OpenZeppelin Contracts - Request for Proposals to Audit

OpenZeppelin is requesting proposals for a third-party security audit of OpenZeppelin Contracts. We invite auditors to submit a proposal by June 30th for consideration. We are looking for an experienced team with demonstrated success in professional smart contract auditing.

Background

OpenZeppelin Contracts is a widely used smart contract library, offering Solidity implementations of the major standards along with a system of modular extensions and assorted utilities for smart contract development, with a focus on security, modularity, and extensibility. It is an open-source project maintained by OpenZeppelin, a company that provides an extensive range of security products and services for blockchain applications. While OpenZeppelin has its own auditing team, we are looking for an external audit to further enhance the security of the Contracts library.

OpenZeppelin Contracts has been downloaded 4 million times from npm and it has over 10K stars and over 20K open source dependent repositories on GitHub.

Previous versions of the library have been independently audited. In October 2018, version 2.0.0 was audited by LevelK. The codebase has since evolved with a large number of new contracts and features added, and some of the previously audited code was refactored.

Scope of Audit

The audit should be performed on the git commit corresponding to the latest release at the time the audit begins. At this moment, the latest release is v4.1.0.

The audit is divided into 5 separate scopes, and proposals should provide a separate quote and time estimate for each. The final engagement may consist of all or a subset of these scopes, depending on budget and time constraints.

The file paths below are relative to the contracts directory in the repository. Note that some of these files haven’t been released yet and so are not found in the v4.1.0 tag; for those, refer to the current latest commit.

Scope 1 (New since audit)

  • access/AccessControl.sol
  • proxy/utils/UUPSUpgradeable.sol
  • token/ERC20/extensions/ERC20Votes.sol
  • token/ERC20/extensions/draft-ERC20Permit.sol
  • utils/cryptography/draft-EIP712.sol
  • utils/Address.sol
  • utils/Context.sol
  • utils/StorageSlot.sol
  • utils/Strings.sol

Scope 2 (New since audit)

  • access/AccessControlEnumerable.sol
  • governance/TimelockController.sol
  • metatx/ERC2771Context.sol
  • metatx/MinimalForwarder.sol
  • proxy/Clones.sol
  • proxy/beacon/BeaconProxy.sol
  • proxy/beacon/IBeacon.sol
  • proxy/beacon/UpgradeableBeacon.sol
  • token/ERC1155/ERC1155.sol
  • token/ERC1155/extensions/ERC1155Burnable.sol
  • token/ERC1155/extensions/ERC1155Pausable.sol
  • token/ERC1155/utils/ERC1155Holder.sol
  • token/ERC1155/utils/ERC1155Receiver.sol
  • token/ERC20/extensions/ERC20Snapshot.sol
  • token/ERC20/extensions/ERC20FlashMint.sol
  • token/ERC721/extensions/ERC721URIStorage.sol
  • token/ERC777/ERC777.sol
  • utils/Create2.sol
  • utils/Multicall.sol
  • utils/cryptography/SignatureChecker.sol
  • utils/introspection/ERC1820Implementer.sol
  • utils/structs/EnumerableMap.sol
  • utils/structs/EnumerableSet.sol

Scope 3 (Significantly changed since audit)

  • proxy/ERC1967/ERC1967Proxy.sol
  • proxy/ERC1967/ERC1967Upgrade.sol
  • proxy/Proxy.sol
  • proxy/transparent/ProxyAdmin.sol
  • proxy/transparent/TransparentUpgradeableProxy.sol
  • security/ReentrancyGuard.sol
  • token/ERC20/ERC20.sol
  • token/ERC20/extensions/ERC20Burnable.sol
  • token/ERC20/utils/SafeERC20.sol
  • token/ERC721/ERC721.sol
  • token/ERC721/extensions/ERC721Enumerable.sol
  • utils/Counters.sol
  • utils/cryptography/ECDSA.sol
  • utils/introspection/ERC165.sol
  • utils/introspection/ERC165Checker.sol
  • utils/introspection/ERC165Storage.sol

Scope 4 (Small changes since audit)

  • access/Ownable.sol
  • proxy/utils/Initializable.sol
  • security/Pausable.sol
  • token/ERC20/extensions/ERC20Capped.sol
  • token/ERC20/extensions/ERC20Pausable.sol
  • token/ERC20/utils/TokenTimelock.sol
  • token/ERC721/extensions/ERC721Burnable.sol
  • token/ERC721/extensions/ERC721Pausable.sol
  • utils/math/Math.sol

Scope 5 (Transpiler Specification)

A sibling library called OpenZeppelin Upgradeable Contracts is a variant of the codebase that is automatically transformed so as to be usable with upgradeable proxy deployments. This transformation is mechanical and automated by a purpose-built Upgradeability Transpiler.

In Scope 5, we request a review of an informal specification of the syntactic transformations implemented in the Upgradeability Transpiler. The review should assess whether the transformations preserve the security of the original code and protect against upgradeability hazards. This specification is still being written, and a preliminary version can be seen here.
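To make concrete the kind of transformation and hazard Scope 5 concerns, here is a hand-written illustration (added here; it is neither the transpiler's output nor taken from its specification) of the most basic change an upgradeable variant needs: constructor logic moved into a guarded initializer, plus a reserved storage gap. The contract names, the `initialize` function and the gap size are assumptions for the illustration; `Initializable` and its `initializer` modifier are the library's own (proxy/utils/Initializable.sol, Scope 4).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/proxy/utils/Initializable.sol";

// Source form. A constructor runs only in the implementation contract's own
// deployment transaction, so a proxy that delegatecalls into this code never
// has `owner` set in its own storage: the classic upgradeability hazard.
contract Vault {
    address public owner;

    constructor(address initialOwner) {
        owner = initialOwner;
    }
}

// Upgradeable form, hand-written to show the shape of the transformation
// (assumed for illustration, not the transpiler's actual output). The
// constructor body becomes an initializer that the proxy calls through
// delegatecall; the `initializer` modifier prevents it from running twice,
// which would otherwise let anyone re-assign `owner`.
contract VaultUpgradeable is Initializable {
    address public owner;

    function initialize(address initialOwner) public initializer {
        owner = initialOwner;
    }

    // Reserved slots so that a later version can append state variables
    // without shifting the storage layout of contracts that inherit this one.
    // 1 used slot + 49 reserved = 50 slots per contract in the hierarchy.
    uint256[49] private __gap;
}
```

A reviewer of the specification would check exactly these properties for every transformed construct: that no initialisation logic is left in a constructor, that initializers cannot be re-entered or re-run, and that the storage layout of each version remains a prefix of the next.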

Note on Extensibility

It should be taken into consideration that the audited contracts will be used as modules, combining them through inheritance with other Solidity code, and possibly overriding internal functions of the library. A small set of internal functions are by design meant to be overridden (a list will be provided later). For functions outside of this set, some care is taken so that overriding them does not cause significant soundness issues, but users are warned that they should do this at their own risk.
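As an added illustration of the composition pattern this note describes (example code written here, not part of the RFP or of the library), the contract below combines ERC20.sol and ERC20Pausable.sol from the scopes above with Ownable.sol and overrides the `_beforeTokenTransfer` hook that both ERC20 parents define. The hook is the library's own v4 extension point; whether it appears on the forthcoming list of designated overridable functions is not stated on this page and is assumed here. The contract name and token parameters are made up for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/token/ERC20/extensions/ERC20Pausable.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

// Example composition (constructed for illustration): three library modules
// combined through inheritance, with one internal hook overridden.
contract ModularToken is ERC20, ERC20Pausable, Ownable {
    constructor() ERC20("Modular Token", "MOD") {
        _mint(msg.sender, 1_000_000 * 10 ** decimals());
    }

    function pause() external onlyOwner {
        _pause();
    }

    function unpause() external onlyOwner {
        _unpause();
    }

    // Both ERC20 and ERC20Pausable declare this hook, so Solidity requires an
    // explicit override list. Forwarding to super runs every parent's hook in
    // linearisation order, which is what keeps ERC20Pausable's
    // `require(!paused())` check active. An override that omitted the super
    // call would compile cleanly yet silently disable pausing: this is the
    // kind of soundness issue the note above warns about, and it is what an
    // auditor should look for at every override of a library hook.
    function _beforeTokenTransfer(address from, address to, uint256 amount)
        internal
        override(ERC20, ERC20Pausable)
    {
        super._beforeTokenTransfer(from, to, amount);
    }
}
```

The security-relevant check when reviewing such compositions is that each overridden hook still reaches every parent implementation, and that only functions the library designates as hooks are overridden at all; overriding, say, `_transfer` directly would bypass the hooks of every extension in the hierarchy.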

Proposal Content

Proposals should include at least all of the following items, which will be taken into consideration to determine which proposal is selected.

  1. Timeline. Proposed start date of the audit and estimated duration for each of the separate scopes. Allocated time to review changes made in response to the reported findings.
  2. Approach. An overview of how the audit will be approached, describing tools and techniques used (including manual review and/or automated analysis). Expected communication with the developers of the project. Format of deliverables with examples from prior audits.
  3. Prior Experience. Please share your team’s work history auditing Ethereum smart contract systems, with past audits and references that can be contacted upon request.
  4. Fees. Specified separately for each of the scopes. The fees should be fixed-scope.

Send your proposal to rfp@openzeppelin.com. The deadline for submission is June 30th, 2021.