This post is linked from a post regarding a bug bounty proposal: 1Hive Contract Bug Bounty Program to give some context about contract audits and for discussion.
Most 1Hive contracts have not been audited to save time and money. We have had no network crippling vulnerabilities up to this point that we weren’t in a position to mitigate and contract audits that have been done in the past raised no severe vulnerabilities. Due to the recent increase in the value of HNY we are now in a position to consider having contracts audited. However, contract audits typically take months and as we are still iterating on many ideas, especially Conviction Voting, my personal opinion is that we should avoid audits for all but the most complex contracts until they are closer to being finalised.
In the case of the Faucet and Conviction Voting there are some centrally managed means to pause/recover from vulnerabilities, note there is no way to take users funds using these methods. Celeste is unlikely to have any centralised pause/recoverability mechanisms as it is a fork of an already audited code base with minimal changes. At some point in the future when Conviction Voting is more finalised, then I believe it would be worth having it audited, perhaps along with some other contracts, at which point any central locking ability can be removed.
On a personal note, it should be known that I am typically the one responsible for the smart contracts within 1hive. I am aware of the responsibility this affords me and do not take it lightly. I have financial and emotional stake within 1hive and have been working full-time on this project since its inception a little over a year ago. A couple years prior to this I worked with @lkngtn on a month long remote hackathon where we tried to build an early version of what we’re building here, the vision he had then was too forward thinking but I was convinced by it and I wanted to work on it ever since. This is to say that it’s been my interest to work on this project for years and I am fully invested in it so I will do everything I can as an engineer to ensure its success and the security of the contracts we write. To have your trust in the 1hive contracts up to this point is extremely rewarding and I hope you can continue to trust us to build these tools without auditing them along the way, slowing progress, but with the expectation that they will be audited at some point in the future.
I would also like to encourage any developers in the community to spend time in the various tech related swarms channels on Discord and look through the 1hive contracts and contribute code, ideas or concerns. The more exposure our ideas and code has the less likely it is to have bugs. It would also be great to have more developers involved in contract development and make it a more communal effort.
With that said I’m curious for suggestions regarding the auditing of contracts and interested to hear your thoughts.