DeFiSafety, Jun 7 (29 tweets, 16 min read)
1/28 Due to repeated downtime, @solana has the second worst final technical risk score of the 15 chains that we have reviewed so far. Only @Ronin_Network has a lower score at this point. This is for a variety of reasons. 🫤
2/28 Firstly, Solana's base score is low. Despite a public software repository and some good documentation, their infrastructure relating to nodes is subpar.
3/28 There is only one node implementation (we will address this later), the updates are handled in a haphazard manner and there is no process for an archive node.
4/28 It is still unclear where the chain stores its history - there have been no documented updates on the Solar bridge after archives were abandoned.
docs.solana.com/proposals/ledg…
5/28 Aside from the founder’s Reddit comment from 1 year ago that states the chain "is archived to arweave" and that validators store 2 days of history, there have been no documented updates. @ArweaveTeam
reddit.com/r/solana/comme…
6/28 While Solana Beach / SolScan @solscanofficial have made significant strides in UX, their utility as a block explorer still does not match @etherscan's.
7/28 Frequent 404 errors and failed searches plagued our researchers when trying to view components of older transactions. This raises questions about the nature of #Solana as a #blockchain if it is not easily verifiable.
solscan.io/tx/5MiGs3KSuTq…
8/28 In addition, while Solana as a chain has been audited (years ago), the node software has not been audited. @KudelskiSec's 2019 audit focuses on architecture and not node software. The 3 years of subsequent iterations are thus unaudited. solana.com/solana-securit…
9/28 This is alarming given the lack of formal process relating to upgrading any part of Solana - the production version of the chain is at the whim of whichever core contributor sees the push request.
10/28 This presents risk to user funds as this is a single point of failure. @solanalabs should pursue formal verification on this chain to ensure it functions as intended, like other leading L1s do.
11/28 Credit where it's due, Solana has made significant strides in validation decentralization. Thanks to an impressive program that incentivises many validators on other continents, Solana scores well on this point. Nonetheless, it is unclear what role these validators play.
12/28 Upon downtime, a selection of 25 validators restarted the chain (coordinated via Google Docs). What is a blockchain? We would like to thank @Solana for sharing that Google Doc explaining their chain restart process. This is nice transparency. Is it the future of finance?
13/28 This is the 8th time that this has occurred (or 9th, it is unclear). How a chain of such significance can be controlled by 25 groups is incomprehensible and unsafe. The potential for chain manipulation is high.
solanabeach.io/validators
14/28 Given that two of these chain failures occurred in less than 6 months, an already unimpressive score is docked twice by half. This leaves their score at 25% of its original value.
15/28 There was some discussion amongst validators about censoring specific transactions that caused the downtime, which would have incurred a further penalty, but fortunately this was not necessary.
16/28 We strongly advise @Solana to increase the number of node implementations they offer to validators. Validators identified this in last week's downtime as a potential contributing factor. One is not enough. Other leading L1s have 5 or more.
17/28 They have an impressive bug bounty though, as @austin_federa correctly identifies. Maybe @solana would consider offering full time contracts for security researchers instead of the bounty system they currently operate.
18/28 This would surely lead to better outcomes (and may even prove cheaper than the full payout amount).
19/28 All in all, Solana presents systemic technical risk. There is no doubt about it. User funds, in our eyes, are at risk. We penalize them heavily for downtime because users cannot access their funds when the chain goes down.
20/28 Solana justifies this as still being in "beta". The fact that @Solana has to state to users that “funds are safe” is probably an indicator that they aren’t. This isn’t a question people should have to consider.
21/28 This is frankly inexcusable given the TVL of this chain and how prevalent it is in #DeFi. Any serious DeFi risk analysis will identify that the risk adjusted return for any activity on this chain makes the opportunities irrelevant.
22/28 This is not to say that things won't change: we know some of the biggest brains in this industry work on Solana. They just need to show the development process the respect it deserves.
23/28 Their users deserve better. DeFi deserves better. We are hopeful that this will be the case soon, but Solana has been around for so long now and downtimes are as frequent as ever. Audits are irrelevant and out of date. Node implementations are anemic.
24/28 Development is arbitrary. The core contributors are unresponsive to requests for comments. We cannot see a documented process for verifying chain archives. Move fast, by all means, but show your users (and their funds) the due process blockchain security requires.
25/28 At the moment, Solana does not. Anyone who uses this chain subjects themselves to massive and at this point seemingly inherent technical risk and trust. We cannot advise any serious investor to use this chain.
26/28 This is a (long) snippet of a full safety report on Solana. For the full report, 14 other chains, scores on some 30,000 contracts as well as the protocol scores you know and love, please visit DeFiSafety.com/app and buy a subscription.