The Weekly Yax #20: Code 423n4 Audit

The Weekly Yax is the easiest way to keep up with the yAxis Project. Every Sunday, we highlight major news and developments, alongside key takeaways from the week’s episode of Ya Herd?

Major News & Developments

Ya Herd? Week #20 Key Takeaways

This week’s episode was motivated by yAxis’s engagement with Code 423n4 (C4 for short) to conduct a smart contract audit contest as a part of its v3 security diligence. yAxis utilized this week’s Ya Herd?, including special guests Ellie and Lou from C4, as an opportunity to further inform the community about C4’s approach, contest structure, and differentiators. We’d like to extend a thank you to Ellie and Lou from the entire yAxis community for their willingness to participate in the conversation, answer community questions, and convey the value created for yAxis by engaging C4.

Code 423n4 Approach

The Code 423n4 approach aligns freelance security researchers and the abundance of DeFi projects seeking audits in both a time- and cost-flexible manner. Both of these attributes enable yAxis to tailor security diligence to closely match its current development stage, needs, and budget.

By providing the contest infrastructure to organize the audits, C4 creates competition among security researchers (check out the leaderboard here). This more “decentralized” methodology for auditing establishes market-based incentives for smart contract security experts, attracting top talent and generating broader exposure to individuals that bring with them a wide range of perspectives. By aggregating these different perspectives to produce a holistic review, C4 strives to help yAxis and the DeFi ecosystem as a whole become more secure.

Contest Structure

C4’s smart contract audit contests consist of three major parties:

  1. Sponsors
  2. Wardens
  3. Judges

As the project seeking a security review, yAxis is the Sponsor for its contest and has established a contest pool of $60,000, $30,000 in YAXIS and $30,000 in USDC, to attract Wardens to review its contracts. Wardens are the security researchers who hunt for issues in yAxis’s contracts. Wardens have varying levels of involvement ranging from a few hours per contest all the way up to full-time engagement. Throughout the contest, Wardens will engage with the yAxis development team to ask questions, discuss approaches, and raise security issues in real time.

Once Wardens identify issues, Judges review the issues found and allocate awards from the contest pool to security researchers based on the number of issues they discovered, the severity of those issues, and whether other Wardens also discovered those same issues. Further documentation on each of the roles is available here.

yAxis’s contest, as with most C4 contests, will run for one week until September 15th. The goal is to have as many Wardens look at the v3 code as possible over the contest length. A final report will be published after the contest concludes and yAxis, as the Sponsor, will resolve issues as necessary. yAxis also has the optionality to run a follow-up contests on any mitigations.

You can review the other reports Code423n4 has produced here. yAxis’s report will not only be valuable to yAxis, but also help the entire DeFi space continue to learn. Greater security across the ecosystem is a rising tide that lifts all boats.

Value Proposition

yAxis is interested in the value of an actual security review, not just an audit certificate, which, as discussed in Week 18 v3 Launch Strategy edition, is a desire compromised by a mismatch of incentives in the current audit firm landscape. Explosion in demand for audits from the burgeoning DeFi industry has created conditions under which audit firms are incentivized to cut corners, in both review time and the number of review personnel. Audits have become more about obtaining the shiny certificate than the actual security review itself — and DeFi projects are left without the leverage needed to ensure a proper review. Remember that audit firms are not required to find any issues, merely to complete the review.

Further, this incredible demand for audits have stretched timelines far beyond reason, often 6 months or more.

Code423n4’s value proposition helps resolve this incentive mismatch for yAxis. The time flexibility ensures that yAxis can pursue its development goals on a reasonable time horizon. The market-based, competitive approach taps into a larger, more diverse talent pool of security researchers than the one or two reviewers that yAxis would receive from an audit firm. The “pay for findings” structure is a more efficient allocation of project resources. And finally, the organic, real-time process with open communication between Wardens and the yAxis development team and the optionality to run a subsequent contest on mitigations follows a more natural problem-solving process that optimizes for best outcomes, rather than completeness.

yAxis is excited to engage with C4 throughout this process and looks forward to remaining on the forefront of DeFi security practices.

The full recording of this week’s episode can be found on YouTube and in podcast format.

yAxis Project Stats of the Week

  1. MetaVault TVL $2.2 million.
  2. YAXIS LP 463% APY (186% APR)
  3. Staking rewards are currently paused in preparation for the launch of the v3 staking contract. Learn more about the v3 staking gauges here.

Join Us: Bounties & Jobs

Coordinated by the yAxis Champions Programme, the yAxis Bounty Board lists requests for proposals (RFPs), where community members can respond to specific Project needs and receive compensation upon task completion. See the current opportunities below and check the Bounty Board frequently as more opportunities will be added over time, such as the recently added Convex Development Bounty, which led to this pull request.

If none of the current opportunities appeal to you, but you would still like to contribute, reach out to waali@yaxis.io. You have the opportunity to shape the next era of yAxis.

That concludes the twentieth edition of The Weekly Yax. Thank you for reading and looking forward to many more!

Onward and upward, Herd!

DeFi made easy