still a scary experience for many people but we are heading towards providing more assurance and protections.