CHARLi3 - V3 Architecture Audit

[GENERAL] Name and surname of main applicant

Robert Hever

[GENERAL] Are you delivering this project as an individual or as an entity (whether formally incorporated or not)

Entity (Incorporated)

[GENERAL] Please specify how many months you expect your project to last (from 2-12 months)

2

[GENERAL] Please indicate if your proposal has been auto-translated into English from another language.

No

[GENERAL] Summarize your solution to the problem (200-character limit including spaces)

We will contract a reliable lab (Anastasia and CertiK are viable options) to do a full audit of our on-chain code, off-chain code, and node software. Audits range from 75-150k + inhouse work.

[GENERAL] Does your project have any dependencies on other organizations, technical or otherwise?

Yes

[GENERAL] If YES, please describe what the dependency is and why you believe it is essential for your project’s delivery. If NO, please write “No dependencies.”

1. External Audit Team: we will depend completely on our contracted auditing team (Anastasia Labs or CertiK) to conduct the audit and code review
2. Metalamp and Mlabs: During the audit process, issues may be discovered that require remediation to pass the audit. In addition to our in-house development team, we relied on contractors at both development companies in creating our Third Generation decentralized oracle architecture. If parts of their work requires remedy, we will use funding from this proposal to pay those teams to fix their parts of our solution.

[GENERAL] Will your project’s output/s be fully open source?

Yes

[GENERAL] Please provide here more information on the open source status of your project outputs

The results of the audit will be publicly available.

If we proceed with CertiK, it will add more details to our current public CertiK "Skynet" section: https://skynet.certik.com/projects/charli3

Several parts of our architecture are open source (Datum standard, Node Software, etc) and will be available to the public for review.

[SOLUTION] Please describe your proposed solution.

We will proceed with a similar audit as we conducted with CertiK in 2022 with the appropriate outsourcing contracting team.

Existing Product

Example of our price feeds (Second Generation architecture active since Oct 2022 with 99.99999% uptime):

https://cexplorer.io/address/addr1wyd8cezjr0gcf8nfxuc9trd4hs7ec520jmkwkqzywx6l5jg0al0ya/tx#data

Documentation to consume the feed: https://docs.charli3.io/charli3s-documentation/summary

Charli3.io's decentralized oracle solution contains off-chain code that interacts with node software run by federated or external node operators. This software is parameterized by customers or in the case of community free price feeds, our team as dictated by the community. In simple terms, the node software is run by 5 operators who have specific data sources (eg APIs) to call at specific times (when triggered by an event such as a rapid price change or periodically at a set interval). Each individual node software filters data (Data Firewall) then calculates a median value to be placed on-chain to be consumed by the Charli3 on-chain oracle aggregator contract. This contract consumes values from that specific network of node operators and processes it using our proprietary algorithm. The output of the Charli3 on-chain contract is a final data value placed on-chain in our open source format for anyone to consume. In addition, our on-chain oracle contract evaluates data values placed on-chain by operators against the final value then punishes those that fall outside an acceptable range (by eliminating those operators and their value from being part of calculation and rewards, and in egregious cases having operators staked amounts slashed or in the most extreme cases legal proceedings against their insurance fund being made on behalf of paid consumers damaged by any wrong-doings.

While all this happens in mere milleseconds, we have internal alert and monitoring software that tracks in real-time all data sources, nodes, and values placed on-chain; in order to respond efficiently and proactively to potential outages.

Details of the Audit

There are multiple parts of our architecture that will be reviewed under this audit that include:

1. Objective of the audit:
2. Scope:
3. on-chain oracle contract audit
4. off-chain node software audit
5. off-chain charli3 back-end audit
6. Security review
7. Alert and Monitoring system review
8. Audit Details:
9. We will contract a team (TBD) of equal or better quality than CertiK to conduct a full scale end-to-end review of our architecture
10. A focus on providing a public transparent report on our node software, handling of data by our node networks, and the on-chain consensus algorithm that filters data being put on-chain (e.g. identifying outliers and ensuring bad node actors do not influence data)
11. Methodology:
12. A line-by-line code review
13. Thorough testing with public results
14. Corrections addressed to pass the audit
15. Timeline of the audit is 8 weeks
16. Outcome:
17. Certified audit by a reputable organization
18. Detailed public report similar to https://skynet.certik.com/projects/charli3

[IMPACT] Please define the positive impact your project will have on the wider Cardano community.

In summary:

1. Increased trust in Charli3 price feeds will lead to more adoption and better protocols
2. Assurances that Charli3 architecture and node networks are robust will provide increased trust in our current customer's protocols
3. Audits can identify enhancements for the future to better improve our solution
4. As one of the older solutions in ecosystem, we demonstrate to others the high standard in the Cardano ecosystem to continually get audits
5. Protocols will use better data feeds

Protocols relying on centralized or in-house solutions are taking potentially greater risks than if they used decentralized oracle data from Charli3.

Data sources go down, APIs update without notice, and in-house logic breaks without a dedicated team and monitoring solution focused 100% on ensuring up time.

Our flagship 2nd generation architecture mainnet feed (ADA/USD) has been up for over 12 months with 99.99999% uptime. Despite that track record, communities in Cardano want external independent validation that our feeds are supplied on a strong architectural foundation.

Charli3 is ready to launch our updated architecture and significantly expand our community free price feed offerings (planning on 30-50 new feeds in Q1 2024).

We want the community to trust our price feeds and an additional audit, similar to the CertiK one we completed in 2022, will gain the confidence and trust of the community to depend on our feeds.

The positive outcome will be more protocols using more secure data feeds and ensuring their users are best protected from bad, missing, or manipulated data.

[CAPABILITY & FEASIBILITY] What is your capability to deliver your project with high levels of trust and accountability? How do you intend to validate if your approach is feasible?

Charli3 knows how audits go from our experience with CertiK. We also have good relationships with many top audit teams in the community.

The caliber and track record of the team we pick will lend trust to voters that the audit will be serve its purpose.

Anastasia Labs and CertiK are our top two choices, both with comparable costs.

[Project Milestones] What are the key milestones you need to achieve in order to complete your project successfully?

1. Sign contract with audit team and publicly announce partnership
2. Provide public roadmap for completion

Deliverable:

Audit contract is signed and public is informed of timeline/scope if different from proposal

1. Begin Audit
2. Audit process set by auditing team and may adjust after their first pass review of our solution; should involve the following:
3. Line-by-line code review
4. Integration and dependencies review
5. on-chain/off-chain review
6. Security review

Deliverable:

Audit is in progress.

1. Report from audit team certifying we passed or;
2. Report from audit team describing issues and remedies required to pass the audit

Deliverable:

Audit Report received

1. If Audit is passed, then proceed to final milestone
2. If Audit has issues to remedy, then
3. In-house development makes necessary changes to pass audit
4. Contracting teams are brought in to fix any changes to their contributions to our codebase/architecture

Deliverable:

Roadmap for fixing issues is created and teams are assigned work to resolve them.

1. If Audit is passed, then proceed to final milestone
2. If Audit has issues to remedy, then
3. In-house development makes necessary changes to pass audit
4. Contracting teams are brought in to fix any changes to their contributions to our codebase/architecture

Deliverable:

Report after issues are resolved, may need to repeat process multiple times before passing audit.

Deliverables:

1. Audit company issues a certified report passing or failing the Charli3 solution.
2. This information is made public and, in the event of recommendations or failure a public roadmap for resolving any issues will be issued.
3. Open sourcing parts of our solution that have passed audit and are acceptable for public review (for security reasons)

[RESOURCES] Who is in the project team and what are their roles?

Project Lead: Robert Hever

Technical Lead: Deep Bhatt

Core Development team: charli3 team

Auditing team - Anastasia Labs or CertiK

• CertiK is the leading security-focused ranking platform to analyze and monitor blockchain protocols and DeFi projects. It is one of the most highly respected teams across all layer 1s.
• Anastasia Labs is a Haskell consultancy specialized in developing mission-critical blockchain applications. They are particularly apt for this audit being a haskell consultancy for reviewing our on-chain contract, but more importantly they are experienced auditors in the Cardano ecosystem and have worked on several significant solutions... such as Wanchain, Wingriders, Lenfi

(optional): Contracting support teams: Metalamp, MLabs

[BUDGET & COSTS] Please provide a cost breakdown of the proposed work and resources.

Previous Audit Cost

In 2022, CertiK conducted an audit of our second generation architecture that focused on the on-chain and off-chain code. This audit cost around USD$120,000 to have highly skilled consultants at USD$250/hr review of our solution and create reports on it. It spanned 8 weeks, with 3 audit team members working full-time for approximately for 3 weeks (2 weeks to start, 1 week to report, and part-time inbetween to support us on understanding remedies).

Previous audit cost:

3 Consultants (USD$250/hr) x 40 hours per week x 4 weeks = USD$120,000

The entire audit process took around 480 person-hours of work from their audit team. In addition to the audit team work, our own team focused entirely on the audit remedies during that time period. For our first audit, we had limited contractor teams supporting us. For this second audit, we do have contracting teams that contributed significantly to our upgraded Third Generation architecture. As such, we include costs to have those contractors work on any relevant changes to their contributions.

Third Generation / Second Audit Estimate:

Additionally, with our newest third generation architecture, our codebase is a lot larger (30% more) and our solution involves more moving parts including Alert and Monitoring systems, Data Firewalls, and significantly more complex solutions written in both the off-chain and on-chain code.

Estimated Breakdown of costs:

• Top Tier Audit team
• Conduct audit and provide certified public report
• USD$250 hourly x 624 hours of work (30% more hours than first audit)
• Approx cost: USD$156,000 (Approx 350,000 ADA)
• Inhouse or external development team
• Resolve issues and work on remedies as prescribed by audit team
• USD$75 hourly x 5 inhouse or contract developers x 4 weeks
• Approx cost: USD$60,000 (135,000 ADA)
• Leftover fund usage:
• In the event that our team does not use all the funding (overestimated), we will donate that funding to the Community Price Feed Funds so the proceeds go towards maintaining and providing free data feeds to the ecosystem; that said, we are confident that our estimate is within 10% of what the actual costs will be... learning from our mistakes in previous funding rounds we will swap ADA to USDC as soon as it is received to avoid losing value.

TOTAL FUNDING: 485,000 ADA at today's ADA/USD rate

[VALUE FOR MONEY] How does the cost of the project represent value for money for the Cardano ecosystem?

Context:

Charli3 has focused exclusively on delivering data through node networks accurately and securely since 2021. Our flagship ADA/USD feed has been active on Cardano mainnet since Oct 2022 with 99.99999% uptime. We are the only solution that is Cardano native in the sense that our node operators post their data values on-chain fully transparent and auditable, and our consensus algorithm occurs on-chain, fully transparent and auditable. Whereas other solutions simply post values on-chain and all other transactions/processes are not natively on Cardano, Charli3 is completely native to the chain.

Demand of the ecosystem:

If the ecosystem has increased confidence that our data price feeds are accurate, reliable, and secure, then more builders/protocols will consume them. Shifting from in-house solutions to a dedicated fully focused decentralized oracle solution will increase security on those protocols and protect users. Thus uplifting the ecosystem as a whole to the standards of other chains (e.g. Link/Pyth/Supra on ETH).

Audit aligns with our launch plans:

Charli3 will be launching 30+ price feeds for in Q4 2023 to Q1 2024 that are freely available for public consumption. This is catalyst funded and community driven. These are long delayed, but ready with our new architecture to launch. An audit will bolster confidence in the community that these feeds are dependable. Where builders can slap together a couple APIs and a multi-sig then take risks that data sources go down, multi-sig processes fail, or black swan events stress their system, they now have an audited free option to use feeds that pulls from 14+ APIs has 5 nodes and a team fully dedicated on ensuring uptimes. For example, 7 data sources could go down for our Third Generation ADA/USD feed and 2 nodes could go off-line and our feed would still supply reliable and accurate data from their sources on-chain. With our alert and monitoring system, we are proactively looking for an anticipating downtime to resolve with our dedicated support team. This is may be in place with in-house data integration solutions, but likely not.

An audit increases trust with the community to use our free community feeds and that will make the Cardano ecosystem more secure and inviting for new users to the chain... it will bring new users to protocols that use our feeds too.

An audit will provide the confidence and trust of builders to use those feeds, thus saving them thousands of dollars a month on data costs using other solutions -- or even worse -- if they do not use a dedicated solution like ours, they risk catastrophic data issues such as de-pegging in DeFi protocols or stale data missing deviations during times of volatility. As we move into the bull market that is potentially coming, this risk is greatly increased.

The Charli3 feeds do not pull data from 3-5 sources, but sometimes 10+ so a single price feed cycle contains 70+ API calls and 100s of "triangulations". We hope an audit can help gain the confidence of the community to start using our service we spent 2+ years refining.

[IMPORTANT NOTE] The Applicant agrees to Fund Rules and also that data in the submission form and other data provided by the project team during the course of the project will be publicly available.

I Accept