Upcoming ICPCoins (Neutrinite) SNS decentralization

SNS DAO SNS Project Governance
10

Our ICPCoins / Neutrinite DAO Security Report:

  1. The DAO, set to launch, utilizes SNS software for governance. This software, developed by Dfinity and overseen by the NNS, is undergoing a rigorous security review. The emerging DAO, Neutrinite, has restricted capabilities. It cannot alter its DAO software unless approved by the NNS. Neutrinite has the option to upgrade to newer versions, but cannot independently change its software.
  2. The SNS software is integral for managing the ledger, neurons, proposals, and voting processes. Neutrinite’s ability to modify these elements is limited, restricted to a few adjustable parameters.
  3. The ledger, which records all token transactions, can’t be changed by Neutrinite. Even with collective agreement, these records cannot be altered or censored, ensuring security for token holders.
  4. The DAO’s scope of parameter adjustments is limited, such as altering the maximum dissolve delay. Beyond these, the DAO is unable to:
    1. Change the proposal mechanism.
    2. Alter neuron functions and operations.
  5. Only custom software related to the dapp, but not the DAO, can be implemented.
  6. We, along with other developers, can suggest updates to the dapps controlled by the DAO. These updates require approval through a voting process by token holders participating in DAO governance. Customizable software includes the ICPcoins dapp and our DeFi statistics aggregator.
  7. Vulnerabilities in the dapp canisters with custom code do not pose a risk to the DAO’s system canister, thanks to the segregation inherent in the ICP protocol.
  8. Neutrinite DAO operates on a Dfinity-created dapp, secured and updated through NNS votes (see NNS dapp). This dapp also functions as a wallet. Neutrinite lacks the authority to modify this dapp, ensuring its governance system’s integrity and preventing censorship or actions that could lead to loss of user funds or data breaches.
  9. The NNS Dapp employs Internet Identity, safeguarded by NNS. It also does not collect personal user data.
  10. The ICPCoins dapp operates without user authentication, maintaining anonymity. We do not collect personal data, so bugs or vulnerabilities will not result in data leaks.
  11. The ICPCoins dapp does not access user funds, ensuring that bugs or vulnerabilities do not lead to financial losses for users.
  12. Data from the ICPCoins dapp is not blindly used by cryptocurrency traders. In case of discrepancies, traders can verify accurate prices at the time of transactions in DEXs, preventing fund loss.
  13. ICPCoins is an open-source project running on the ICP, offering greater transparency than platforms like CMC or DefiLama, which are closed-source and lack public clarity on data handling and price derivation.
  14. The ICPCoins frontend employs a Dfinity-created asset canister, negating the need for an additional security audit on it.
  15. The ICPCoins DeFi aggregator only offers anonymous queries, with limited functions for configuration changes, controlled by the Neutrinite DAO.
  16. The DeFi aggregator uses a temporary oracle for updating non-impactful cosmetic values such as ETH, ICP, BTC circulating supply, and volume, which will eventually be replaced by HTTP outcalls.
  17. It utilizes the Exchange Rate Canister (XRC), governed by NNS, for price feeds of externally traded pairs like ETH/USD, ICP/USD, BTC/USD, ICP/XDR.
  18. ICPCoins DeFi statistics aggregator gathers data from DEXs on the IC, where interfaces are not yet standardized and documentation is sparse. Much of the DEX code is proprietary and closed-source. The statistics we receive are occasionally incorrect. Even with our contract being entirely free of bugs and accurate in all calculations, it’s impossible to ensure the reliability of the data at this juncture, limiting its use to visual representations only. This issue is compounded by the lack of a uniform standard for DEXs to report such data, coupled with frequent modifications to interfaces that lead to disruptions in the data feed. Therefore, conducting a security audit on our data collection methods will not enhance accuracy or provide any additional guarantees at this point.
  19. By sourcing data from multiple DEXs and sources, ICPCoins mitigates the risk of inaccuracies.
  20. We actively propose improvements to other DEXs, especially open-source DAOs, to enhance their data quality.
  21. ICPCoins transparently communicates data accuracy issues to users, as seen in cases like the estimated depth from ICPSwap based on their TVL.
  22. One of our objectives is to enhance the overall security and data precision within the IC DeFi ecosystem. To this end, we have proactively identified and reported several vulnerabilities within the system at no cost. Moving forward, we aim to introduce and advocate for standards and protocols that will enable secure utilization of DEX data for purposes beyond mere visualizations, thereby contributing to a more robust and reliable DeFi environment.
  23. Verifying the accuracy of data in the ecosystem is an arduous task for users if they are only provided with low-level interfaces to canisters, especially when the data is not effectively visualized. However, with ICPCoins, users can easily access, review, and compare the data with other sources. This accessibility allows for the provision of feedback, which in turn, enhances the quality and reliability of the information provided by ICPCoins.
  24. Governance of ICPCoins by the SNS Neutrinite DAO enhances data accuracy:
    1. Data collection is verifiable through open-source code in our repository.
    2. Data modification is subject to DAO approval.
    3. Frontend algorithms for data display are verifiable.
    4. The information provided is uniform for all users.
    5. Frontend updates occur only with DAO consent.
  25. The ICP collected during the decentralization swap is directed into the DAO treasury. Governance of these funds is exercised through the DAO via a democratic voting process.
  26. The NTN held within the DAO treasury is managed by the newly formed DAO.
  27. Neurons held by developers and seed investors will not possess more than 40% of the voting power following the creation of the DAO. Once all airdrops are complete, their voting power will be reduced to a maximum of 34%
  28. The decentralization swap is executed securely through the NNS Dapp and Neutrinite’s launch configuration gets verified and accepted by the NNS.
  29. The NTN Ledger will operate on a public platform, ensuring complete transparency and visibility for all transactions. This decentralized approach eliminates any single point of failure, as the ledger is hosted on a highly secure IC subnet comprising 34 nodes positioned around the world. It adheres to the icrc1, icrc2, and icrc3 protocols, which are the recognized standards for IC fungible tokens.
8 Likes