After consulting with the OpenZeppelin audit team, we’ve decided that another audit is warranted, primarily to ensure no integration issues are present and that the process of rolling back an upgrade does not introduce unexpected behavior. We are starting an audit of the Optimism Comet deployment next week so we are planning to conduct an audit of the DSR proposal afterwards, starting Feb 20th.
In the meantime, I’d like to propose the following timeline, based on our recent draft CIP for contribution policies that lays out a process for community feedback and quality assurance. I start by retroactively recognizing steps that have already been taken in this forum thread.
- Idea Review (started Dec. 16th) - The idea was posted in the forum to solicit community feedback and support.
- Developer Review (started Jan. 18th, current stage) - Code to implement the idea was shared with the community to solicit feedback.
-
Community Review (suggested to start by Jan 30th) - This starts once @MakerGrowth finalizes the design of their implementation and shares tests and simulations of the proposal changes with the community.
- In this case, if @MakerGrowth does not intend to change the current proposal design, they just need to provide simulations for community review. To ensure community feedback is received and everything is finalized one week before the audit starts on Feb. 20th, I’d recommend reaching this stage by Jan. 30th.
- External Review (scheduled to start Feb 20th) - This stage consists of receiving an external audit from OpenZeppelin and then addressing any issues that might be raised. A frozen commit of the code should be provided one week prior. We estimated that the audit and fix reviews should be finished by Mar. 10th at the latest.
- Final Review (estimated by Mar. 10th) - The final state of the PR and simulation testing is shared with the community following the audit ahead of the on-chain submission of the proposal and vote.
While this process might seem long, I believe it is a necessary one for ensuring a contribution has incorporated every possible quality assurance check, audits are successful and community feedback has been addressed. The community is always grateful for contributions such as this and so this process is intended to ensure that it has the highest chance of success for adoption.
I’ll also note that this is all a suggestion based on a CIP draft that has not yet been adopted by the community. The timeline in this case is also longer than it might otherwise be due to our current audit backlog. In the future, similar proposals could pass through each stage rather quickly, especially if any necessary audit was already scheduled in advance.
I’m happy to discuss this plan further in this thread or directly with @MakerGrowth over chat or video call. @jbass-oz will also be available to answer general questions about the Contribution CIP in the community call next Wednesday.