Difference between revisions of "Goldfinch Protocol (GFI)"

From CryptoWiki

Line 10: Line 10:
==Audits & Exploits==
==Audits & Exploits==


*[[Bug bounty]] program can be found [insert here].
*This protocol offers an [https://immunefi.com/bounty/goldfinch/ active] [[bug bounty]] of $500K (5-4-2022).
*Scored [https://www.defisafety.com/app/pqrs/424 93%] on [[DeFi Safety]] (5-4-2022):
''"As per the SLOC, there is 329% testing to code (TtC). This protocol does not detail code coverage testing. There is nonetheless evidence of robust testing undertaken on this protocol. Multiple test reports are documented in their Monorepository's CLI. This protocol has not undergone formal verification. This protocol has undergone multiple audits, though it is unclear when the protocol launched. While the token launch is documented, the lending borrowing aspect is of an undocumented time origin. It is that each iteration is being audited nonetheless with V1, V2 and V2.2s all receiving [https://github.com/goldfinch-eng/goldfinch-contracts separate] audits."''
 
* Previously scored 50%. With the [https://t.me/c/1453353094/8218 comment]:
 
''"Goldfinch falls short of a podium place when it comes to process quality. This little bird has achieved a lot but it's clear that more is needed before it is ready to leave momma bird's nest. At 59%, Goldfinch is only 11% short of a passing grade that merits this departure.''
 
''On the surface, Goldfinch has an attractive bug bounty program that will go some way to make the code golden. A pre-deployment audit really polished Goldfinch's shine, and both factors show the protocol’s dedication to delivering safe code to its users.''
 
''Nevertheless, below the surface there is insufficient information relating to [[the DAO]] and team’s upgrade permissions of the Goldfinch smart [[contracts]]. Unclear information regarding the  software enforcement of the voting periods that act as a timelock is also present.''
 
''In addition, their testing requires a little more organisation and development. Their [[Trail of Bits]] audit identified that Goldfinch needs to further expand their testing suite with additions like code coverage and CI, and we concur with this statement. We would also like to point out that this audit also mentions insufficient software architecture documentation. Indeed, we found minimal details regarding the breakdown of Goldfinch’s smart [[contract]] functions apart from a surface-level interactions diagram."''


===Bugs/Exploits===
===Bugs/Exploits===
Line 16: Line 28:
===Admin Keys===
===Admin Keys===


* From their [https://medium.com/goldfinch-fi/introducing-the-goldfinch-protocol-token-gfi-e09579fd9740 blog] (11-1-2022):
* [https://www.defisafety.com/app/pqrs/424 From] [[DeFi Safety]] (5-4-2022):
''"Goldfinch's contracts are clearly identified in this [https://dev.goldfinch.finance/docs/reference/upgradeability location]. Each contract that is either upgradeable or fixed is well explained for users to identify. Goldfinch's [[smart contract]] ownership is adequately detailed as being a 6-of-10 [[MultiSig]]. Change capabilities are clearly identified in each contract's software function documentation. This could be explained in plainer language, but the information is all present. The ability for the DAO to pause [[smart contracts]] is [https://docs.goldfinch.finance/goldfinch/governance detailed]. In addition, there is a good pausability section in their documentation that details which circumstances it should be triggered under. There is no mention on tests. Goldfinch does not use a [[timelock]], and this is explained in their [https://dev.goldfinch.finance/docs/reference/timelock documentation]. This is justified on the grounds that their multisig is sufficiently stringent."''
*From their [https://medium.com/goldfinch-fi/introducing-the-goldfinch-protocol-token-gfi-e09579fd9740 blog] (11-1-2022):


''"The Goldfinch Council is a 6-of-10 [[multisig]] with 10 members who represent all stakeholders of the protocol."''
''"The Goldfinch Council is a 6-of-10 [[multisig]] with 10 members who represent all stakeholders of the protocol."''
Line 67: Line 81:
==Technology==
==Technology==


*[[Whitepaper]] can be found [insert here].
*[[Whitepaper]] or docs can be found [https://docs.goldfinch.finance/goldfinch/ here].
*Code can be viewed [insert here].
*Code can be viewed [https://github.com/goldfinch-eng here]. [https://www.defisafety.com/app/pqrs/424 From] [[DeFi Safety]] (5-4-2022):
''"At an astonishing 3458 commits, this repository is one of the most well maintained testaments to developer history we've ever seen - it is truly golden."''
*Built on: [[Ethereum]]
*Built on: [[Ethereum]]


Line 84: Line 99:
===Other Details===
===Other Details===
==Oracle Method==
==Oracle Method==
==Privacy Method==
 
* [https://www.defisafety.com/app/pqrs/424 From] [[DeFi Safety]] (5-4-2022):
 
''"Goldfinch does not use [[Oracle|oracles]]. This is explained in their documentation [https://dev.goldfinch.finance/docs/reference/oracles/ here]. Instead, their protocol relies on specific non-transferable UID tokens based on identity requirements. [[Frontrunners|Front-running]] is considered in their [https://dev.goldfinch.finance/docs/reference/front-running documentation]. Due to the [[permissioned]] nature of the protocol, [[front running]] is mitigated. This is an impressive breakdown of how this might be countered. Users should feel like this protocol has done a significant amount of security researching - we've never seen this attack vector so carefully considered. Goldfinch is [https://dev.goldfinch.finance/docs/reference/flashloans not vulnerable] to [[Flash Loan|flashloan]] attack. This is because they are mitigated by Goldfinch's design (i.e. a 0.5% withdrawal fee)."''
 
==Compliance==
==Compliance==
==Their Other Projects==
==Their Other Projects==
==Roadmap==
==Roadmap==


*Can be found [Insert link here].
*Can be found [Insert [[LINK|link]] here].
==Usage==
==Usage==


Line 121: Line 140:


*Full team can be found [here].
*Full team can be found [here].
*[https://www.defisafety.com/app/pqrs/424 From] [[DeFi Safety]] (5-4-2022):
''"[[MANY|Many]] contributors to Goldfinch are public and they cross-confirm their commitment to the protocol on personal social media."''


===Funding===
===Funding===

Revision as of 08:29, 6 June 2022

“Goldfinch is a decentralized credit platform that broadens the pool of potential lenders beyond just banks,” Simpson of Goldfinch investor a16z posted.

Basics

History

Audits & Exploits

"As per the SLOC, there is 329% testing to code (TtC). This protocol does not detail code coverage testing. There is nonetheless evidence of robust testing undertaken on this protocol. Multiple test reports are documented in their Monorepository's CLI. This protocol has not undergone formal verification. This protocol has undergone multiple audits, though it is unclear when the protocol launched. While the token launch is documented, the lending borrowing aspect is of an undocumented time origin. It is that each iteration is being audited nonetheless with V1, V2 and V2.2s all receiving separate audits."

  • Previously scored 50%. With the comment:

"Goldfinch falls short of a podium place when it comes to process quality. This little bird has achieved a lot but it's clear that more is needed before it is ready to leave momma bird's nest. At 59%, Goldfinch is only 11% short of a passing grade that merits this departure.

On the surface, Goldfinch has an attractive bug bounty program that will go some way to make the code golden. A pre-deployment audit really polished Goldfinch's shine, and both factors show the protocol’s dedication to delivering safe code to its users.

Nevertheless, below the surface there is insufficient information relating to the DAO and team’s upgrade permissions of the Goldfinch smart contracts. Unclear information regarding the software enforcement of the voting periods that act as a timelock is also present.

In addition, their testing requires a little more organisation and development. Their Trail of Bits audit identified that Goldfinch needs to further expand their testing suite with additions like code coverage and CI, and we concur with this statement. We would also like to point out that this audit also mentions insufficient software architecture documentation. Indeed, we found minimal details regarding the breakdown of Goldfinch’s smart contract functions apart from a surface-level interactions diagram."

Bugs/Exploits

Governance

Admin Keys

"Goldfinch's contracts are clearly identified in this location. Each contract that is either upgradeable or fixed is well explained for users to identify. Goldfinch's smart contract ownership is adequately detailed as being a 6-of-10 MultiSig. Change capabilities are clearly identified in each contract's software function documentation. This could be explained in plainer language, but the information is all present. The ability for the DAO to pause smart contracts is detailed. In addition, there is a good pausability section in their documentation that details which circumstances it should be triggered under. There is no mention on tests. Goldfinch does not use a timelock, and this is explained in their documentation. This is justified on the grounds that their multisig is sufficiently stringent."

  • From their blog (11-1-2022):

"The Goldfinch Council is a 6-of-10 multisig with 10 members who represent all stakeholders of the protocol."

DAO

"The protocol is now governed by the community via the Goldfinch Council and the community can actively participate in governance at gov.goldfinch.finance"

Treasury

Token

Launch

Token Allocation

  • From their blog (11-1-2022):

"Tokens have been allocated to over 13K participants in the protocol, including retroactive distributions for Liquidity Providers in the Senior Pool and Flight Academy participants.

The allocations of GFI should reflect the value of contributors thus far while incentivizing all participants in the community to help grow the protocol. The initial allocation of the total supply of GFI are as follows:

  1. Liquidity Providers (16.2%)
  2. Backers (8.0%)
  3. Auditors (3.0%)
  4. Borrowers (3.0%)
  5. Community Treasury (14.8%)
  6. Early and Future Team (28.4%)
  7. Warbler Labs (4.4%)
  8. Early Supporters (21.6%)

There is currently no inflation, but we expect it will be beneficial for the protocol to incorporate modest inflation after 3 years in order to incentivize future active participants. Ultimately this will be up to the community to discuss and decide."

Utility

  • From their blog (11-1-2022):
  1. "Community Governance: GFI holders participate in governance to decide on the direction of the protocol. This is now live at gov.goldfinch.finance. Community votes will guide the decisions of the Goldfinch Council, described in more detail below.
  2. Backer Staking: Backers can stake their GFI tokens on particular Backers in order to signal consensus ahead of time when those Backers participate in borrower pools. This GFI also serves as a backstop against potential loan defaults.
  3. Auditor Votes: Auditor votes are required to grant Borrowers permission to borrow from the protocol. Borrowers pay for these votes with the GFI token.
  4. Auditor Staking: Auditors stake the GFI token in order to be selected to participate in Auditor Votes.
  5. Participant Incentives: All participants receive ongoing distributions to incentivize their participation. This includes Liquidity Providers who supply to the Senior Pool, Backers who both supply to Borrower Pools and stake on other Backers, Auditors who stake to participate in votes, and Borrowers who successfully repay their pools.
  6. Community Grants: The community can decide to provide grants to participants that meaningfully contribute to the Goldfinch protocol and ecosystem."

Other Details

Stablecoin

Coin Distribution

Technology

"At an astonishing 3458 commits, this repository is one of the most well maintained testaments to developer history we've ever seen - it is truly golden."

How it works

"The protocol works by extending credit lines to lending businesses. These businesses draw down stablecoins from Goldfinch’s token pool, and then they exchange it for fiat and deploy it on the ground in their local markets. On the investor side, crypto holders can deposit into the pool to earn yield. Lending businesses’ interest payments to the protocol are immediately disbursed to all investors."

Fees

Upgrades

Staking

Validator Stats

Liquidity Mining

Scaling

Interoperability

Other Details

Oracle Method

"Goldfinch does not use oracles. This is explained in their documentation here. Instead, their protocol relies on specific non-transferable UID tokens based on identity requirements. Front-running is considered in their documentation. Due to the permissioned nature of the protocol, front running is mitigated. This is an impressive breakdown of how this might be countered. Users should feel like this protocol has done a significant amount of security researching - we've never seen this attack vector so carefully considered. Goldfinch is not vulnerable to flashloan attack. This is because they are mitigated by Goldfinch's design (i.e. a 0.5% withdrawal fee)."

Compliance

Their Other Projects

Roadmap

  • Can be found [Insert link here].

Usage

"On April 26, Goldfinch’s loanbook hit $100M. Last February, the protocol had $1M in loans."

  • From their blog (11-1-2022):

"We’re already seeing the beginnings of this. Active loans on the protocol doubled every two months in 2021, up 154X from $250K a year ago to now $39M that is financing 200K+ borrowers across 18 countries. This capital is being used for a wide range of productive uses from motorcycle taxis in Kenya, to small businesses in Brazil, to eco-friendly cookstoves for low-income households in India — just to name a few. All of this growth is thanks to the incredible Goldfinch community. To date, 35K+ people have completed KYC and 5K+ people are actively participating as Liquidity Providers and Backers through the protocol. Plus, the Goldfinch Discord has quickly grown to a lively community of 45K+ people from all over the world."

Projects that use or built on it

"Said it’s working with PayJoy in Mexico, Aspire in Southeast Asia, and QuickCheck in Nigeria, which have collectively drawn down $1M from the Goldfinch protocol and deployed it to thousands of their end borrowers."

Competition

“Goldfinch is offering these real loans that are tied to real world activity [and] still has really good yields,” co-founder West told The Defiant.

He noted that yields on protocol Compound Finance are around 2% while Goldfinch’s senior tranche is more than 8%. The protocol offers the senior tranche to passive investors and a higher yielding junior tranche to “backers” who actually propose and negotiate with borrowers on a per-investment basis.

West said projects like Centrifuge, Maple Finance, and TrueFi are making moves in the unsecured loan space. He contends “unsecured,” meaning the loan isn’t collateralized, is a misnomer because the debt is backed by off-chain assets."

Pros and Cons

Pros

Cons

Team, Funding, Partnerships, etc.

Team

"Many contributors to Goldfinch are public and they cross-confirm their commitment to the protocol on personal social media."

Funding

  • From their blog (6-1-2022):

"Announced an additional $25M in funding, led by Andreessen Horowitz (a16z crypto). Newcomers include Bill Ackman, Blocktower, Kingsway Capital, Helicap, YC Alumni Fund, Jinglan Wang, MSA Capital, and more. All prior investors in Goldfinch participated as well, including Kindred Ventures and Stratos Technologies."

"Goldfinch today also announced it has received $1M in funding from investors including Kindred Ventures, Coinbase Ventures, IDEO CoLab Ventures, Stratos Technologies, Variant Fund, Alex Pack, and Robert Leshner."

Partners
