DeFi Savings Security Assurance
DeFiner has the Ethereum Smart Contract written in the Solidity language. These smart contracts are the core components of our non-custodial decentralized savings contracts. To ensure the security and quality of our contracts we are following the following best practices:
Here are our fundamental preparation works for our testing and security assurance.We wrote migration scripts for different network environments to ensure the auto and smooth migration. Also, we have professional developers help creating test cases for both unit and integration tests. Meanwhile, we performed gas cost analysis to control the gas limit. Continuous integration was introduced into every iteration during the development cycle to improve on the code quality and tests coverage.
Migration Scripts for Different Networks
DeFiner writes migration scripts for different networks. This would allow us to quickly deploy our contracts over these networks. These networks include:
- Local Ganache
- Geroli etc.
- Mainnet forked Ganache
Writing Test Cases
We write the test cases in truffle framework to test each functionality of the contracts. For this testing, we are going to use TypeChain along with truffle. TypeChain allows us to write test cases more efficiently and quickly. We would write Unit tests as well as integration tests to ensure the quality of the code.
Gas Cost Analysis
We use the gas cost analyzers to find the gas cost incurred by the functions. This report we can use to improve the gas consumption of the contract functions.
Continuous Integration (CI)
We set up a Continues Integration (CI) environment to test the contracts when there are any new changes that are done in code or in test cases. With this CI integration, we also generate our code coverage reports.
We generate code coverage reports using continuous integration. This helps us achieve more than 80% of the code coverage.
Initial Code Complete (March 8th,2020)
On March 8th,2020, we completed all the functionalities of our DeFi Savings account and started the code freeze. After that, we started to focus on testing and improvement. Unit, integration and systematic testing had been preformed.
We started the unit testing immediately after the freeze of our DeFi Savings code development. This can help us to validate that each unit of the smart contract performs as designed.
We also performed the integration testing where individual units are combined and tested as a group. In this way we can expose faults in the interaction between integrated units.
Systematic Testing with Mainnet forked Ganache
The unit and integration test cases that we write are mostly for local Ganache instance. However, as we are going to use the Compound as an external contract, we also tested our contracts with Mainnet-forked-ganache as well. This would allow us to mimic the Ethereum mainnet behavior of our smart contracts.
Alpha Launch (April 20th,2020)
Security of the Ethereum smart contracts is essential considering the multiple vulnerabilities discovered in the recent past. To improve the security of the contract we have followed the best practices.
We would launch our product on the testnet to allow users and the DeFiner team to test the contracts on the testnet environment. This step would allow us to improve the quality of the code and find the bugs which were not discovered during the previous steps.
After the alpha launch, we invited test users to help us continue improve the quality of the smart contract and perform manual testing.
There are some code linters available for Solidity. We use the “Solhint” and “Solium” to lint our Solidity code. These tools would help our code to improve the quality of the code and remove the minor issues from code.
The Surya tool is helpful in understanding and different behavior of the contracts. We would generate different Surya reports and analyze to ensure the quality of the code. These reports include:
- Inheritance graph for contract architecture and inheritance.
- Mdreport to understand the different modifiers of the contract functions.
We use the following static analysis tools for Solidity language.
These tools would help us in improving the security of our contracts as they report possible vulnerabilities in contract code.
External Security Audit
After completing all the above steps we would go for a third party external security audit of the contracts. We would choose the best external security auditing firm according to our budget and their credentials. After the security audit, we would go for a beta launch.
We will follow the advanced security auditing tools to find corner cases. Echidna is one of the best fuzzer in the market to ensure that the contract’s invariants are working as expected. These tools fuzz the contract with many arbitrary inputs and report any failures of invariants
Pre- Beta launch Bug Bounty
We would launch our bug bounty program before our beta launch. This is to invite all the whitehat hackers to test our contracts and report us if they find any vulnerabilities.
After the external security audit and fuzzing, we would achieve a high level of confidence to assure the security of the smart contract. We would launch the beta version of our product on Ethereum mainnet and open it for general users to try and test our product. At the meantime, we will invite whitehat hackers to continue to improve the quality of the smart contract and organize post-beta launch bug bounty as an on-going activities.
Invite whitehat hackers
Whitehat hackers will be invited to perform penetration testing and in other testing methodologies to ensure the security of DeFi Savings account.
Post - Beta Launch Bug Bounty
After the beta launch, we would open the post-launch bug bounty program. This bug bounty would be an ongoing program.