Last updated 2 years ago
Liqwid Protocol Security Audit
Problem
DeFi protocols built in Plutus are new, untested design patterns for constructing UTXO smart contracts that will soon hold billions in TVL.
Solution
We want to integrate continuous code review of Liqwid smart contracts & conduct a security audit of the protocol leading up to v1.0 launch.
Total to date
This is the total amount allocated to Liqwid Protocol Security Audit.
About this idea
Liqwid Labs is developing an open source and non-custodial liquidity protocol for earning interest on Cardano native assets and borrowing assets. The project's main goal is to facilitate more efficient lending pools on the Plutus extended UTXO smart contract layer introduced in Cardano's final phase of the Goguen updates.
MLabs Haskell developers have been selected as one of the software firms working with the IOHK Plutus delivery team on the private testnet. The developers have also committed to training other Haskell devs and producing open source DeFi tooling to open up Cardano DeFi development to non-Haskell devs.
Our development team is working with two of the top Haskell firms to complete the proposal deliverables:
1. Continuous code review and advisory services from expert Haskell software consultants Well-Typed: https://www.well-typed.com/
2. Protocol security audit of all Liqwid smart contracts from the team that architected Cardano's Plutus platform Tweag: https://www.tweag.io/
*MLabs developers met with Duncan Coutts from Well-Typed for the first advisory/code review session on Liqwid's DAO and Governance modeling in the eUTXO Plutus environment.
*The protocol security audit scheduled start time and resources are confirmed with Tweag.
To learn more about Liqwid and our recent development updates:
https://www.youtube.com/watch?v=JhO5iC08xSA
All of the code developed will be open sourced under the Apache 2.0 License. A final version of the security audit report will be made public. The best practice design patterns, tooling and testing resources that emerge from this proposal will all be made open source.
# MLabs work on Open Source Haskell: https://www.mlabs.city/
Across our team we have initiated and contributed to many open source projects, including static and JIT compilers (Cython, Numba), Haskell data processing systems (Streamly), build systems and frameworks for Purescript (Spago and Parcel), front-end frameworks (Halogen), Haskell schema validators (Medea), database libraries (beam, beam-mysql), Redis bindings (Hedis), the Nix and Haskell build system and packages (nixpkgs, cabal-extras), string and string parsing libraries (text-ascii, io-streams-ascii, bytestring-lexing), metrics and monitoring libraries (prometheus-haskell) and many more. Some of the libraries we have developed are actively used as part of existing payment stacks and payment processing systems.
https://github.com/mlabs-haskell/liqwid-contracts/
https://github.com/juspay/beam
https://github.com/juspay/mysql-haskell
https://github.com/juspay/hedis
https://github.com/juspay/bytestring-lexing
https://github.com/juspay/medea
https://github.com/juspay/medea-ps
https://github.com/kozross/text-ascii
https://github.com/kozross/io-streams-ascii
https://github.com/purescript/spago
https://github.com/purescript-halogen/purescript-halogen
https://github.com/NixOS/nixpkgs
https://github.com/cython/cython
https://github.com/numba/numba
# Core Development team:
6 senior Haskell fullstack developers: 4 full-time devs, 2 part-time devs.
# Metrics/KPIs:
1. Number of advisory/code review sessions with Well-Typed engineers.
2. Number of high level design patterns/models established from Well-Typed advisory/code review sessions.
3. Number of issues found during smart contract security audit by Tweag engineers.
4. Number of best practice Plutus development approaches established from code reviews and the security audit.
# Deliverables
1. The code review sessions with Well-Typed have begun and will continue for the duration of the protocol development (next 3.5 months) (currently capped at 10 hours of code review/advisory services per month). Best practice Plutus approaches to DeFi smart contracts will be made open source following these sessions.
2. The development team is targeting early July for an external protocol security audit of the Plutus contracts to be performed by Tweag.
# Relevant Experience
We are the protocol architects and maintainers of Liqwid Protocol, the team is composed of Cardano veterans and domain experts in financial auditing, asset/risk management, IT/devops and Haskell.
Liqwid Labs is a software development startup focused on building open finance solutions on Cardano. Together we've aligned around a vision to implement a more efficient and secure set of lending products, by the people, for the people.
MLabs Consulting has worked extensively in the fintech and payments space and for the past two months on constructing Liqwid Protocol contracts. Their clients include Juspay and Tillit, which respectively are B2C and B2B payments companies in India and Europe.
At Juspay the MLabs team heads up the migration of the payments stack from Purescript to Haskell and the migration from Groovy to Haskell. At Tillit the MLabs team helps to build the backend systems for B2B payments, and the associated DevOps. Work on other projects includes front-end development, artificial intelligence and machine learning.
Tweag is a software innovation lab that specialized in Haskell development for fintech applications/platforms. They are most notably known for their work in the architecture/design of Cardano's Plutus platform.
Well-Typed is a top Haskell consulting firm led by Duncan Coutts who brings extensive hands on Cardano experience as IOHK's Lead Technical Architect. The team has a depth of experience with Haskell tools, libraries, development techniques and their consultants will work alongside our core development team with both code review and advice on the tools, best practices and dev approaches our team should make use of during development.
# Budget/Resource Breakdown
We have divided the budget out across all deliverables and costs including VAT:
Deliverable 1. We estimate the Well-Typed team will dedicate ~40 engineering hours over the next 4 months of protocol development and 1-2 full time equivalents (FTE) for Haskell engineers.
30 engineering hours - Code Review/Testing and QA
10 engineering hours - Project Advisory Services
Fixed cost for this work which is composed of developer's salary, accounting/taxes and VAT: $52,500
Deliverable 2. We estimate the Tweag team will dedicate ~78 engineering hours to complete the Plutus contract security audit starting in early July and 2-3 full time equivalents (FTE) for Haskell engineers.
40 engineering hours - Code Review
20 engineering hours - Delivery of Initial Audit Report
10 engineering hours - Verification Review
8 engineering hours - Final Audit Report
Fixed cost for this work which is composed of developer's salary, accounting/taxes and VAT: $56,500
Liqwid Labs has retained the legal services of Dunsmoor Law to navigate the compliance/regulatory landscape we are developing and maintaining the Liqwid Protocol in as a Wyoming based entity. Our legal counsel is secured indefinitely at a fixed retainer cost.
Fixed cost for the legal retainer: $10,000
119000Monthly report
NB: Monthly reporting was deprecated from January 2024 and replaced fully by the Milestones Program framework. Learn more here
Progress report
Team
Liqwid Labs is building an open source lending protocol in Plutus with a team of 6 senior Haskell devs and development partner MLabs.
