As a new dapp, one of the biggest challenges for poidh is establishing a reputation for security with users. Everyone in crypto understands that hacks and scams are a constant challenge. Users rarely trust smart contracts with funds if they are not well-known or battle-tested.
At only three months old with <100 users all-time, we have to do whatever we can to be transparent and honest regarding the security status of poidh.
The most critical information for users to know is that we have not performed a formal audit. In its current state poidh is a bootstrapped project and we do not have the capital to complete a comprehensive audit. Until we complete an audit, users should be aware that their funds could be at risk when depositing ETH or interacting with the contract.
With that being said, we would like to take this blog to outline the steps we have taken to address security concerns for users willing to accept the risk inherent in interacting with a new crypto project. We will also outline our plans for improvement in poidh's overall security. Have suggestions on how we can improve even more? You can find our contact info at the end of the article.
the poidh contract
The most critical aspect of a dapp's security is the quality of its underlying smart contracts. All poidh functions operate within a single smart contract deployed on Arbitrum.
Whether you're creating a bounty, minting an NFT to submit a claim for a bounty, or confirming a claim submission, you interact with the same poidh smart contract (watch this to see the entire poidh lifecycle).
This smart contract was coded from the ground up by poidh co-founder, J. J has 5 years of experience in the crypto industry working across DeFi protocols, NFT projects, and DAOs. Cumulatively, these projects have over $2M in TVL or fundraising. His coding has resulted in 0 critical vulnerabilities through 50+ contracts. You can check this work for yourself via his GitHub profile.
In addition to J's background, we also purposefully designed poidh around a simple set of rules. The contract reduces complexity as much as possible with bounties solely controlled by the original creator (we have no control over user funds).
Other users can submit claims, but it is up to the bounty creator and the bounty creator alone to approve the exchange of bounty funds for a specific claim NFT. They also hold sole permission to withdraw funds from unfulfilled bounties. Transferring bounty ownership is not possible. The contract is also not upgradable, so we have no ability to change the rules that users see today.
Based on J's background and the relative simplicity of the poidh contract, we feel confident that users will judge poidh to be lower risk than most DeFi or NFT contracts they interact with. Numerous developers within our shared personal networks have also reviewed the contract and concluded it is low risk.
audit wizard results
Recently we consulted with the team of security experts at Audit Wizard and they walked us through their new tool for performing a security self-review. While this tool is not a replacement for a professional audit, it is another check that has revealed no obvious, critical vulnerabilities in our contract.
Below are the results for a scan of the poidh contract:
Within the app, anyone can use the automated Audit Wizard scanner tool, Slither, to reproduce this report and analyze the findings.
Regarding the findings, we have reviewed them and have this to report:
The scan identified medium-level vulnerabilities from OpenZeppelin code used within the contract. We do not have to worry about these primitives as they have already been audited (all medium vulnerabilities).
The lower-level vulnerability notifications offer quality suggestions. For example, zero-checking the address in the treasury for the constructor is a quality suggestion. We will consider these lower-level issues for planned future iterations of the poidh contract, but they do not currently represent a significant risk.
We cannot recommend the Audit Wizard team enough and thank them for developing a powerful free tool to help small projects such as ourselves double-check security assumptions. Consider following them on X to stay up-to-date as they continue to upgrade the app's feature set.
Note for anyone that would like to try Audit Wizard, we have two bounties open for users to demo the app and post their review on social media. Check them out here and here.
an open source app
We launched poidh as an open source app to maximize transparency. The GitHub repo is public and users are free to analyze as they see fit.
J and I believe in the fundamental philosophies behind open source development and want to promote open collaboration. We view poidh as a building block for putting crypto to work incentivizing real-world action and community improvements. Building a tool anyone can learn from and use freely is essential to achieving this goal.
technical infrastructure
The app's stack is relatively simple with all code being hosted via GitHub and deployed via Vercel. We coded in React, TypeScript, and Solidity. Google Cloud Protocol handles backend image uploading to Pinata for IPFS pinning. IPFS lets us ensure that we store poidh NFTs in a truly decentralized manner.
Login security is of paramount importance to us. We use 2FA on all accounts connected to the project and we never use SMS 2FA.
moving forward
While we will eventually deploy a V2 of the contract that addresses the low-level security concerns discussed earlier, we do not currently have a timeline for launch. As soon as we set a timeline, it will be shared via our social channels.
We've also started gathering community reviews of poidh as a way of building social trust. Fren Reviews is our review aggregator of choice and you can read all reviews here:
If you have any further questions or concerns regarding the security of the poidh app, please contact us on Discord, via X @poidhxyz, or email at poidhxyz@gmail.com. We also highly appreciate any feedback on how we can improve our current security plan. Please do not hesitate to reach out!
