The anonymous DefiSafety team looked into popular decentralized finance (DeFi) projects and their code, scoring each platform, and found that six have overall scores of 80% or above, with Synthetix Exchange leading the list. SushiSwap, on the other hand, got a score of less than 20%.
As noted, the team behind the report is anonymous, but yearn.finance (YFI) developer Andre Cronje described their work as “a great public source,” and their website also shows recommendations from other security experts, such as John Mardlin, Security Engineer at ConsenSys Diligence.
On their website, DefiSafety provides an explanation of what a DeFi audit is, what the process entails, what questions/categories are looked into when doing an audit, and why an audit is needed. “DeFi asks us to trust smart contracts, rather than companies, governments or individuals. They ask you to trust the code,” said the team behind the report, adding that they checked the code, how it was developed, and tested, providing the results.
Per their report, out of the seventeen currently listed, there are six top-scoring projects, if we look at those with a score of 80% and above. “The % score is how close to perfect they follow process and quality best practices,” the report said.
As for the other platforms, dYdX stands at 77%, followed by Balancer Finance with 74%. Balancer’s lowest score was in executing code verification, at 57%. Balancer followed Compound into the spotlight quickly, recording major price increases along the way. In late June, Balancer got hacked, reportedly with USD 500,000 worth of crypto stolen. The attack entailed taking a flash loan in ether (ETH) from dYdX.
Curve Finance got a score of 68%. Curve’s ‘verification’ category got marked in red, having scored just 13%. Its ‘testing’ is above 50%, and the other two categories are above 90% each. The project itself was launched prematurely by an anonymous developer, then adopted by the team behind it. In the second half of August, news broke that the project founder took some 71% of the voting power.
Next up is another much-discussed project and the latest newcomer to DeFi Safety’s list, yearn.finance, with a score of 66%. Its lowest score is 45%, in documentation. The platform and its YFI token have been hard at work, it seems: yearn.finance now holds a whopping USD 884 million, down 3.6% in the last 24 hours, which places it fifth on that ranking, after Curve and ahead of Synthetix. Recently, the platform launched its yETH vault.
Instadapp got 55%, Spaghetti Pasta 43%, NUO Network 28%, and YAM Finance 25%. As for YAM, the report said that this is the first version, the one “with [a] bug.” As previously reported, YAM was soaring high for several days, despite its creators warning about the dangers that come with unaudited projects. However, the team discovered that a code bug would “interact with the governance module” and prevent a proposal that could’ve saved the project from failing. But its second version was announced right away.
The latest newcomer to the DeFi space, SushiSwap, got a low overall grade of 19%. When it comes to individual components making that grade, its testing has 50%, documentation is 20%, executing code validation 14%, and audit 0%.
As reported, SushiSwap warned its supporters that it is unaudited and that it was looking for auditors. One blockchain security firm, Quantstamp, replied to the call and found ten issues with the platform. These include a failure to prevent the same liquidity provider token from being added more than once, and a vulnerability that could potentially allow the theft of funds, among others, though none were found to be critical.
Also, SushiSwap creator ‘Chef Nomi’ previously said that 10% of every minted Sushi will be set aside for future development, adding: “No VC, only community fund.” However, the report stated that it’s actually “1/11 = 9% of the total sushi distribution,” instead of 10%.
Moreover, Adam Cochran, partner at Cinneamhain Ventures, looked into the project, saying that, while he initially presumed the developer fund was going to a wallet locked by either a governance vote or a time lock, it was actually a wallet for which Chef Nomi holds the keys.
It seems however it is just a generic wallet that the SushiSwap admin has keys for.
That means without warning you could be dumped on.
Now, I’ve been impressed with the results of SushiSwap and the team’s professionalism so far, but, let’s take a step back
— Adam Cochran (@AdamScochran) September 1, 2020
Lastly, per the DeFi Safety report, bZx Trading’s first, hacked version got 17%, and Based has 10%.
Meanwhile, there are reports that another project named after a tasty food item, KIMCHI – seemingly supported by Arthur Hayes – was experiencing issues. A commenter looking into the project’s code said that, while “the [SUSHI] owner has 10% of the sushi supply,” with KIMCHI allegedly “the dev is able to create unlimited supply and suck dry the entire supply, and probably will.”
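The two concerns raised above, a developer fund held by a plain wallet whose keys one person controls, and a mint function with no supply cap, are both visible at the contract level. The following is an added illustrative example written for this page; it is not SushiSwap’s, KIMCHI’s or any listed project’s code, and the contract names, the `devFund` and `minter` roles, and the cap value are assumptions. It shows a minimal token with the unrestricted owner mint the KIMCHI commenter describes, next to a version with a hard cap, the 1/11 dev share quoted in the report, and the dev share routed to a contract address (intended to be a timelock) rather than an externally owned key.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative example for this article; not the code of any project discussed.

// Pattern A: the weak setting. The deployer keeps an unrestricted mint(),
// so total supply is bounded only by the owner's restraint.
contract UncappedMintToken {
    string public constant name = "Example Uncapped";
    address public owner;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    constructor() {
        owner = msg.sender;
    }

    // Nothing stops the owner from minting an arbitrary amount to itself
    // and selling into the pool ("dumping") without warning.
    function mint(address to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}

// Pattern B: the same token with the controls a reviewer would look for:
// a hard supply cap, a fixed dev share, and the dev share sent to a
// contract (assumed to be a timelock or governance contract) rather than
// to a wallet one person holds the keys for.
contract CappedMintToken {
    string public constant name = "Example Capped";
    uint256 public immutable cap;      // hard ceiling on totalSupply
    address public immutable devFund;  // assumed: timelock/governance contract
    address public minter;             // assumed: the rewards/staking contract
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    constructor(uint256 cap_, address devFund_, address minter_) {
        // Heuristic check only: a contract address is necessary for a timelock
        // but not sufficient (an owner-controlled contract also has code).
        // Reviewers still need to read what is deployed at devFund_.
        require(devFund_.code.length > 0, "dev fund must be a contract");
        cap = cap_;
        devFund = devFund_;
        minter = minter_;
    }

    // Every mint of `amount` to a user also mints amount/10 to the dev fund,
    // so the dev share is 1/11 of total issuance (about 9%), which is the
    // arithmetic the report quotes rather than a flat 10%.
    function mint(address to, uint256 amount) external {
        require(msg.sender == minter, "not minter");
        uint256 devShare = amount / 10;
        require(totalSupply + amount + devShare <= cap, "cap exceeded");
        totalSupply += amount + devShare;
        balanceOf[to] += amount;
        balanceOf[devFund] += devShare;
    }
}
```

When checking a live project, the practical questions are the ones this contrast makes concrete: is there any code path that increases `totalSupply` without a cap, who can call it, and is the address that receives the developer share a contract with a delay or vote in front of withdrawals, or simply a key.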
Jason Choi, Head of Research at Spartan Group, a blockchain advisory and investment firm, on the other hand, finds that a newly-created project like this has the power to “incentivize any type of user behavior it wants.”
1/ Today, any project can issue its own token, and immediately imbue it with perceived market value by listing it on Uniswap and enabling price discovery from day 1.
This enables projects to incentivize any type of user behavior it wants.
— Jason Choi (@mrjasonchoi) September 2, 2020