[GIP-169]: Additional integration audits
Summary
This proposal requests 15000 USDC from the DAO to pay for an audit of new integrations. The audit will be conducted by Decurity and Watchpug over the span of 1 week. Gearbox has always placed security front and center. Smart contract auditing is critical to ensuring the safety of user funds and to building trust with users, so allocating a budget for auditing new integrations and updates is reasonable.
Audit scope
This is a limited-scope audit that reviews integrations as discussed between Gearbox contributors and Decurity / Watchpug.
The following adapter / price feed contracts are reviewed by Decurity:
- https://github.com/Gearbox-protocol/integrations-v3/blob/sky-adapters-3_0/contracts/adapters/sky/DaiUsdsAdapter.sol
- https://github.com/Gearbox-protocol/integrations-v3/blob/sky-adapters-3_0/contracts/adapters/sky/StakingRewardsAdapter.sol
- https://github.com/Gearbox-protocol/integrations-v3/blob/sky-adapters-3_0/contracts/helpers/sky/StakingRewardsPhantomToken.sol
- https://github.com/Gearbox-protocol/integrations-v3/blob/sky-adapters/contracts/adapters/sky/DaiUsdsAdapter.sol
- https://github.com/Gearbox-protocol/integrations-v3/blob/sky-adapters/contracts/adapters/sky/StakingRewardsAdapter.sol
- https://github.com/Gearbox-protocol/integrations-v3/blob/sky-adapters/contracts/helpers/sky/StakingRewardsPhantomToken.sol
- https://github.com/Gearbox-protocol/oracles-v3/blob/next/contracts/oracles/updatable/PythPriceFeed.sol
The following price feed contracts are reviewed by Watchpug:
- https://github.com/Gearbox-protocol/oracles-v3/blob/pendle-pt-pf-3_1/contracts/oracles/pendle/PendleTWAPPTPriceFeed.sol
- https://github.com/Gearbox-protocol/oracles-v3/blob/pendle-pt-price-feed/contracts/oracles/pendle/PendleTWAPPTPriceFeed.sol
Budget Breakdown
The total budget for the final review is 15000 USDC (10000 USDC for the Decurity audit, 3000 USDC for the Watchpug audit, and 2000 USDC proposed as a reserve in case it is required). Post-audit, the community can expect a detailed audit report highlighting any vulnerabilities found and their severity, as has been done for all previous audits (https://docs.gearbox.finance/risk-and-security/audits-bug-bounty).
About Decurity
Decurity is a team of veteran hackers who moved into blockchain and smart contract security in its early days. They placed top-2 in the @Paradigm and @OpenZeppelin CTFs and have previously audited Gearbox, 1inch, yearn, compound and other protocols (check here for details).
About Watchpug
Watchpug is a security team that collaborates with protocol developers, offering practical security knowledge and in-depth auditing of Solidity smart contracts. They have previously audited Pendle several times (check here and here).
| Voter | Cast Power | Vote & Rationale |
|---|---|---|
| 0xC4CA...43153B | 71.795M | Accept |
| 0xb9b7...6CceeA | 46.838M | Accept |
| 0xf3D4...49d89E | 34.691M | Accept |
| 0xdAb4...40a38D | 29.219M | Accept |
| 0x81E8...Fd2c08 | 27.949M | Accept |
Proposal Status
- Wed October 16 2024, 07:26 am: Voting Period Starts
- Sat October 19 2024, 07:26 am: Voting Period Ends
Current Results
- Accept: 211.937M
