Thank you @mrmtech for sharing the video demo. Given that your users are all Spanish speakers right now, it’s okay for the app to only support Spanish only for the first few milestones. That said, would you be able to add an English language option as part of your final milestone?
Hello @DAOstar_gov and team!
We collected all the feedback for our milestone 2 request. Here our analysis and next steps.
First, we apologize for the administrative mistake in requesting 12.500 instead of 11.500. We took the value from the original plan, and not updated it with our latest agreement. This has been properly noted, and our request will be made correctly.
Second, our communication plan will take please on this thread. We communicated our status using other channels, which lead to confusion. We will change that.
Third, the communication will be more active. For the next milestone, we think weekly updates will be correct.
Next steps
Security audit of the DidManifestRegistry contract
Congratulations @mrmtech on the thorough M1 report! The level of documentation, verifiable on-chain evidence, and working testable APK demonstrate a professionalism and laser focus on delivery.
Thanks @Tane for auditing the contract and repository.
I’d have a few pointers to clarify:
On the audit budget:
$10k seems high for auditing the “DidManifestRegistry” contract, which is a relatively focused, single purpose registry with owner only writes and standard key derivation. Save any mistakes, similar single contract audits are ranging from $3-8k these days. Which auditor are you engaging with, and how was this estimate done?
On access control architecture:
The current design relies on owner only write permissions. While I understand this may be an early stage design, this seems somewhat at odds with the self-sovereign philosophy where users control their own identity. Is there a roadmap for decentralizing write access, perhaps through issuer permissioning, multisig controls, or other mechanisms?
On infrastructure dependencies:
The backendless discovery flow is a solid step toward decentralization. However, issuance still relies on Pinata for IPFS and AWS for the issuer portal. Are there plans to reduce these centralized dependencies over time, again on the self-sovereign and decentralized philosophy.
Hi @ChronoTrigger !
We very much appreciate your feedback, we are putting a lot of effort into improving the solution, its very well received!
On the audit budget:
The budget is meant not only for the audit, but for fixes, and optimizations based on recommendations. We are playing it safe, maybe too much, we are willing to reduce this milestone to 8k, if that is agreeable.
On access control architecture:
YES we have plans to improve further (this is alpha launch). SSI is a huge topic, and hard to tackle, we are taking it step by step.
Having said this, the first goal is for the users to be able to retain their credentials if the issuer is no longer available. On many cases however, the issuer of the credentials needs authority to revoke them (think of driver licenses, or access passes to campuses). So we are going to expand to more uses cases in the future.
On infrastructure dependencies:
Yes, IPFS is the preferred solution because storing content onchain is the first step. We may need to change vendor in the future, but we are keeping the technology.
Thank you so much for your responses and clarifications regarding communications, we truly appreicate your intent for consistant updates.
We do have a question about the M2 proposal on Tally currently, since the you stated that the revised M2 budget is $8K for the audit budget (which we agree with @ChronoTrigger comments above) however, we thought that M2 budget was audit budget + $2,500 for development hours for fixes/testing.
Can you please clarify the breakdown of the M2 budget with audit + dev hours, before we submit our vote? As the original proposal for M2 included both. Thks!
Hello @DAOstar_gov and team!
Happy to clarify and further breakdown the milestone.
To reduce the cost of the external audit, we redesigned the sprint, and moved some items we would request on a full/complex audit out, and will run those separately. We agree with @ChronoTrigger that our contract is simple enough that we can do that safely.
Given that we are running some of those items ourselves, it made sense to include other hardening tasks in the same sprint.
What the external audit still covers is the security review of our smart contract plus the tests, this is a very good practice we want to keep.
The milestone now includes:
Remediation and optimization of code based on audit findings
Plus the items we moved out from the audit, that we will execute:
Gas profiling
Tools: hardhat-gas-reporter (Hardhat), optionally Foundry forge test --gas-report
Thank you so much, @mrmtech for this level of details and response to our clarification. We also agree that the external audit plus tests is a very good practice and demonstrates to us that your intentions are true. We support that your M2 deliverables as completed as identified, and we will be voting in favor. Thank you for the fantastic communications!
I have voted in favor of the current Milestone 2 proposal.
Milestone 1 delivery was properly evidenced, and based on the latest clarification, the revised M2 scope (external audit of the contract + tests, remediation, and additional internal hardening tasks) appears reasonable at the ~8k level.
That said, given the number of budget iterations we’ve seen (original proposal → revised $30k structure → incorrect on-chain amount → now reduced M2), I believe it would be very helpful for governance clarity if the team could publish a single consolidated table showing:
Each milestone (M1–M4)
The current agreed scope per milestone
The current agreed budget per milestone
The resulting total grant amount
Having one updated budget breakdown in this thread would prevent future inconsistencies and make voting more straightforward for delegates.
Appreciate the responsiveness so far, and looking forward to the audit results in M2.
Hello, @mrmtech , we have to echo @Kaf_Anode request for posting an updated and complete budget and scope into one view. For use, this would be helpful to understand clearly the full breakdown. Keep up the great work on communications!
Hello community,
sure, here is the updated milestones for our project.
We incorporated some requests for milestone 3.
Let us know if more details are needed.
Regards!
Milestone 1 - Complete - (usd 10.000)
Deliverables
Testnet launch with Rootstock integration.
Smart contract design + deployment for CID storage.
Budget: New architecture and Web3 development
KPIs:
Smart contract deployed to Rootstock testnet.
CID written/read cycle functional.
Budget: Architecture, infrastructure, and web2 development ($6.000), Smart contract development ($4.000)
Milestone 2 - (1 month – usd $8,000)
Security Audit of Rootstock smart contracts and tests
Apply fixes and recommendation from the audit
Gas profiling
Tools: hardhat-gas-reporter (Hardhat), optionally Foundry forge test --gas-report
Symbolic execution (time-boxed)
Tools: Mythril, Manticore
Fuzz testing / property testing
Tools: Foundry (fuzz/invariants), or Echidna
Monitoring + alerting
Milestone 3 - (2 months – $4,000)
Mainnet launch of the Rootstock-enabled.
Backend API adapted to interact with Rootstock mainnet.
Issuer hardening (add authentication)
Issuer working against Rootstock mainnet.
Validator apps working against rootstock (on open source repo)
Add english language (validator request)
Ensure IPFS option besides pinata to support other storage options for content (validators request)
Infrastructure set-up for production readiness (Amazon + web2 services)
Demo credential issuance + validation flow working end-to-end
Milestone 4 (3 months – $4,500)
This is the user adoption phase
Focused on accessibility, documentation, and SSO integration.
Publish comprehensive guides for developers and institutions.
Improve onboarding flows for community use cases.
Communication on various channels
Documentation and SSO integration live
At least 2 external developers/institutions onboarded as pilot adopters
Thank you so much, @mrmtech , this detailed (and updated) budget, milestone and KPI’s, the list looks good, thank you. We’re looking forward to reviewing the M3 deliverables!
Hey @mrmtech we have voted FOR the proposal, it is great to see the successful delivery of Milestone 1. We also really appreciate the team taking the feedback from other delegates on board and providing a clear, detailed breakdown of all the milestones moving forward. What stood out to us about this grant is how it actively minimizes execution risk.
Excited to see how further milestones take shape.
We completed gas profiling, here draft results ( for the milestone we’ll include the complete report)
Deployment: 755,359 gas
So deploying the contract is cheap relative to the block limit.
setManifestCid is in the ~33k–50k gas range per call depending on storage (cold vs warm). Average ~48k.
Batching helps: Two mappings in one tx (setManifestCidsBatch ~78k) cost less than two separate setManifestCid calls (2 × ~48k ≈ 96k), so you save on per-tx overhead.
Deletes are relatively cheap (~26k per delete) due to storage refunds.
We are analyzing symbolic execution results.
We have a warning “Arithmetic operator can underflow”, which seems a false positive, but we are analyzing it.
Next week we expect to finish symbolic execution, and fuzz testing / property testing.
