Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Harmony / Harmony's "ONE World" Event in Lisbon, Portugal / 18 Oct 2021
Harmony / Harmony's "ONE World" Event in Lisbon, Portugal / 18 Oct 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Harmony's "ONE World" Event featuring Robson Silva Jr of Pods Finance

Description

The Harmony team hosted its own "ONE World" event in Lisbon, Portugal on October 18, 2021

This video features Robson Silva Jr walking through the process of hackathons as well as highlighting Pods Finance

Robson on Linkedin: https://www.linkedin.com/in/robsonsjre
Discover Pods Finance: https://www.pods.finance
Discover Harmony: https://www.harmony.one

A

Hello, so yeah. The reason that I'm here today is because, like we have if lisbon coming the next days- and I think uh it's very important to me like to share part of our journey, especially because like pods okay, so one step back pods is a options protocol. I don't know if you have heard we have like. We are building parts of the d5 ecosystem, especially in the derivative space, and we started as a hackathon project.

A

So one year ago, by the way, that's vitalik, he seems not impressive. I think it's hard to impress him and we started with like two hackathon projects and the first one was, if denver february last year, and we also participated in the hacky money last year and like in the beginning, when we started, in my mind, uh like coming from the hackathon to like a production state in my, in my mind, was something like this like, I called something I had an audit and I'm ready to production, but in reality was something like this.

A

You code the test, you find some bugs and you don't have documentation enough to the auditors and then you test again and then you do like a public release in a test environment.

A

So it's much more complicated than I expected so uh for those that are going to like in the next days participate in a hackathon and maybe in some months some pro some projects are just for fun, but other projects, like may become a company like us.

A

uh I wanted to give you some hints and some framework around like how to like how to organize you, especially from the tech part. You have also the organization part like how to get funding, how to incorporate like delaware or cayman, but here today I'm going to focus on the tech part.

A

um So in our first project in our first hackathon, we had like almost only five smart contracts or something like this, but when we started to think okay, so this is going to be a company, a real project in the end, after trim three to four months, our architecture and end up like this. Before, like the mainnet release, or even before, like the first audit, so I think this is the first thing like probably your project is going to be much more complicated than you expected. When you just finished the hackathon.

A

So uh I'm going to to talk about like the first thing that came to our minds when we think that we need to launch is the audit uh but audits. We all know that they are expensive, they are slow. Actually, this is. This presentation is a little bit outdated.

A

For example, we are still waiting one year to get a spot with open zeppelin just to just to have like a an idea, and the important thing is require pre-work. I didn't know that for me. Like I had my code, I can now contact some companies, but actually you should do this pre-work things like the process is expensive. It's low, let's take like the most out of this process.

A

So for those who like games, I like games audits for me they are like the canons like for this kind of games. With this strategy like they are slow, they are very expensive and usually they don't. They are not effective for all the things that you have in your way and usually they are for the late game. You don't start like a game. Usually you start with your soldier if you're like the horses and not with the cannons.

A

But before going to talk about the pre-work that we need on the audits- and why do we need this like? For me? I used to be like a full stack developer in the web. 2 and audit was something that I never heard before these in the industry and usually something for like big companies, so why early companies like small companies, need to have an audit, and the reason for that is because we are changing the paradigm here we are entering the crypto paradigm. This phrase came from one of our first auditors.

A

uh I I respect him so much he he he sent me this. I think in the first day of the audit, and that phrase is sticky, to my mind, he said like rob. Building smart contracts is much more similar to build hardware than building software. So imagine the new iphone uh has like a bug on on the camera and then like you, cannot update. You cannot have like a deployed you you need to like have a recall.

A

You need like two: it's going to be a big damage, so this idea this mentality is similar to the smart contracts.

A

So you cannot put a plug you, you can see in the market that we don't have like continuous deployment you have like uni swap v1 v2 v3 is like in batches is in releases is different from the old web to mentality.

A

So that's the main reason that why we have audits you need to put the effort before and not like after because like even even if you have like upgradable smart contracts, sometimes you don't have time to like upgrade to find a bug and to be great and fix it.

A

So that's the reason why we have audits in this new web 3..

A

So I think this is the hardest thing for me nowadays like how we are still a startup. So how do you keep speed like? How do you I I used to grow with like this mentality in in my past, jobs in the web 2 like build fast and break things the facebook lemma, but here like how do I bring this mentality like? How do I build fast and don't be wrecked, like how I keep the speed and security aligned?

A

So I I going to show you some like elements that you can use in your project.

A

So the first.

A

I'm going to talk about the pre-work, so the first thing that I wanted to talk is about security layers, as I already told you like for me audits. They are kind of the channels, but you have other layers think about like your system as like a war, and you have like layers of security that you can use before going to the war.

A

So the first one here is is a list of the things that I and again for me, this presentation is a little bit outdated because for me, static analysis is not optional. I think you should have before the first audit, but this is a list of the things that I think your project should have before you go to the your first audit.

A

So basically you have the unit tests like is like the the the most simple soldier here like is. You should always have unit tests in in your brain, like in the way that you could always do like, uh like always keep track of this.

A

So we have some tools for this. I use waffle for mocking contracts, and you have like specific assertions for this. I use feature fixtures because easily your code is going to have like a really big deployment time, just to have an idea on pods. We have nowadays every time that we change something. The smart contracts takes like 40 minutes to test all the environment. So if you don't use feature, fixtures is going to you you're going to have a problem with scalability.

A

uh Then you have like the second layer. The integrations test. What is the difference between units tests and integrations integrations is when we start like combining, for example, I use chain link as a price oracle. I use avi as a collateral. I use sushi as our oracle or as a exchange. So I start combining those parts in the integration test.

A

uh One tip that I give for you is probably if you are coding with different projects you already faced. The problem of like ave is only on coven and hinkeby, and sushi is only on another test net. So, like use the the tools that we have in the market use like mainnet fork, I recommend the tenderly forex very, very easy to use. We have alchemy with archive nodes for free in the free plan, so I recommend for integration tests using main network, uh and then we have like some tools to like increase.

A

The power of your army coverage is a tool that you can use to to get better in your tests. So it's very it's very easy to set up. You can combine like, for example, hard hat coveralls covers, is a is a tool for tracking your tests and github actions to have like this process in your system.

A

um If you don't know it like, it is for free for public repositories, and they show you like what parts of your systems you. You are missing tests, so, if you have like, if else is what we we call like branches, they are going to show.

A

Every line of your system that are missing tests is a very good tool to have, and you co, you can combine very easily with each actions to have like the whole process working and uh you can like always keep tracking of your tests to take care like they say that is easy to have like a good coverage, but it's hard to maintain a good coverage. So github actions is a good way to keep the good coverage.

A

What else documentation yeah documentation for me is more like the supporter. It's not like the soldier is more the priest like because you have to convince the other developers, it's not about like a developer experience.

A

And especially for the auditors, they they are not much magicians like they are not going to understand your code.

A

If you don't write good documentations and when I say good documentations, I'm not talking only about like code level documentation, I'm talking about explain your system, how your amm works like how your pricing system works, why you are different from the others like give content context to the auditors like it's kind of onion, like you start big picture, and then you start deep, diving on the parts of your system and not only for auditors, but also for the dx, the developer experience.

A

If you are a protocol, you need to care about the developer experience because, like you, you're not building a protocol only for the b2c part of only for the end consumer you're, always working for like the community for the developers, so yeah documentation is a supporter.

A

uh It's important, and I know that developers don't like to to write documentations uh fuzzy testing, posit testing. For me they are like the walls, the towers. Why? Because like they are uh closing all the gaps around your yard system, so for those little mistakes? That is hard to find.

A

Fuzzy testing is a good tool to uh to find like those last gaps on your system. So after, like public testing, after like the integration tests, uh where you probably found like 80 percent of your bugs for those last 20 of the bugs fuzzy testing is a good feature on pods. Currently, we are using a kidnap, that's a a tool made from three of bits. If I'm not not mistaken, they just released the diversion. True that supports solidity. Zero, eight and.

A

There are two ways of doing fuzzy testing the asserts and the invariance. The variance is the most important one. What is invariance is let's say you have like these general truths in our system. That always should be respected. For example, in our case we have options and our options are over collateralized.

A

So I I can write an invariant like um the sum of all options times. The strike price should have always a balance for those options that I minted. So I write, though this invariant and I started testing all the possibilities in the system, so it is effective for, like stress scenarios,.

A

And, in addition, in addition to that, talking to auditors is, uh is also a business relationship. So this is like a parenthesis during the negotiation understand well like we have now like more than I don't know, 20 different companies, doing audits so understand. Well, like the phases of the audit, the deadline. How many times you can like keep go far and back like the audit process. How long is going to take one month? Two months uh are: they are like inside the scope.

A

Fuzzy testing is covered, like formal verification is covered like make sure that you understand what are you paying for.

A

And also after you did all this pre-work after you did the audit remember that what is risk risk is a function of two elements, the probability of happening of an event and the size of the impact. If something goes wrong, usually all those layers that I added previously like fuzzy testing integration tests. We are tackling this first part of the the equation. We are trying to reduce the probability of the event, but also we can what we can also do. In addition to, that is reducing the size of the impact.

A

That's why we decided on our lounge to have like acquired launch before the mainnet release, like we started that on march on polygon, we did like a guarded launch with a very low cap with admin keys.

A

That way we try. We are trying to tackle, like the second part of the equation, reducing the impact. In case everything goes wrong, so I recommend I think this is becoming a a pattern on our industry, like those guarded launches with like caps and emergency stops, at least in the beginning. I think this is very important to tackle the impact.

A

And I think I think that's it yeah, so this presentation actually came came out from a blog post that I wrote like some months ago. So you can. You can check there if you have like if you wanted to understand more deeply what I'm talking about and if I'm happy to help you. If you have questions, if you are going to participate in lisbon some days, I can try to guide you with some tips.

A

So that's it. Thank you.

A

You.