1/9 Impossible Finance has defied the realms of reality this past month, raising its score to an outstanding 94%. With brand new documentation to showcase information of vital importance, the team has shown a commitment to expert-level process quality 🧵⬇️
2/9 Firstly, the launchpad provider had a decent running start in our core transparency metrics. Addresses are public and easily found, devs are doxxed, technical documentation was present, and the well-maintained GitHub contained fully open-source software.
3/9 However, one thing that was clearly missing was admin control information. Upon establishing contact with the developers, they worked very hard to produce this important document. It can now be found here: impossiblefinance.notion.site/Contract-Addre….
4/9 Secondly, this aforementioned document contains all the high-level information needed to evaluate Impossible Finance's admin controls. Core contracts are immutable, ownership is through a MultiSig, and change capabilities are restricted to trading fees and whitelisting.
5/9 Moreover, there is also a breakdown of how Impossible mitigates the risk of front-running and flash loan manipulation. With asymmetric boosts and staking allocations proportionate to the stake amount held over time, Impossible's mechanisms are built with risk mitigation in mind.
6/9 Lastly, the protocol shows a dedication to security via multiple pre-deployment audits for each protocol deployment and a sizeable bug bounty that will reward whitehats with up to 10% of total capital "saved" through attack vector disclosures.
7/9 In the future, we would love to see Impossible further develop its testing suite with the addition of code coverage and unit tests, detailed testing reports, and formal verification. We will be monitoring these additions closely and update the report as they are added.
8/9 All of that to say, Impossible Finance's process quality standards are extremely high. The protocol architecture and security measures were certainly well thought out, and we are looking forward to newer protocols utilizing its innovative launchpad in the future.
1/7 Over the past two months, Synthetix has worked hard to achieve a 97% score, and is tied for the current top score with @LiquityProtocol! As such, it is time to syntherely congratulate the protocol and underline what went into this groundbreaking effort.
2/7 First, Synthetix has always had a rock-solid base. Its technical documentation is anything but artificial and does a great job at covering its entire smart contract architecture. Moreover, the traceability of the source code implementations is excellent.
3/7 Speaking of source code, Synthetix has one of the most well-developed GitHub repositories that we have seen. Testing depth is commendable, and all unit tests are fully available. Formal verification puts the cherry on top of these vast software development standards.
1/ @friktion_labs irritates the open-source spirit of DeFi with a closed-source repository. Despite a proudly public team and some good oracle documentation, Friktion does not glide anywhere near a process quality pass.
2/ Thanks to a whitepaper and some software architecture, they score a reasonable 43% on our documentation section. In addition, their clear links to Pyth explain their oracle well. We'll nonetheless advise our users to go get some aloe vera if they want to use this protocol.
3/ Thanks to a laughable bug bounty of $690 awarded to essayists looking to promote Friktion (and NOTHING FOR SMART CONTRACTS), no audits, a private repository, no testing documentation, and no details on contract ownership, we see that Friktion is haphazardly put together.
Today, instead of our usual review, we have decided to give you our analysis of the $15b Convex Finance vulnerability from a process quality point of view.
This analysis is primarily provided as a Medium article, written by @nvy_0x, which will be linked on the last tweet.
TL;DR:
1/10 Almost five months ago, @ConvexFinance was harboring one of DeFi’s largest known vulnerabilities. Through a convoluted process, @OpenZeppelin was able to help patch up the potential exploit. Although both teams performed admirably, there are a few things to note.
2/10 Anonymity isn't bad, but it can lead to centralized points of failure, especially in a 2-of-3 multisig where two of the signers can be anonymous. When it comes to projects that handle billions in user funds, it is more prudent to have a larger and more diverse multisig.
1/5 Ribbon has done a great job at ensuring that it's a more beautifully wrapped present. In both updating their own documentation as well as making a few things clearer for our own analyses, we're elated to tie a bow on this one and give them a well-deserved passing score.
2/5 Ribbon's passing grade comes from focusing on clear oracle information. This is especially vital as this is a derivatives exchange, making the data the contracts depend upon incredibly important. Since they're based on Opyn, they inherit the tried and true Chainlink oracles.
3/5 We're looking forward to reading more documentation relating to their pause control and their contract timelock features. This will double-knot the bow that Ribbon is tying up for us.
1/4 Allbridge is falling down with 28%, and it's not pretty. At $400m TVL, the protocol and its team reflect subpar development practices with a low-quality token audit, absence of details regarding their Access Controls, and a minimal amount of perceivable GitHub development.
2/4 We would also like to point out that @Allbridge_io's audited contracts are in a private GitHub, therefore making the contents of the audit untraceable and unverifiable. Paired with the absence of a bug bounty, this makes it hard to gauge the protocol's commitment to security.
3/4 Although the team is fully doxxed and has provided their community with in-depth documentation on how to operate the protocol, we're urging the team to be more transparent about the backend of its software and the kind of control they have over it. #DeFi
1/4 With a 90%, Astroport enters our review catalog as the #1 scoring protocol on Terra and one of the highest-rated DEXs we have reviewed. The protocol excels in all areas of software documentation and is especially focused on providing its users with all the necessary details.
2/4 Most notably, the team has partnered with Immunefi to offer one of the largest Bug Bounties hosted on the white hat platform. Along with a pair of audits, @astroport__fi clearly takes the security of its protocol very seriously. #DeFi #Terra
3/4 We have also had the pleasure to collaborate with their quite responsive team. Together, we hope to fill the remaining gaps of our review with improved testing and a more user-friendly version of their Access Controls. We have no doubts about the team's ability to do so.