Upcoming TACO DAO SNS Decentralization Swap

A few words about the TACO DAO audit and audits in general.

First, I’m biased because I do them and get paid for them, but I think that if you are doing a Motoko project you should REALLY consider doing an audit. If you can’t afford an audit (they can be expensive because the auditor is putting a bit of personal risk on the table with each audit), at least reach out and ask for a review. Those can be much simpler, cheaper, and often completed in a day or two.

Second, here is the audit. It is currently in a pull request but I expect it will get pulled in soon enough.

The TACO DAO team reached out to me late last year about doing an audit for their upcoming SNS. I love doing audits because they are an opportunity to learn and an opportunity to view the world through someone else’s eyes.

In this case, it was really a cool experience. The first bit of code I was given was…well…let’s…see…it was AMBITIOUS. @tirex delivered it and you could tell he had thrown his whole self into the problem at hand and had just absolutely tackled it.

Like tackling anything, it can be a messy affair with broken bones, grass stains, and a bunch of stuff lying around on the floor. The code wasn’t wrong; it was just all over the place and full of enthusiasm. So I went back with some extensive comments and then I got a few questions and then things went quiet for a bit. Then this year I got a second batch of code and a bit of a revamped strategy, and the amount of growth, clean-up, and general professionalism in the second batch was extraordinary to see.

I not only saw @tirex’s viewpoint, I also got to see his growth as a Motoko programmer. I hope he won’t mind me telling the story because it is meant to inspire. Motoko is a cool language and one can get dangerous with it quickly and can get good at it with just a bit of hard work and determination.

Particularly, @tirex tackled the spam and ingress problem with much more attention to detail and determination than I’ve seen anyone else attempt. We’ve been a bit (un)lucky on the IC with nothing really getting ‘big’ enough for someone to really try to DDoS it. I don’t think there is a “perfect” way to handle this problem at this point, but the one that TACO DAO has put in place is one that I’d advise most Motoko projects look at and learn from. If your service gets popular enough and has enough value, someone is going to come at you and try a cycle drain attack. Having a mitigation strategy is super important.

@tirex and I had a few conversations about some of the potential issues I found and I think both he and I learned some things.

Thanks to the TACO DAO team for entrusting me with this important task and good luck with your DAO when you launch!
