Progress of development from the second quarter of 2018 and first round of audit results

Release of the Survey app on the Ethereum Mainnet was a major milestone that was reached during the second quarter of the year.

Today we are releasing an entirely new step for community members to signal their sentiment on the project and igniting the next level of participation in the project for all ANT holders.

Survey is the first Aragon app launched on the #Ethereum #mainnet!https://t.co/30PS8YDWfb

— Aragon (@AragonProject) May 31, 2018

First round of audits completed —here are the results

With aragonOS 3.0 alpha, we announced that audit of our codebase with the White Hat Group had started. We were very happy with the results, and today we are publishing the report of that audit!

Executive summary of the code review:

In February, Aragon asked us to do a code review for the aragonOS framework as well as the Finance, Vault, Voting and Token Manager applications. We were very impressed with the quality of the code. It is without question one of the most advanced smart contract systems in the space and makes extensive use of many new functionalities within Solidity and at the EVM level. Especially notable is the secure way to deploy a core controller that adds upgradability, the access control pattern (ACL) and its flexible execution engines.

We spent 3 weeks in March reviewing the code and found 1 critical issue, 3 high severity issues, 4 medium severity issues and 27 low severity issues. We also made 39 comments to the code about things that could be improved or at least things that we believe require a clarification or a deeper look. The critical issue, if exploited, could stop all Aragon DApps deployed if it was not corrected.

After our deep dive into the code, we discussed the issues with the Aragon team and they worked to fix all the issues throughout April. We reviewed these fixes and can say that the Aragon team has corrected all of the important security issues that we found.

The biggest worry we have with this framework is the possible misunderstanding of this framework by the developers that decide to use it to deploy their DApps. We strongly recommend that all Aragon DApp developers, especially those that are early pioneers, review the code, try to understand how it works, and do not treat it as a black box. We recommend that the Aragon core team and community contributors make a special effort to add useful clarifications in the code. Better documentation will greatly contribute to the high level of security that this framework is designed to provide.

From the architectural perspective, we believe that this code base is an incredibly well designed first iteration. However, after the first set of DApps are developed on top of this framework, it is likely that more improvements and refactors will need to be done to accommodate the desired usage of the DApp developers.

Find the full audit report here

Among the big news for developers was the release of the Aragon Developer Portal. It helped meet some comments from the audit regarding documentation and introduced our new command line tool for building Aragon apps, a straightforward tutorial, and reference documentation for all the building blocks of Aragons complete stack to run decentralized organizations.

You can create Aragon apps that interact with each other to bring delightful experiences to life and strengthen how people organize. Instead of reinventing the wheel, Aragon embraces the open source philosophy, by being a light horizontal layer that you can build upon, and by making all Aragon apps interoperable with each other.

The Aragon Developer Portal is ready for prime time!
Featuring our new command line tool for building Aragon apps, a straightforward tutorial, and reference documentation for all the building blocks.

Come #buidl the decentralized future with us!https://t.co/KTNDH6MOYU

— Aragon (@AragonProject) 21. toukokuuta 2018

In Q2 we also started to document all our deployments and the governance over different repos in our Aragon Package Manager registry. This gives total transparency over who can deploy new code and also a full audit trail of the changes that were pushed, which can be reproduced locally in order to verify their integrity. The next step on this front is to have these reports be automatically generated and with better visualization of the information.

The release of the Survey app commemorated the release of v0.5.1 Beta after the Aragon Core v0.5 — ”The Architect” release.

After that, we also pushed out v0.5.2 Beta during Q1 2018.

The Aragon One team Product Manager Chris Remus wrote a summary of our first new development cycle in a blog post titled Aragon Core v0.5.1 Post Mortem — Part 1

What was released with Aragon Core v0.5.1 & v0.5.2 Betas

aragon/aragon

Aragon dapp to create and manage decentralized organizations on Ethereum

General

• Initial Mainnet DAO and app support; limited to only a few organizations with a Survey app installed
• Set the default ETH node on mainnet to Infura
• Polished and optimized the onboarding's rendering, making it smoother
• Revamped the Settings app to always be loadable even if the user's DAO has not been fully loaded yet
• Added the ability to change various configuration settings (e.g. the IPFS and Eth node the app is connected to), both in the Settings app and when running the app locally via the CLI
• Added support for apps with multiple instances
• Added support for non-checksummed addresses in the URL for the DAO and app proxy addresses
• Fixed a few rendering issues with the app menu panel
• Updated aragon.js server dependency to 2.0.0-beta.38 (see notes on aragon.js for further details)
• Set the default ETH node on mainnet to Infura
• Polished and optimized the onboarding's rendering, making it smoother
• Revamped the Settings app to always be loadable even if the user's DAO has not been fully loaded yet

Survey

• Launched the Survey app; Aragon's specific instance with ANT is located at survey.aragon.org.
• Math issues causing no transaction to be generated when attempting to vote with a large amount of tokens (> 1000)
• History chart's transition being run multiple times for certain screen sizes
• 0% and 100% votes being cut off in the history chart
• Layout of the votes casted panel in the detailed view when a vote's description caused a line break

aragon/aragonOS v3.1.3 to v3.1.9

Solidity framework for governance

• Numerous changes based on the WHG's audit findings.
• Breaking change: Proxies now conform to the ERC897 standard.
• Hardcode keccak constants to save gas
• Support removing docker deploy image for beta templates in apps
• Restart ganache every test
• Upgrade ganache to always be at least 6.1.0
• Remove fallback from AppProxyPinned in favor of using base's fallback
• Minor packing improvements
• Clean up warnings
• Updates some pragma versions
• Vault recoverable
• Add URL to package.json
• Emit appId in NewAppProxy event
• Update truffle-privatekey-provider
• Fix incorrect role hashes in APM
• Fix dependencies list so that users of @aragon/OS's truffle config get the correct packages used.
• Fix overloads of Kernel.newAppInstance() and Kernel.newPinnedAppInstance() not returning the created Proxy.
• Exposes APMNameHash so that users don't have to re-implement apmNamehash() themselves.

aragon/aragon.js

Easily interact with your dapp's state

• Support for the new proxy contract interface from aragonOS 3.1
• web3.eth RPC channel, to allow apps access to a whitelisted set of web3.js's web3.eth functionality
• Support for non-checksummed addresses for the DAO and app proxy addresses
• Removed Delegate script encoders to mirror their removal from aragonOS following WHG audit
• Optimized event fetching by only asking for events starting from the block the DAO was created in, rather than the genesis block
• Added new API documentation
• Fixed timeout queries to IPFS after 10 seconds and gracefully handle this error

aragon/aragon-dev-cli v4.0.4 to v4.1.4

CLI for creating and publishing Aragon apps

• Handle missing versions from provider on aragon apm versions command.
• Fix ethereumjs-wallet dependency update issue ethereumjs/ethereumjs-wallet#64

aragon/aragon-ui v0.12.0 to v0.14.0

Create a beautiful UI for your dapp

• Remove website components. The components that were used on the websites only have been moved to a dedicated toolkit: @aragon/web. (#153)
• Update peer dependencies to react / react-dom ^16.3.2 and styled-components ^3.2.6 (remember to update your dependencies if needed!) (#157)
• New component: Slider. (#171)
• New component: AppView. This component gives you the base layout to get started with a standard Aragon apps. (#164)
• RadioButton: styling tweaks. (#175)
• Text / font(): do not set defaults if size, weight or color are not set (allows style inheritance). (#152)
• Add TextInput.Multiline (textarea element). (#168)
• Move the "providers" components to src/providers, and use the new Context API with render props. High order components are still available as they are needed in some contexts (e.g. to wrap a styled component). (#158)
• Add a .prettierrc file. (#161)
• Various other improvements, full list: v0.11.0...v0.12.0
• The copy-aragon-ui-assets command, to facilitate the installation of Aragon UI in a project. (#178)
• A devbox/ directory, which makes it easier to contribute to the project by providing a simple project to develop components in isolation. (#177)
• Fix a positioning issue on the Slider component.

Community Contributions

We always appreciate community contributions, so a big thank you to all the community members who contributed during Q2!

aragon/aragonOS

cleans up a number of visibility warnings by verdverm
https://github.com/aragon/aragonOS/pull/235

updates some pragma versions by verdverm
https://github.com/aragon/aragonOS/pull/236

aragon/aragon-apps

Fix typo in cliff comment diagram. by Kyrrui
https://github.com/aragon/aragon-apps/pull/316

Change vote function comment to 'yea' from 'yay' by Kyrrui
https://github.com/aragon/aragon-apps/pull/328

Updating coveralls in root project, removing hoek dependency by Kyrrui
https://github.com/aragon/aragon-apps/pull/326

Fixing links in payroll readme by Kyrrui
https://github.com/aragon/aragon-apps/pull/331

aragon/aragon

Fix ESLint error (failed Travis CI) by decodedbrain
https://github.com/aragon/aragon/pull/235

Use ProxyAddress instead of AppId for identifying apps by jvluso
https://github.com/aragon/aragon/pull/222

Open bounties

To incentivize more community contributions, we also have some bounties posted that are free for anyone to submit a claim to! We will also be posting more in the next quarter, so make sure to check back!

Node and token location information in radspec
Tokens: ANT: 10.00

Support calling methods on own contract in radspec
Tokens: ANT: 20.00

Create tutorial for using the Survey app with ANT in cold storage in aragon-wiki
Tokens: ANT: 20.00