#4 [💔 declined] DAO proposal: Solidified Audit Marketplace

Background

Solidified is a community-based smart contract security project, helping Ethereum users gain wide access to proper security tools and competent audit experts for a reasonable price.

We have built a bug bounty platform (web.solidified.io) that has been used by Gnosis, Melonport, Polymath, Kleros and other major clients. On this platform users can post their smart contracts for review by a large community of security auditors (we have gathered over 200 pre-vetted experts since 2017). The platform is specific to smart contract peer review and itself runs on the Ethereum blockchain. It allows users to fund their bounties (setting the values for each bug severity), respond to bug reports, get notifications about progress, and also has simple arbitration built in. The platform has been running on Rinkeby for several months and we are actively working to move it to the mainnet (we just performed a second audit of the platform).

We have also been running community audits since 2017, where a group of three community members is selected (based on their background, experience and relevance to the project) and a peer-review audit process is performed, with a consensus report produced. All audit reports are publicly available here: https://github.com/solidified-platform/audits.
Clients include: Argent, Bankera, Gnosis, Melonport, Nexus Mutual, Polymath, Wyvern and 60 others.

Grant Proposal

We are seeking a grant of 25,000 USD to fund the development of an audit marketplace that will replace our manual process of running community audits and utilize our already-created bug bounty platform for the UI/UX and backend blockchain operations. Our vision for this product is an automatic, unstoppable marketplace for both security professionals and clients, where Ethereum developers or enthusiasts can post their smart contracts for review by reputable security experts. We expect that this marketplace will lower the barrier to entry for aspiring security professionals and also the cost of security engagements for the whole community.

We will then become simply a participant in this market, like any other security specialist.

We plan on integrating one of the open-source tools like Mythril or Slither into the first stage of our audit marketplace, to automatically find low-hanging bugs before the audit begins. We believe that while tools alone cannot be relied upon in an audit, they serve as a useful pre-check to help auditors concentrate on the non-trivial issues.

By combining the human audits with bug bounties and further empowering them with automated verification tools, we are creating a multi-stage approach to auditing that is much more effective at catching bugs than the current methods.

All stakeholders should benefit from this dapp. Developers and companies building on top of Ethereum can use it to seek specialist advice at fair, market-set prices. Security specialists will have a source of work. The wider security community can benefit from information and bugs to improve their skills and discuss newfound vulnerabilities. The wider Ethereum community benefits from safer smart contracts, and a place to check if the dapp they intend to use was scrutinized and tested by competent auditors.

How the funding will be used

The grant will be used to cover the engineering costs of developing the audit marketplace. We already have the best talent working together on this platform (one of the winners of the Underhanded Solidity Contest and several top security auditors in the space). We’ve been working together as a team for almost two years.

Progress so far

The bug bounty platform has been online for over a year now at web.solidified.io, already used by Gnosis, Melonport, Wyvern, Kleros and over 50 other companies. In it anyone can upload their smart contracts and fund bounties, the code is made available to the whole community, and bounties are automatically paid. Although the bug bounty platform is in beta, the bug bounties listed there are real, and we are currently coordinating mainnet ETH payments after the automated payments are made in Rinkeby testnet ETH. We are in the final stages of developing the mainnet version of the smart contracts, which will work in a fully permissionless and decentralized manner, requiring no signup/login or identity. The frontend is being reduced to a presentation layer, while also supporting some functions not yet feasible on chain (such as storing source code files).

We will reuse the design and components of the bug bounty platform for the marketplace and by doing so we expect to reduce the amount of work needed.

We have also been performing the manual audit process in ways we think will fit well within a decentralized context. For each audit, three experts are selected, quote their prices and work independently. In the group debrief meeting, all reports are then opened and consensus-merged into a final audit report. By requiring the auditors to work independently we create a healthy competition that pushes each expert to deliver their best work while keeping the process unbiased.

We have the high-level design of the process already done. Once a request for an audit is posted in the marketplace (along with the value the client is willing to pay and a specification; we will assist the client in setting an effective price using the smart contract complexity analyser already developed for the bug bounty platform), experts will bid their way into the audit. The client will then select the auditors based on price, in-system reputation and also previous work (we will allow companies/experts to identify themselves so they can leverage their reputation, while also making it easier for clients to make a decision).

Security auditors will receive the fees from the client upon delivery of the report. Their bids and corresponding stakes are locked in through the duration of the audit, and will be used later on to fund a bug bounty right after the audit ends, for a predefined period of time. This bug bounty will leverage the community to verify the audit quality, and should work well for new entrants in the market to gather reputation that enables them to apply for audits. We believe that by doing it this way we incentivise the experts to perform their best work, while at the same time holding them accountable for work performed poorly.

Once the bug bounty is over, auditors’ stakes are returned (proportionally, if bugs were found/paid out).

The process will remain available publicly for security professionals to study issues/bugs, and for users to check if the dapp has been sufficiently scrutinized.

Milestones:

  • Month 1: Have the marketplace smart contracts ready for community review and bug bounty. Work on the frontend runs in parallel.
  • Month 2: Have the first beta version of the dapp working on a testnet. Smart contracts’ bug bounty is still active. We invite our clients that need an audit to use the tool and provide feedback, while tweaking the process incrementally as needed. The community will also be invited to test it at this time.
  • Month 3: Wrap up the bug bounty, finalize fixes resulting from it. Open up the marketplace on a testnet for both users and auditors. While the marketplace should be ready for use, we feel the wise thing to do is to let it run on a testnet (while processing payments manually) for at least 3 to 4 months before pushing it to the mainnet.

Relevant links

1 Like
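The bidding, staking and bounty flow the proposal above describes (experts bid with a stake, fees are released on delivery of the report, the stakes then fund a post-audit bug bounty, and whatever the bounty did not pay out goes back to the auditors pro rata) is modelled off-chain in Python below as an added example. This is not Solidified's platform code, and the names, the locking of a stake at bid time, the client being the party that confirms bounty payouts, the block-number deadline and the integer-floor share calculation are all assumptions made for the illustration.

```python
# Off-chain model of the stake-backed audit escrow described above: an added
# example, not Solidified's contract; rules and names are assumptions.
from dataclasses import dataclass, field
from enum import Enum, auto

class Phase(Enum):
    OPEN = auto()      # bids accepted
    IN_AUDIT = auto()  # auditors chosen, budget and stakes locked
    BOUNTY = auto()    # report delivered, stake pool pays bug hunters
    SETTLED = auto()   # pool distributed

@dataclass
class Request:
    client: str
    budget: int          # escrowed client funds for auditor fees
    bounty_blocks: int   # length of the post-audit bounty
    phase: Phase = Phase.OPEN
    bids: dict = field(default_factory=dict)  # auditor -> (fee, stake)
    pool: int = 0        # stake still available to the bounty
    bounty_end: int = 0  # block at which the bounty closes

class AuditMarket:
    def __init__(self, balances):
        self.balances = dict(balances)  # constructed ledger standing in for ETH
        self.requests = []

    def _debit(self, who, amount):
        if amount < 0 or self.balances.get(who, 0) < amount:
            raise ValueError(f"{who} cannot pay {amount}")
        self.balances[who] -= amount

    def _credit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount

    def post(self, client, budget, bounty_blocks):
        self._debit(client, budget)  # budget escrowed up front
        self.requests.append(Request(client, budget, bounty_blocks))
        return len(self.requests) - 1

    def bid(self, rid, auditor, fee, stake):
        r = self.requests[rid]
        if r.phase is not Phase.OPEN or auditor in r.bids or stake <= 0:
            raise ValueError("bidding closed, duplicate bid, or no stake")
        self._debit(auditor, stake)  # stake locked for the bid's lifetime
        r.bids[auditor] = (fee, stake)

    def select(self, rid, caller, auditors):
        r = self.requests[rid]
        if caller != r.client or r.phase is not Phase.OPEN or not auditors:
            raise ValueError("only the client selects, once, at least one")
        if any(a not in r.bids for a in auditors):
            raise ValueError("selection includes a non-bidder")
        if sum(r.bids[a][0] for a in auditors) > r.budget:
            raise ValueError("selected fees exceed the escrowed budget")
        for a in [a for a in r.bids if a not in auditors]:
            self._credit(a, r.bids.pop(a)[1])  # refund unselected stakes
        r.pool = sum(stake for _, stake in r.bids.values())
        r.phase = Phase.IN_AUDIT

    def deliver(self, rid, caller, block):
        # Client accepts the report: fees released, stakes roll into the bounty.
        r = self.requests[rid]
        if caller != r.client or r.phase is not Phase.IN_AUDIT:
            raise ValueError("only the client accepts a report, once")
        for a, (fee, _) in r.bids.items():
            self._credit(a, fee)
        self._credit(r.client, r.budget - sum(f for f, _ in r.bids.values()))
        r.bounty_end, r.phase = block + r.bounty_blocks, Phase.BOUNTY

    def pay_bounty(self, rid, caller, hunter, amount, block):
        # Client confirms a valid bug; the payout comes out of the stake pool.
        r = self.requests[rid]
        if caller != r.client or r.phase is not Phase.BOUNTY:
            raise ValueError("bounty not open")
        if block >= r.bounty_end or not 0 < amount <= r.pool:
            raise ValueError("bounty closed or payout exceeds the stake pool")
        r.pool -= amount
        self._credit(hunter, amount)

    def settle(self, rid, block):
        # After the bounty closes, return what is left pro rata to stakes.
        r = self.requests[rid]
        if r.phase is not Phase.BOUNTY or block < r.bounty_end:
            raise ValueError("bounty still running")
        total = sum(stake for _, stake in r.bids.values())
        for a, (_, stake) in r.bids.items():  # floor; dust stays in the pool
            self._credit(a, r.pool * stake // total)
        r.pool, r.phase = 0, Phase.SETTLED

def run_scenario():
    # Constructed walk-through of one request; returns the final ledger.
    m = AuditMarket({"client": 1000, "alice": 500, "bob": 500, "carol": 500})
    rid = m.post("client", budget=600, bounty_blocks=100)
    m.bid(rid, "alice", fee=250, stake=300)
    m.bid(rid, "bob", fee=200, stake=100)
    m.bid(rid, "carol", fee=400, stake=200)
    m.select(rid, "client", ["alice", "bob"])  # carol refunded, pool = 400
    m.deliver(rid, "client", block=10)         # fees paid, bounty ends at 110
    m.pay_bounty(rid, "client", "hunter", 100, block=50)  # one confirmed bug
    m.settle(rid, block=110)                   # 300 left: alice 225, bob 75
    return m.balances
```

In the walk-through the 100 paid to the bug hunter is borne by the auditors in proportion to what they staked (alice loses 75 of 300, bob 25 of 100), which is the accountability the proposal describes; locking the stake at bid time means a bid can never be made with funds the auditor does not hold, and the phase checks stop a client from paying bounties before delivery or settling before the bounty window has closed. The integer floor on the pro rata share is deliberate: it never over-distributes, at the cost of leaving rounding dust behind.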

Hey @fabiohild thanks for your proposal and for writing this up.

The MetaCartel DAO aims to fund experimentation with UX, usability and new use cases. IMO, Solidified does not advance or further these main focuses. The DAO is really focused on funding and supporting end-user-facing applications. Perhaps the EF is a better source of funding for this project.

I will bring it up in tomorrow’s DAO meetings call - but personally wouldn’t expect too different of a response. Thanks.

Hello @pet3rpan, thanks for the feedback.

Wish I had seen the guidelines you posted yesterday before submitting the proposal (not ranting here, we know the process is just beginning to get defined). A link to it should be included along with the form for the initial proposal submission. We also didn’t catch the ultimate goal of the program in the call we had a couple of weeks ago, and requested a value that will not work right now (we didn’t discuss the value on the call, or at any time before, as far as I remember).

We haven’t mentioned UX much in our proposal, but we have a strong focus on UX, with a complex UX already in place for funding bug bounties, notifications, live chat and dynamic bounty sizes (suggested by an automated smart contract complexity analyzer). These are already up and running at web.solidified.io. This is a (year-old) article from our designer Rob Stone on the challenges and takeaways from designing a UX that keeps users engaged while waiting for Txs to be processed: https://medium.com/solidified/hiding-blockchains-slow-ui-4229aa9a1a66

The vision for the new bug bounty platform, and then the audit marketplace, is to build a frontend that does not need an Ethereum-compatible browser to run and allows for anonymous use; we are also building a creative way to support notifications (users will be able to opt in by sharing their email; we will encourage specialists to do so) and publishing reports/source code files on IPFS (or maybe Swarm). Although end users are not the primary actors in the dapp, we do see them as stakeholders: first by enabling users to check if smart contracts they will use went through an audit/bug bounty, but most importantly because they benefit from a safer overall environment.

We did speak with the foundation, but they are currently focusing on the protocol layer (ETH 1.x and 2.0).

Let me know if the call is open for guests; we can join and answer any inquiries as they come up during the call. Happy to revise the proposal based on your feedback too. Looking forward to the outcome of the discussion taking place today.

Thanks!

We had a brief discussion in our last DAO members meeting and did not find that Solidified would be in the scope of this DAO. Apologies and thank you for reaching out to us regardless.

Best wishes,
Peter

Hey @pet3rpan, no worries, thanks for the feedback and for your time!

1 Like