# Audit Submission Package

## Purpose

The **material package attached to the email** when sending an RFP to audit firms (Spearbit / Cantina / Zellic / Trail of Bits / OpenZeppelin / ChainSecurity, etc.). It covers:

* Scope boundary + 27-contract inventory + budget envelope
* Self-review findings already fixed (CEI bug + 7 immutable + 30+ FP annotations)
* Coverage gaps quantified and located (the baseline submitted for audit)
* Dependency CVE status (net result: 0 critical/high)
* Trust assumption list (what is in / out of scope)
* STRIDE threat model (attack surface map)
* Honest mainnet readiness assessment (project self-assessment, not a sales pitch)

Reduces duplicated discovery work for the audit firm → more accurate quotes + a cycle shortened by 1-2 weeks.

***

## The 9 Documents

| # | File | Size | Purpose |
| - | ---- | ---- | ------- |
| 1 | [SECURITY-AUDIT-RFP-2026-04-30.md](https://github.com/leeleeEcho/babyDriver_Layer2/blob/main/docs/guides/SECURITY-AUDIT-RFP-2026-04-30.md) | 24 KB | scope + 27 contracts + $80-100K budget + Spearbit/Cantina/Zellic shortlist |
| 2 | [audit-outreach-email-template-2026-04-30.md](https://github.com/leeleeEcho/babyDriver_Layer2/blob/main/docs/guides/audit-outreach-email-template-2026-04-30.md) | 4 KB | cold email + follow-up + selection checklist |
| 3 | [pre-audit-self-review-2026-05-07.md](https://github.com/leeleeEcho/babyDriver_Layer2/blob/main/docs/audit/pre-audit-self-review-2026-05-07.md) | 10 KB | slither finding triage + FP annotations |
| 4 | [coverage-gap-analysis-2026-05-07.md](https://github.com/leeleeEcho/babyDriver_Layer2/blob/main/docs/audit/coverage-gap-analysis-2026-05-07.md) | 8.5 KB | 18 branch-arm gaps located down to the line |
| 5 | [coverage-2026-05-07.lcov](https://github.com/leeleeEcho/babyDriver_Layer2/blob/main/docs/audit/coverage-2026-05-07.lcov) | 85 KB | full raw lcov report |
| 6 | [dependency-audit-2026-05-07.md](https://github.com/leeleeEcho/babyDriver_Layer2/blob/main/docs/audit/dependency-audit-2026-05-07.md) | 7 KB | handling status of 4 Rust vulns + 7 npm vulns |
| 7 | [trust-assumptions-2026-05-07.md](https://github.com/leeleeEcho/babyDriver_Layer2/blob/main/docs/audit/trust-assumptions-2026-05-07.md) | 14 KB | trust inventory (5 categories: chain / roles / off-chain / cryptography / business) |
| 8 | [threat-model-2026-05-07.md](https://github.com/leeleeEcho/babyDriver_Layer2/blob/main/docs/audit/threat-model-2026-05-07.md) | 14.5 KB | STRIDE × 6 subsystems + suggested hour allocation |
| 9 | [mainnet-readiness-assessment-2026-05-07.md](https://github.com/leeleeEcho/babyDriver_Layer2/blob/main/docs/guides/mainnet-readiness-assessment-2026-05-07.md) | 19 KB | 18-month mainnet execution roadmap + 8-dimension 32.5% score |

**Total: ~186 KB of markdown + 1 lcov file; can be zipped and emailed in one step.**

## Recommended Delivery Method

```bash
cd /Users/judybaby/CodeBase/github/Layer2
mkdir -p /tmp/audit-package-2026-05-07
# the six docs/audit files: self-review, coverage gap analysis, lcov, dependency audit, trust assumptions, threat model
cp docs/audit/* /tmp/audit-package-2026-05-07/
# the three guides that live outside docs/audit
cp docs/guides/SECURITY-AUDIT-RFP-2026-04-30.md /tmp/audit-package-2026-05-07/
cp docs/guides/audit-outreach-email-template-2026-04-30.md /tmp/audit-package-2026-05-07/
cp docs/guides/mainnet-readiness-assessment-2026-05-07.md /tmp/audit-package-2026-05-07/
cd /tmp && zip -r axblade-audit-package-2026-05-07.zip audit-package-2026-05-07/
# email attachment ~150 KB
```

Alternatively, send the GitHub repo link plus commit hash `7c438db` and let the audit firm clone the full codebase and review the documentation alongside it.

## Audit Firm Quote and Timeline Reference

Based on the STRIDE × subsystem cell analysis (see [Threat Model §9](https://github.com/leeleeEcho/babyDriver_Layer2/blob/main/docs/audit/threat-model-2026-05-07.md)):

| Subsystem | Main threats | Recommended hours |
| --------- | ------------ | ----------------- |
| PoB / Stake / Challenge | 12 | 60-80h |
| PoD / Verifier (three variants) | 11 | 50-70h |
| L2 Policy | 6 | 20-30h |
| CSDRT / DID | 9 | 40-60h |
| Oracle / Bridge | 14 | 80-120h |
| Cross-system | 5 | 30-40h |
| **Total** | **57** | **280-400h** |

At the industry rate of **$200-400/h for a senior auditor** this gives a **$56K-160K** range, consistent with the $80-100K RFP budget at the median.

**Timeline estimate**:

* Single firm, first round: 4-6 weeks of audit + 30-90 day fix cycle
* Two firms in parallel: ~6-8 weeks of audit
* Code4rena public contest in place of a second firm: 1-2 weeks public + 30 days fix

## Audit Firm Shortlist Comparison

| Firm | Focus | Quote range | Timeline | Mainnet ZK rollup experience |
| ---- | ----- | ----------- | -------- | ---------------------------- |
| **Spearbit** | DeFi + ZK | $80-150K | 5-8 weeks | Multiple |
| **Cantina** | DeFi + L2 | $60-120K | 4-6 weeks | Yes |
| **Zellic** | ZK + complex protocols | $80-180K | 6-10 weeks | zkSync, Aleo |
| **Trail of Bits** | Critical infra | $150-300K | 8-12 weeks | — |
| **OpenZeppelin** | Sol-heavy | $100-200K | 6-10 weeks | — |
| **ChainSecurity** | Formal verification | $80-180K | 6-10 weeks | Note: relatively little ZK |

Recommended play: **send the RFP to 3 firms at once** (Spearbit + Cantina + Zellic), collect quotes within 2 weeks → pick 2 as primary auditors + a Code4rena public contest as the third party.

## Remaining Audit Prep To-Do

| Item | Status |
| ---- | ------ |
| Add 11 forge tests to close the 18 branch arms | To do (can run in parallel with the external audit) |
| Echidna fuzz: 16 invariants × 10K runs | Tooling to install |
| Halmos symbolic execution of the critical path | Tooling to install |
| Manual review of external/public entry points | Partially covered (in threat model) |
| Bug bounty launch (Immunefi) | After the first audit round |

## Next 4 Steps for the Project Team

1. **This week**: send the RFP to 3 firms (materials are ready; only the founder's decision and sign-off are needed)
2. **1-2 week wait for quotes**: I run the remaining audit prep (11 tests + echidna, etc.)
3. **Quotes back → choose firms**: select 1-2 firms and sign contracts
4. **Audit starts (T+4-6 weeks)**: firm onboards; team on standby for the fix cycle

See [Mainnet Readiness Assessment §3](https://github.com/leeleeEcho/babyDriver_Layer2/blob/main/docs/guides/mainnet-readiness-assessment-2026-05-07.md#3-执行路线图).

