Formal Audit by Neodyme

Hey guys, I think we need a formal audit from the most respected group in Solana. I’ve asked them to start on it next week after our v3.3 program upgrade. They say they can do the review in about 2 weeks.

They’ll do a full security audit going through all the logic of the program and give recommendations. They ask for 235k. I think that’s fine, and I’m willing to vote in favor of it given the upside of possibly finding bugs and getting a proper audited sticker on Mango.

Thoughts?

9 Likes

100% agree. An ounce of prevention…

What is their policy on additional audits? If Mango releases 3.4 is it a reduced fee to look at the diff?

I’ll see if they can respond to this. But my thoughts:

I am not sure a review on every upgrade is that important. For example, adding the CancellAllBySide instruction is just a slight modification of CancelAll. We should be able to review it in house and use the tips and tricks Neodyme gives us.

More substantial changes should be reviewed and/or just not done at all until mango v4. But a discount reflecting the easier review process would be much appreciated.

Awesome. Unaware of the market price of proper audits, but 235K sure sounds fair to protect hundreds of millions. The Neodyme sticker like you said will add credibility to the protocol. This seems like a great response to the recent liquidation error, and can see this playing out nicely for the protocol itself, the users, and the perception of the protocol from the public eye.

2 Likes

A formal audit on major releases would be a good direction to head in going forward.

The program is dealing with people’s money and having that sticker should provide some additional confidence for those that may be hesitant to use it.

It’s always good to get reputable people not so close to the code itself to do the review because they won’t necessarily understand how all the moving parts connect and will question if the function and intention of the code is being met and deliberately look for deviations. At the end of the day, even if the audit shows that no major vulnerabilities are present, that’s a win in itself.

In short…

Something else that would provide confidence: listing who’s behind Mango.

Right now there’s “Mango is a decentralized autonomous organization.” in the footer, but that’s about it. There’s no “Team” page, no “About”. People look for these pages. Crypto influencers have praised Elrond’s Maiar exchange for being built by the Elrond team, while shunning other DEXes for being built by “random” or “anonymous” developers that “you can’t be sure are credible or trustworthy because they’re not willing to put themselves out there”.

I’m not sure team pages do much to sway the average user toward a product or service. It’s possible I’m in the minority thinking this. The information you’re after for Mango is pretty easy to get with a google or by joining the discord though.

As for confidence in a product or service, I’d happily choose something that’s open source and has been audited over naming names. I don’t consider anonymity to equal a lack of credibility or untrustworthiness as people deserve their privacy if they so choose. Being a DAO also means there is likely far more transparency given about the program than most other setups.

An about page (provided it’s not self aggrandizing) or maybe a “learn more” link after the DAO comment in the footer might be nice for those that are new to DAO’s though.

Well, the first page of Google search results for “mango markets team” doesn’t find anything about the team. The Coindesk article about the funding doesn’t mention the team.

Joining the Discord is easy if you have a Discord account. Otherwise, it requires phone number validation, email validation, hoping the invite link still works (there was an outdated one in the docs), accepting the channel rules, then… seeing some nicknames under “ADMIN” with no information about them.

But even if actual information about the team were easy to find somewhere else, would users go through the trouble?

Half the users new to a service abandon a site if it doesn’t load in 3 seconds. Many don’t bother to scroll down - that’s why the “above the fold” concept exists in web design.

I don’t consider anonymity to equal a lack of credibility or untrustworthiness as people deserve their privacy if they so choose.

You don’t, but as a privacy-conscious developer (I’m also one), we might be in the minority here. Other people do take the lack of clarity around the team as a negative signal, as I showed in that video which contrasted the Elrond team (see their page) with the nebulous teams behind other DEXes. The majority of SaaS that deal with user data, but nothing like (tens/hundreds of) thousands of dollars, do have an About or a Team page.

Privacy can be preserved though, while still having a Team page. Team members who want to remain anonymous can use nicknames and avatars (see Phantom), but still list relevant experience in their bio. An About page doesn’t need to list team members, but can talk about the ethos and the story (people love stories), or can list investors and job positions (see dYdX) - something useful since Daffy pinned a tweet about hiring.

Anyway, Mango is a project people entrust with their money. Given the sheer number of sketchy projects and scams in the crypto space, a better question might be,

Would an About or Team page help more than it might hurt? (How could it hurt?)

1 Like

It’s open source, feel free to send a PR: GitHub - blockworks-foundation/mango-web: Landing Page for mango.markets

Like that “random” “anonymous” developer called “Satoshi Nakamoto”. And look at the release notes for any Bitcoin Core release: So many opaque pseudonyms. Don’t trust Bitcoin! Sell your BTC for what the “crypto influencers” tell you to buy!

Seriously, anyone who makes investment decisions based on so-called “influencers” and Youtube videos will lose their money… and will deserve it.

I trust Mango more because of the precise factor that you criticize. Old-school crypto people will rarely identify themselves. How to tell the difference between that and a fly-by-night scammer: Look at Github activity, read the source code if you can, and watch for factors such as “are they getting a formal audit”? Among other things. The catch is that if you know to do this, then you are not the type to be influenced by “influencers”.

Now, let’s see who delivers. I currently have a chunk of LKMEX heading towards zero, on a centrally controlled clone of Uniswap with almost no coin listings, and many problems that I experienced. If you prefer identifiable developers, do you want to buy my LKMEX? It is transferable between accounts, so it could be traded OTC.

“The project that delivers” is a more important criterion than “Youtube videos by some random ‘influencer’”. Protip: “Influencers” are 99% ignorant — the blind leading the blind, based on the ability to induce bigger fools to click a “Like” button. Not “credible or trustworthy”.

I am making this post because I am about to make one harshly critical of Solana (it’s not delivering!), and I don’t want that one to be my first.

Def need the audit, no debate imo