Catalyst Proposal Completed! Milkomeda ADA Audit
Here we want to highlight a funded Milkomeda proposal for Project Catalyst that we have recently completed. The proposal was entered into the Miscellaneous Challenge in Fund 7.
This proposal was called Milkomeda ADA Audit and here we’re going to run through exactly what was in the proposal, what work was completed as a result of funding, and, most significantly, why the completion of this proposal is important to the Cardano ecosystem.
What Was in the Proposal?
The proposal’s problem statement was:
Milkomeda consists of multiple novel un-audited concepts introduced to Cardano written in Rust including multiple open source components.
The solution that we proposed was to:
Audit all components of Milkomeda that are required for the Cardano deployment
This proposal specified that the audit would cover all of the components for Milkomeda that would be open-sourced to the community and re-usable by other projects, including: our construct for leveraging Milkomeda for Cardano multisigs and our dApp rollback handler. The core research and development for both of these projects was funded by previous Catalyst proposals, found here and here. The costs of auditing of any closed-source components and components not strictly related to Cardano would be covered by us.
In the proposal it was stated that we would release these audit reports to the community once we had fixed any issues that arose from them.
What Work Has Been Completed?
As a result of receiving this funding two audits were completed, by well known companies in the blockchain audit space, of the components that will be open-sourced. These audits were completed by Certik and Arbitrary Execution. These reports can be found at the bottom of the milkomeda.com page and are also linked here:
These Audits were conducted in February, with the Arbitrary Execution audit released in March and the Certik audit released in May. All issues raised in both reports have been addressed and revisions to the code have been implemented where applicable.
A Quick Summary of the Audits
The Certik report raised one major issue that is, in fact, a functional element of the contract. The point of failure they raised as an issue was in a multisig contract that is controlled by achieving a quorum of validators and it can only be activated by achieving this quorum. All other issues, 1 minor and 9 informational, were either acknowledged or resolved.
The Arbitrary Execution audit raised 3 medium severity issues, 5 low severity issues, and 9 notes. All the issues and notes raised have either been fixed or acknowledged.
What Happens Next?
Since these audits have been completed we have added more features to the smart contracts to increase their security. One security feature we’ve added is a timeout on the voting time for adding validators to the list of approved validators so that a validators application doesn’t extend indefinitely.
As a result of these security additions we are undertaking another smart contract audit, through Arbitrary Execution and funded by us, to further verify the code and to ensure that it can be released to the community in the most trustworthy state possible.
This audit is currently underway and, pending no major issues, we expect to be able to open-source these components by the end of August, once we have finished fixing any issues raised by the audit and onboarding the first set of new validators from the past selection back in April.
Why is The Completion of This Proposal Important to the Ecosystem?
The R&D for many of the components used in the Milkomeda sidechain were funded, in a large part by the voters of Project Catalyst. These reports were also funded by Project Catalyst and they are, therefore, your reports. Milkomeda is your blockchain and, importantly, these reports verify it as a non-dangerous place to transfer tokens.
The growth of Milkomeda, Cardano’s first EVM sidechain, is steadily progressing (thanks, again, to Project Catalyst) through both the Milkomeda Hackathon and the Milkomeda Accelerator Program. Milkomeda has opened up the Cardano ecosystem to a wider array of developers who write smart contracts in the world’s most popular smart contracting language, Solidity. These audits have provided a level of certainty for both builders and users of this sidechain, showing that many basic, known, and popular attack vectors cannot be used by malicious actors.
The open-source release of these components in just a few weeks time will open up a lot of opportunities to the community. Developers will be able use these components to create their own decentralized bridges to any EVM compatible chain, and Cardano dApp developers will be able to use the rollback handler to implement a better user experience when rollback situations occur.
Perhaps most importantly, users will be able to become a validator on the Milkomeda sidechain, through a vote by other validators. The addition of more validators to the sidechain increases the decentralization, and therefore the security, of the C1 sidechain. Any existing validator can submit a request for other validators to join the network and then the voting process commences; with the new timeout feature that was mentioned earlier. This voting process is not zero knowledge and, therefore, everyone can see who voted for which outcome; those being whether to accept or reject a new validator’s application. Providing important accountability for validators on the network to the users of the network.
To Summarize
The overall goal of this proposal, to increase user and developer confidence in the Milkomeda C1 sidechain and the soon to be open-sourced components, has been achieved. We are ecstatic to announce this to the community! The sidechain that you funded through the world’s most decentralized funding mechanism has now been verified by two audits which you also funded.
A third and final audit, funded by us, is going to ensure that the existing code, and the newly added security features, have been tested against multiple basic and known attack vectors, giving all users the important confidence that Milkomeda is a non-dangerous place to transfer tokens.
