Secret Ledger App Audit

Hey everyone,

We have a plan to enhance our Secret Ledger App and ensure it’s secure and robust for all users. This involves an app update and an audit by one of Ledger’s external auditors (see here: Getting started - Ledger Developer Portal).

The Plan in Brief:

1. Update Details:

• We aim to add Ledger Stax support to our Secret Ledger App.
• For the tech-savvy among you, check the GitHub PR .

2. Audit Essentials:

• A specialized audit firm Kudelski IoT will review the app for a fee of 5025 Euros to ensure it’s safe and dependable.

3. Developer’s Fee:

• The update work that I’ve done and will have to do costs around 1600$ which accounts for 20 hours of development work, priced at 80$/hour.

4. Total cost:
   Total ask is: 5025 Euros + 1600 $. These numbers are not including the 5% volatility buffer, but the final ask including a currency conversion into USD will include it.

Advantages of the Update:

The update adds Ledger Stax support, updates the app to the latest audited upstream as well as some smaller UX improvements.

Funding and Utilization:

We’re seeking financial support for the audit and the development. This could potentially be sourced from community funds or a grant from SCRT Labs.

Timeline of Activities:

• Completion of Update: Already, done see the Github PR above. Ledger has also completed the functional review of the update, see here: (https://airtable.com/appIHCUneslDfKjXu/shrqrpH9y9VRorS4J/tblw7wsOQj5Fb2UzA/viwtozCLZv7cRYFCi/recumVDMtkuIOBcu1)
• Audit Duration: Scheduled immediately post-update and subject to audit firm timelines.
• Launch: The updated app will be released after ensuring all audit feedback is implemented and Ledger pushes the update.

Communication and Updates:

We pledge to maintain transparency and keep the community informed at every stage of the process, sharing regular updates on development, audit results, and eventual implementation.

Seeking Your Approval:

We look forward to the community pools or SCRT Labs endorsement to allocate the necessary funds, facilitating the seamless and secure enhancement of the Secret Ledger App.

Question @SecretSaturn is this relevant for the Ledger Live support as well? And would we be natively be able to add SNIP assets on the ledger app (SILK, SHD)?

This is clearly needed if we care about ledger live support (we do…). Thank you, Saturn.

Thanks for all the work you did on this already @SecretSaturn, will vote Yes if it goes to commpool.

Will there be a blind signing feature?

Not in this update, sorry.

An update to the proposal:

It seems like this proposal will go to the community pool.

Because I’ve been appointed as Dev Rel at the Secret Network Foundation (see here: Please welcome the newest member to the Secret Network Foundation: Alex | Secret Saturn), the proposed ask of 1.600$ for development costs of the update is not appropriate and will not be included anymore.

The total ask therefore reduces to just the pure audit costs of 5025 Euros, which I will get a formalized quote for.

Another update:

After some more talks, Kudelski IOT is willing to be paid in USDC via their Coinbase account.

I’ll put the proposal up for the funding very soon.

Any left over funds will be returned to the community pool as soon as I can do that.

Potential best path:

1. Sell for USDC.axl on Shade
2. IBC to osmosis
3. 1:1 unwrap for Noble usdc
4. CCTP noble usdc to polygon
5. Polygon to coinbase

Goodluck!

We can finally move forward to putting the proposal on chain.

The final ask from Kudelski IOT is USDC 4,730

Thanks to the community for the successful passing of this proposal.

After successful conversion, only 12510 SCRT needed to be swapped to USDC (+ some extra
≈ 150$ overhead for gas fees etc., all excess will be paid back ofc).

The swaps are: Mintscan (test swap) and Mintscan

The addresses of the funds are:
secret1sww78qu27kaclhsnm65y94wrcagmj7mjhzp6fy and osmo1sww78qu27kaclhsnm65y94wrcagmj7mjauxrz2

The final invoice will be sent together with the initial detailed technical evaluation report. After the payment to Kudelski IOT is done any excess funds will be returned back to the community pool.

Best,

Alex | SNF | Secret Saturn

An update on the auto:
The audit has kicked off, we should hopefully see the final report in about 2 weeks.

After the audit successfully passed in Dec 2023, Ledger did some extra due diligence and took some more time before pushing the update to production yesterday.

The PR can be found here: Merge develop into main - release 2.34.3 by tdejoigny-ledger · Pull Request #13 · LedgerHQ/app-secret · GitHub

The money was paid to Kudelski IOT here: Ethereum Transaction Hash (Txhash) Details | Etherscan. Any excess funds were sent back to the community pool (around 1,6k SCRT) in this TX Mintscan

Best,
Alex | Secret Saturn

Seems as though Ledger Stax is not actually supported…

I asked Ledger about this and I got this answer from them:

“Hey
It’s still the same issue ⁠[remark: he pointed to the fix in Secret Ledger App Fix]
But it should be available for Stax in the store if the Feature Flag [remark: see the forum link above] is enabled. However, you need to push an update for the app to be compatible with Flex.”

Did that help ?

Worked. It should probably be added to the docs and cosmos app should be recommended given the situation. Who knows if it’ll ever get a real fix or if the work around will stay long term.