ERC-7512: Onchain Audit Representation

Shouldn’t this support also ERC-1271? As an audit company it would make sense to have a smart account instead of an EOA.

This is considered and mentioned in the ERC under “SignatureTypes” (see here)

I recently wrote a deep dive on ERC-7512 for anyone interested in a comprehensive overview of the cases for and against the proposal (thanks to everyone who contributed to the discussion thread; I found many of the insights useful during my research): A Guide To ERC-7512: On-Chain Representation For Security Audits

Another possible initial step: rather than doing audits (which are complex), do DeFiSafety protocol reviews. These are fixed-format, have a pass/fail result and are designed for reading by the general public. This could be implemented quickly, with audits brought in later. An example report is at: Liquity - detailed report | DeFiSafety


While we’re here, it seems like we might as well provide the bytecode hash as part of the onchain representation so that users of these systems can verify that the deployed code matches the code that was audited.

This could be represented as an array of structs containing the address of the contract and its corresponding bytecode hash.
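One way the suggestion above could look in practice, as an added example that is not part of ERC-7512 or any project’s code: an audit record stores the audited contracts and their runtime bytecode hashes, and a view function compares them against what is deployed now. `recordAudit`, `deployedCodeMatches` and the `auditId` key are assumed names; authorization of who may write records is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not code from ERC-7512): a minimal registry that stores, per
/// audit, the contracts it covered and their bytecode hashes, and lets anyone
/// check that the code deployed today still matches the code that was audited.
contract AuditedCodeRegistry {
    struct AuditedContract {
        address contractAddress;
        bytes32 codeHash; // keccak256 of the runtime bytecode that was audited
    }

    // auditId is an assumed identifier (e.g. a hash of the audit summary).
    mapping(bytes32 => AuditedContract[]) private _audited;

    function recordAudit(bytes32 auditId, AuditedContract[] calldata contracts) external {
        // Who may record an audit (e.g. only the auditor's smart account) is omitted here.
        for (uint256 i = 0; i < contracts.length; i++) {
            _audited[auditId].push(contracts[i]);
        }
    }

    /// Returns true only if every audited contract still carries the audited code.
    function deployedCodeMatches(bytes32 auditId) external view returns (bool) {
        AuditedContract[] storage list = _audited[auditId];
        if (list.length == 0) return false;
        for (uint256 i = 0; i < list.length; i++) {
            address target = list[i].contractAddress;
            // codehash is 0 for a non-existent account and keccak256("") for an
            // account without code; both mean the audited code is not there.
            if (target.code.length == 0) return false;
            if (target.codehash != list[i].codeHash) return false;
        }
        return true;
    }
}
```

For proxy-based deployments the proxy’s own bytecode never changes on upgrade, so the list must include the implementation contracts, and an upgrade that repoints the proxy to an unlisted implementation is not detected by this check alone.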

Ethereum 2077’s analysis of ERC-7512 suggested extending ERC-7512 to aggregating information about other security measures (e.g., bug bounties and formal verification) vs. providing only audit data to investors doing due diligence on protocols.

The article even mentions DeFi Safety’s protocol reviews as an example of how this idea can be implemented, with the caveat that the product has switched to a subscription model vs. being publicly accessible (which was the case circa 2022 IIRC). Here’s the relevant quote from the article’s conclusion:

ERC-7512 moves us a step closer to building trust in on-chain applications and may inspire more efforts to standardize other aspects of the security review process. For instance, given projects now increasingly adopt a “defense-in-depth” approach to protocol security—bug bounties, formal verification, audit contests, incident monitoring, and more—a system that aggregates (verifiable) information about a project’s various security measures in the same location (as opposed to this information being fragmented across multiple websites and dashboards) would do wonders for investors, users, and business development (BD) teams conducting due diligence for DeFi protocols. (DeFi Safety used to have a similar service but recently switched to a revenue model.)
