Safety Second: Top DeFi Projects By Highest Audit Scores
The anonymous DefiSafety team looked into popular decentralized finance (DeFi) projects and their code, scoring each platform and finding that six have overall scores above 80%, with Synthetix Exchange leading the list. SushiSwap, on the other hand, scored less than 20%.
The team behind the report is anonymous, but yearn.finance (YFI) developer Andre Cronje described their work as "a great public source," and their website also shows recommendations from other security experts, such as John Mardlin, Security Engineer at ConsenSys Diligence.
On their website, DefiSafety provides an explanation of what a DeFi audit is, what the process entails, what questions/categories are looked into when doing an audit, and why an audit is needed. "DeFi asks us to trust smart contracts, rather than companies, governments or individuals. They ask you to trust the code," said the team behind the report, adding that they checked the code, how it was developed, and tested, providing the results.
Per their report, out of the seventeen currently listed, there are six top-scoring projects, if we look at those with a score of 80% and above. "The % score is how close to perfect they follow process and quality best practices," the report said.
- Synthetix Exchange with an overall score of 96% takes the first spot on the auditors' list, and it's the only one with a score above 90%. As for the four individual categories, it got 100% in executing code verification, 92% in documentation, 87% in testing, and 100% in audit - with the team providing more details for each of the scores.
- Compound, with an overall score of 88%, is second; it was at the start of the latest yield farming craze, at one point becoming the most valuable token in the DeFi space.
- Uniswap DEX has a score of 86%. Per DeFi Pulse, it's currently the largest DeFi platform by total value locked, with 19.56% dominance.
- MakerDAO has an overall score of 85%.
- Aave follows closely with 84%. As reported, Aave at one point flipped Maker as the largest DeFi platform by total value locked.
- Opyn Protection is the last in this group, with a score of 80%.
As for the other platforms, dYdX stands at 77%, followed by Balancer Finance with 74%. Balancer's lowest score was in executing code verification, at 57%. Balancer followed Compound into the spotlight quickly, recording major price increases along the way. In late June, Balancer was hacked, reportedly with USD 500,000 worth of crypto stolen. The attack was funded with a flash loan in ether (ETH) taken from dYdX.
Curve Finance got a score of 68%. Its 'verification' category is marked red, having scored just 13%; its 'testing' is above 50%, and the other two categories are above 90% each. The project itself was launched prematurely by an anonymous developer and then adopted by the team behind it. In the second half of August, news broke that the project founder held some 71% of the voting power.
Next up is another much-discussed project and the latest newcomer to DefiSafety's list, yearn.finance, with a score of 66%. Its lowest score is 45% in documentation. The platform and its YFI token have been busy, it seems: yearn.finance now has a whopping USD 884 million in total value locked, despite a 3.6% drop in the last 24 hours, placing it fifth on the DeFi Pulse list, ahead of Synthetix and behind Curve. Recently, the platform launched its yETH vault.
Instadapp got 55%, Spaghetti Pasta 43%, NUO Network 28%, and YAM Finance 25%. As for YAM, the report said that this is the first version, the one "with [a] bug." As previously reported, YAM was soaring high for several days, despite its creators warning about the dangers that come with unaudited projects. However, the team discovered that a code bug would "interact with the governance module" and prevent a proposal that could've saved the project from failing. But its second version was announced right away.
The latest newcomer to the DeFi space, SushiSwap, got a low overall grade of 19%. Broken down by component, its testing scored 50%, documentation 20%, executing code verification 14%, and audit 0%.
As reported, SushiSwap has warned its supporters that it is unaudited and is in search of auditors. One blockchain security firm, Quantstamp, answered the call and found ten issues in the platform. These include a failure to prevent the same liquidity provider (LP) token from being added more than once, and a vulnerability that could potentially allow the theft of funds, among others, though none were rated critical.
Also, SushiSwap creator 'Chef Nomi' previously said that 10% of every minted SUSHI will be set aside for future development, adding: "No VC, only community fund." However, the report stated that it's actually "1/11 = 9% of the total sushi distribution," instead of 10%: the developer share is minted on top of each reward rather than carved out of it, so it comes to one eleventh of total issuance.
Moreover, Adam Cochran, partner at Cinneamhain Ventures, looked into the project and said that, while he initially presumed the developer fund was going to a wallet locked by either a governance vote or a time lock, it was actually a wallet to which Chef Nomi holds the keys.
It seems, however, it is just a generic wallet that the SushiSwap admin has keys for.
That means without warning you could be dumped on.
Now, I've been impressed with the results of SushiSwap and the team's professionalism so far, but, let's take a step back
2/6— Adam Cochran (@AdamScochran) September 1, 2020
Lastly, per the DefiSafety report, the first, hacked version of bZx Trading got 17%, and Based has 10%.
Meanwhile, there are reports that another project named after a tasty food item, KIMCHI, seemingly supported by Arthur Hayes, was experiencing issues. A commenter looking into the project's code said that, while "the [SUSHI] owner has 10% of the sushi supply," with KIMCHI allegedly "the dev is able to create unlimited supply and suck dry the entire supply, and probably will."
Jason Choi, Head of Research at Spartan Group, a blockchain advisory and investment firm, on the other hand, finds that a newly created project like this has the power to "incentivize any type of user behavior it wants."
1/ Today, any project can issue its own token, and immediately imbue it with perceived market value by listing it on Uniswap and enabling price discovery from day 1.
This enables projects to incentivize any type of user behavior it wants.
— Jason Choi (@mrjasonchoi) September 2, 2020