196 lines
4.3 KiB
Bash
196 lines
4.3 KiB
Bash
|
|
#!/usr/bin/env bash
|
||
|
|
# Schedule Security Audit
|
||
|
|
# Helps coordinate audit firm selection and scheduling
|
||
|
|
|
||
|
|
set -euo pipefail
|
||
|
|
|
||
|
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||
|
|
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../../../../.." && pwd)"
|
||
|
|
|
||
|
|
AUDIT_DIR="$PROJECT_ROOT/docs/bridge/trustless/audit"
|
||
|
|
mkdir -p "$AUDIT_DIR"
|
||
|
|
|
||
|
|
echo "Security Audit Scheduling Helper"
|
||
|
|
echo "================================"
|
||
|
|
echo ""
|
||
|
|
|
||
|
|
# Display audit firm options
|
||
|
|
cat <<EOF
|
||
|
|
## Recommended Audit Firms
|
||
|
|
|
||
|
|
1. **Trail of Bits**
|
||
|
|
- Contact: https://www.trailofbits.com/contact
|
||
|
|
- Email: contact@trailofbits.com
|
||
|
|
- Cost: \$30k-50k
|
||
|
|
- Timeline: 4-8 weeks
|
||
|
|
- Specialization: DeFi, bridges, economic security
|
||
|
|
|
||
|
|
2. **OpenZeppelin**
|
||
|
|
- Contact: https://www.openzeppelin.com/security-audits
|
||
|
|
- Email: security@openzeppelin.com
|
||
|
|
- Cost: \$25k-40k
|
||
|
|
- Timeline: 4-6 weeks
|
||
|
|
- Specialization: Solidity, DeFi protocols
|
||
|
|
|
||
|
|
3. **Consensys Diligence**
|
||
|
|
- Contact: https://consensys.io/diligence/
|
||
|
|
- Email: diligence@consensys.io
|
||
|
|
- Cost: \$40k-60k
|
||
|
|
- Timeline: 6-10 weeks
|
||
|
|
- Specialization: Enterprise-grade, bridges
|
||
|
|
|
||
|
|
4. **CertiK**
|
||
|
|
- Contact: https://www.certik.com/
|
||
|
|
- Email: contact@certik.com
|
||
|
|
- Cost: \$20k-35k
|
||
|
|
- Timeline: 3-6 weeks
|
||
|
|
- Specialization: Automated + manual review
|
||
|
|
|
||
|
|
EOF
|
||
|
|
|
||
|
|
# Create audit request template
|
||
|
|
REQUEST_TEMPLATE="$AUDIT_DIR/audit-request-template.md"
|
||
|
|
cat > "$REQUEST_TEMPLATE" <<'EOF'
|
||
|
|
# Security Audit Request
|
||
|
|
|
||
|
|
## Project Information
|
||
|
|
|
||
|
|
**Project Name**: Trustless Bridge System
|
||
|
|
**Network**: ChainID 138 (Besu) ↔ Ethereum Mainnet
|
||
|
|
**Audit Type**: Smart Contract Security Audit
|
||
|
|
**Priority**: High
|
||
|
|
|
||
|
|
## Scope
|
||
|
|
|
||
|
|
### Contracts to Audit
|
||
|
|
|
||
|
|
1. **Lockbox138** (ChainID 138)
|
||
|
|
- Deposit contract
|
||
|
|
- Replay protection
|
||
|
|
- Deposit ID generation
|
||
|
|
|
||
|
|
2. **InboxETH** (Ethereum Mainnet)
|
||
|
|
- Claim submission
|
||
|
|
- Rate limiting
|
||
|
|
- Relayer fees
|
||
|
|
- Batch operations
|
||
|
|
|
||
|
|
3. **BondManager** (Ethereum Mainnet)
|
||
|
|
- Bond posting
|
||
|
|
- Bond slashing
|
||
|
|
- Bond release
|
||
|
|
- Batch operations
|
||
|
|
|
||
|
|
4. **ChallengeManager** (Ethereum Mainnet)
|
||
|
|
- Fraud proof verification
|
||
|
|
- Challenge mechanism
|
||
|
|
- Finalization logic
|
||
|
|
- Batch operations
|
||
|
|
|
||
|
|
5. **LiquidityPoolETH** (Ethereum Mainnet)
|
||
|
|
- Liquidity management
|
||
|
|
- Fee distribution
|
||
|
|
- Minimum ratio enforcement
|
||
|
|
|
||
|
|
6. **SwapRouter** (Ethereum Mainnet)
|
||
|
|
- DEX integration
|
||
|
|
- Slippage protection
|
||
|
|
- Route validation
|
||
|
|
|
||
|
|
7. **BridgeSwapCoordinator** (Ethereum Mainnet)
|
||
|
|
- Bridge + swap coordination
|
||
|
|
- Claim verification
|
||
|
|
|
||
|
|
8. **Libraries**
|
||
|
|
- MerkleProofVerifier
|
||
|
|
- FraudProofTypes
|
||
|
|
|
||
|
|
## Focus Areas
|
||
|
|
|
||
|
|
1. **Economic Security Model**
|
||
|
|
- Bond sizing calculations
|
||
|
|
- Slashing mechanics
|
||
|
|
- Economic attack scenarios
|
||
|
|
|
||
|
|
2. **Fraud Proof Implementation**
|
||
|
|
- Merkle proof verification
|
||
|
|
- Fraud proof types
|
||
|
|
- Verification logic
|
||
|
|
|
||
|
|
3. **Access Control**
|
||
|
|
- Admin functions
|
||
|
|
- Authorization mechanisms
|
||
|
|
- Multisig integration
|
||
|
|
|
||
|
|
4. **Rate Limiting**
|
||
|
|
- Cooldown mechanisms
|
||
|
|
- Hourly limits
|
||
|
|
- Spam prevention
|
||
|
|
|
||
|
|
5. **Batch Operations**
|
||
|
|
- Gas efficiency
|
||
|
|
- Error handling
|
||
|
|
- Reentrancy protection
|
||
|
|
|
||
|
|
## Deliverables
|
||
|
|
|
||
|
|
- Comprehensive audit report
|
||
|
|
- Risk assessment
|
||
|
|
- Recommendations
|
||
|
|
- Fix prioritization
|
||
|
|
|
||
|
|
## Timeline
|
||
|
|
|
||
|
|
- **Request Date**: [DATE]
|
||
|
|
- **Proposed Start**: [DATE]
|
||
|
|
- **Expected Completion**: [DATE]
|
||
|
|
- **Remediation Period**: 2-4 weeks
|
||
|
|
|
||
|
|
## Contact
|
||
|
|
|
||
|
|
[Your Contact Information]
|
||
|
|
EOF
|
||
|
|
|
||
|
|
echo "Audit request template created: $REQUEST_TEMPLATE"
|
||
|
|
echo ""
|
||
|
|
|
||
|
|
# Create audit tracking file
|
||
|
|
AUDIT_TRACKING="$AUDIT_DIR/audit-tracking.json"
|
||
|
|
if [ ! -f "$AUDIT_TRACKING" ]; then
|
||
|
|
cat > "$AUDIT_TRACKING" <<EOF
|
||
|
|
{
|
||
|
|
"status": "pending",
|
||
|
|
"firm": null,
|
||
|
|
"requestDate": null,
|
||
|
|
"startDate": null,
|
||
|
|
"expectedCompletion": null,
|
||
|
|
"actualCompletion": null,
|
||
|
|
"cost": null,
|
||
|
|
"findings": {
|
||
|
|
"critical": 0,
|
||
|
|
"high": 0,
|
||
|
|
"medium": 0,
|
||
|
|
"low": 0
|
||
|
|
},
|
||
|
|
"remediation": {
|
||
|
|
"status": "pending",
|
||
|
|
"completedFixes": 0,
|
||
|
|
"totalFixes": 0
|
||
|
|
}
|
||
|
|
}
|
||
|
|
EOF
|
||
|
|
echo "Audit tracking file created: $AUDIT_TRACKING"
|
||
|
|
fi
|
||
|
|
|
||
|
|
echo ""
|
||
|
|
echo "Next Steps:"
|
||
|
|
echo "1. Review audit request template: $REQUEST_TEMPLATE"
|
||
|
|
echo "2. Contact 2-3 audit firms for quotes"
|
||
|
|
echo "3. Compare proposals and select firm"
|
||
|
|
echo "4. Update audit tracking: $AUDIT_TRACKING"
|
||
|
|
echo "5. Schedule audit start date"
|
||
|
|
echo ""
|
||
|
|
echo "Audit package location: $PROJECT_ROOT/contracts/bridge/trustless/"
|
||
|
|
echo "Documentation: $PROJECT_ROOT/docs/bridge/trustless/AUDIT_PREPARATION.md"
|
||
|
|
|