Difference between revisions of "DeFi Saver"

From CryptoWiki

m (1 revision imported)
 
Line 6: Line 6:


==History==
==History==
==Audits & Exploits==
*[[Bug bounty]] program can be found [https://medium.com/defi-saver/defi-saver-bug-bounty-is-now-live-on-immunefi-56af32d0c220 here] with less than 50K (3-6-2021). [https://www.defisafety.com/app/pqrs/428 Update] (11-5-2022):
''"This protocol offers an active bug bounty of [https://immunefi.com/bounty/defisaver/ $250K]. [[DeFi]] Saver has a [[Total Value Locked (TVL)|TVL]] of $422M, which places their bug bounty at 0.000592% of their TVL."''
*Scored [https://www.defisafety.com/app/pqrs/428 88%] on [[DeFi Safety]] (11-5-2022):
''"There is implicit traceability between software documentation and implemented code. No coverage report found, but there is a relatively complete set of tests. This protocol has not undergone formal verification. [[Consensys]] audited DeFi Saver's Recipes from March 22nd 2021 to April 2nd 2021. In this audit, all non-minor issues were fixed.  [[Dedaub]] audited DeFiSaver Recipes on March 30th 2021 at commit cb29669a. All issues were resolved or dismissed.  Dedaub also audited DeFiSaver's V3 Strategies in December 2021. All issues were low severity or advisory issues. All issues were either closed or dismissed. This protocol is clearly well audited, however we are docking 10% due to their pre-audit deployment."''
With the [https://t.me/c/1453353094/9067 comment]:
''"Your friendly neighborhood protocol scores above 85% in all sections except for testing, leaving some room for improvement for the DeFi management protocol.''
''Unfortunately, the saver we needed but didn't deserve reportedly had half of its testing score evaporate following the Thanos snap. Adding [[testnet]] deployments, test reports, coverage reports, and a formal verification test will repopulate this score.''
''There were also two times when uncle Ben suffered a security incident, as documented in our hack history section. However, due to quick response times, the team was able to DeFi Save users' funds.''
''Meanwhile, the protocol hits all targets in the area of Admin Controls. It clearly documents the upgradeable and [[immutable]] aspects of the software, while simultaneously fully detailing the ownership and timelock parameters. Tony Stark holds no control over this one."''
*Previously [https://defisafety.com/2021/06/03/defi-saver/ scored] 71% (3-6-2021): ''"[[Defi]] Saver has had an [https://github.com/DecenterApps/defisaver-contracts/blob/master/audits/Dedaub%20-%20DeFi%20Saver%20Automation%20Audit%20-%20February%202021.pdf audit] done by Debaub in Feb. 2021, an additional Debaub [https://github.com/DecenterApps/defisaver-v3-contracts/blob/main/audits/Dedaub-Mar-2021.pdf audit] in Mar. 2021, and a [[Consensys]] audit in Mar. 2021. All of the audits had multiple significant issues.  Many were fixed but given the concern we drop the 100% to 70%."'' With the [https://t.me/c/1453353094/3217 comment]: ''"These guys worked hard with us to improve their score.  That kind of effort means security.  Solid guys."''
===Bugs/Exploits===
* [https://www.defisafety.com/app/pqrs/428 From] [[DeFi Safety]] (11-5-2022):
''"Date: 05 Jan 2021''
''Details: Debaub, DeFi Saver's auditor of choice, [https://media.dedaub.com/ethereum-pawn-stars-5-7m-in-hard-assets-best-i-can-do-is-2-3m-b93604be503e found] a vulnerability where users who imported [[Compound]] positions were at risk. Upon the discovery, DeFi Saver rapidly performed a white hack to secure user funds. The discovery and securing process is outlined here: <nowiki>https://blog.defisaver.com/disclosing-a-recently-discovered-vulnerability/</nowiki>. Thanks to the detection and response, this vulnerability was never exploited (other than DeFi Saver's white hack of course). This event is not a hack, but a security incident.''
''Date: 08 Oct 2020''
''Details: DeFi Saver had a [https://medium.com/@david.desjardins_41006/no-defi-saver-did-not-lose-user-funds-1f207c427a8f known vulnerability] which was mitigated but later exploited by a frontrunner. Funds were later returned by the exploiter."''
*[https://weekinethereum.substack.com/p/week-in-ethereum-news-january-10?token=eyJ1c2VyX2lkIjoxMzk3OTAwLCJwb3N0X2lkIjozMTE4MDU5OSwiXyI6ImM5eFJuIiwiaWF0IjoxNjEwMzU2MTExLCJleHAiOjE2MTAzNTk3MTEsImlzcyI6InB1Yi0xMDcxIiwic3ViIjoicG9zdC1yZWFjdGlvbiJ9.EsqyeNo2iaAl1 From] [[Week in Ethereum]] (11-1-2021):
''"[https://medium.com/dedaub/ethereum-pawn-stars-5-7m-in-hard-assets-best-i-can-do-is-2-3m-b93604be503e Vulnerability] found by [[Dedaub]]’s automated static analysis, [[white hat]] exploited for ~3.5m."''
== Governance ==
===Admin Keys===
* [https://www.defisafety.com/app/pqrs/428 From] [[DeFi Safety]] (11-5-2022):
''"[[Immutable|Immutability]]/upgradability is described [https://docs.defisaver.com/protocol/security-and-audits/admin-access-control here]. The main takeaway for users should be that the DFS Registry and Exchange Wrapper Allowlist [[contracts]] and owned and upgradeable through a [[Multi-Signature|multisig]] owner. This means that although recipe [[Smart Contract (SC)|contracts]] may be mostly immutable, their respective [[Address|addresses]] could be changed in the DFS Registry which essentially renders the recipe [[contract]] upgradable. For all intents and purposes, the protocol is clearly labelled as upgradable. All relevant contracts can essentially be paused. The Owner [[multisig]] can kill contracts Since all the relevant contracts do not hold funds, a contract can be killed without causing a loss of funds. The effect of killing a contract (or reverting in DFSRegistry) is then essentially the same as pausing. There is no evidence of testing this explicitly documented. DeFi Saver documents a 7 day [[timelock]] for core contracts while other contracts used in strategies have a timelock of 1 day."''
*[https://docs.defisafety.com/finished-reviews/defi-saver#audits From] DeFi Safety (3-6-2021):
''"Access controls are clearly labelled in their [https://docs.defisaver.com/protocol/security-and-audits/admin-access-control Documentation]. a) upgradability is indicated clearly for automation [[smart contracts]], and vaguely for protocol smart contracts: 20%. b) Type of ownership is clearly indicated for Automation smart contracts, but not protocol action contracts: 15% c) Capabilities for change in the contracts is not described: 0%.  Pause control not documented or explained."''
===DAO===
===Treasury===
==Token==
==Token==
===Launch===
===Launch===
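Review bot: the Week in Ethereum citation in the Bugs/Exploits list carries a ?token=eyJ… query string after the article path. That value has the shape of a base64-encoded token issued to whoever copied the link, not part of the article address, so the citation should use the bare https://weekinethereum.substack.com/p/week-in-ethereum-news-january-10 URL. The same section also spells the auditor both Dedaub and Debaub and links the same Dedaub write-up under two hosts (media.dedaub.com and medium.com/dedaub); settle on one of each, marking the quoted misspelling if the quote is kept verbatim.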
Line 15: Line 59:
==Technology==
==Technology==


*[[Whitepaper]] can be found [insert here].
*[[Whitepaper]] or docs can be found [https://docs.defisaver.com/ here].
*Code can be viewed [insert here].
*Code can be viewed [https://github.com/defisaver here]. [https://www.defisafety.com/app/pqrs/428 From] [[DeFi Safety]] (11-5-2022):
''"With 679 commits and 19 branches, this is a healthy, active repository."''
*Built on: [[Ethereum]]
*Built on: [[Ethereum]]
*Programming language used:
===Transaction Details===
*Capacity ([[TPS]]):
*[[Latency]]:


===How it works===
===How it works===
===Mining===
===Fees===
===Upgrades===
===Staking===
===Staking===
===Liquidity Mining===
===Liquidity Mining===
===Layer Two===
===Different Implementations===
===Different Implementations===
===Interoperability===
===Interoperability===
===Other Details===
===Other Details===
==Privacy Method being used==
==Oracle Method==
===Compliance===
==Oracle Method being used==
==Their Other Projects==
===DEX===
==Governance==
===Admin Keys===


* [https://docs.defisafety.com/finished-reviews/defi-saver#audits From] [[DeFi Safety]] (3-6-2021):
* [https://www.defisafety.com/app/pqrs/428 From] [[DeFi Safety]] (11-5-2022):


''"Access controls are clearly labelled in their [https://docs.defisaver.com/protocol/security-and-audits/admin-access-control Documentation]. a) upgradability is indicated clearly for automation [[smart contracts]], and vaguely for protocol smart contracts: 20%. b) Type of ownership is clearly indicated for Automation smart contracts, but not protocol action contracts: 15% c) Capabilities for change in the contracts is not described: 0%.  Pause control not documented or explained."''
''"DeFi Saver does not use [[Oracle|oracles]] of their own. Although technically users may interact with [[oracles]] when exchanging, the oracles are delegated to [[Uniswap (UNI)|Uniswap]] or [[Kyber Network (KNC)|Kyber Network]]. All potential for [[Flash Loan|flashloan]] attacks are mitigated through the composing protocols' oracles."''


===DAO===
==Compliance==
===Treasury===
==Their Other Projects==
==Upgrades==
==Roadmap==
==Roadmap==


*Can be found [Insert link here].
*Can be found [Insert link here].
==Audits==
*[[bug bounty|Bug bounty]] program can be found [https://medium.com/defi-saver/defi-saver-bug-bounty-is-now-live-on-immunefi-56af32d0c220 here] with less than 50K (3-6-2021).
*Got a [https://defisafety.com/2021/06/03/defi-saver/ score] of 71% on [[DeFi Safety]] (3-6-2021): ''"Defi Saver has had an [https://github.com/DecenterApps/defisaver-contracts/blob/master/audits/Dedaub%20-%20DeFi%20Saver%20Automation%20Audit%20-%20February%202021.pdf audit] done by Debaub in Feb. 2021, an additional Debaub [https://github.com/DecenterApps/defisaver-v3-contracts/blob/main/audits/Dedaub-Mar-2021.pdf audit] in Mar. 2021, and a [[Consensys]] audit in Mar. 2021. All of the audits had multiple significant issues.  Many were fixed but given the concern we drop the 100% to 70%."'' With the [https://t.me/c/1453353094/3217 comment]: ''"These guys worked hard with us to improve their score.  That kind of effort means security.  Solid guys."''
===Bugs/Hacks===
* [https://weekinethereum.substack.com/p/week-in-ethereum-news-january-10?token=eyJ1c2VyX2lkIjoxMzk3OTAwLCJwb3N0X2lkIjozMTE4MDU5OSwiXyI6ImM5eFJuIiwiaWF0IjoxNjEwMzU2MTExLCJleHAiOjE2MTAzNTk3MTEsImlzcyI6InB1Yi0xMDcxIiwic3ViIjoicG9zdC1yZWFjdGlvbiJ9.EsqyeNo2iaAl1 From] [[Week in Ethereum]] (11-1-2021):
''"[https://medium.com/dedaub/ethereum-pawn-stars-5-7m-in-hard-assets-best-i-can-do-is-2-3m-b93604be503e Vulnerability] found by [[Dedaub]]’s automated static analysis, white hat exploited for ~3.5m."''


==Usage==
==Usage==
===Projects that use or built on it===
===Projects that use or built on it===
==Competition==
==Competition==
==Coin Distribution==
==Pros and Cons==
==Pros and Cons==
===Pros===
===Pros===
===Cons===
===Cons===
==Team, Funding, Partnerships, etc.==
==Team, Funding, Partners==
===Team===
===Team===


Line 83: Line 102:
Making these free wiki pages is fun but takes a lot of effort and time.
Making these free wiki pages is fun but takes a lot of effort and time.


If you have enjoyed reading, tips are appreciated :) This will help us to keep expanding this archive of information.
If you have enjoyed reading, tips are appreciated:) This will help us to [[keep]] expanding this archive of information.
 
 


[[ETH]] tip [[address]]: 0x83460bE5F218b1520B69D702cE60A1DE37dD8E31
[[ETH]] tip [[address]]: 0x83460bE5F218b1520B69D702cE60A1DE37dD8E31
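Review bot: in the tip paragraph, one side of the change wraps the ordinary verb "keep" in a wikilink ([[keep]]) and drops the space before ":)". Neither looks intended, and the link would send readers to a page named keep that has nothing to do with the sentence; restore the plain wording from the other side of the diff.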

Latest revision as of 08:50, 6 June 2022

Basics

  • Based in:
  • Started in / Announced on:
  • Mainnet release:

History

Audits & Exploits

  • Bug bounty program can be found here with less than 50K (3-6-2021). Update (11-5-2022):

"This protocol offers an active bug bounty of $250K. DeFi Saver has a TVL of $422M, which places their bug bounty at 0.000592% of their TVL."

  • Scored 88% on DeFi Safety (11-5-2022):

"There is implicit traceability between software documentation and implemented code. No coverage report found, but there is a relatively complete set of tests. This protocol has not undergone formal verification. Consensys audited DeFi Saver's Recipes from March 22nd 2021 to April 2nd 2021. In this audit, all non-minor issues were fixed. Dedaub audited DeFiSaver Recipes on March 30th 2021 at commit cb29669a. All issues were resolved or dismissed. Dedaub also audited DeFiSaver's V3 Strategies in December 2021. All issues were low severity or advisory issues. All issues were either closed or dismissed. This protocol is clearly well audited, however we are docking 10% due to their pre-audit deployment."

With the comment:

"Your friendly neighborhood protocol scores above 85% in all sections except for testing, leaving some room for improvement for the DeFi management protocol.

Unfortunately, the saver we needed but didn't deserve reportedly had half of its testing score evaporate following the Thanos snap. Adding testnet deployments, test reports, coverage reports, and a formal verification test will repopulate this score.

There were also two times when uncle Ben suffered a security incident, as documented in our hack history section. However, due to quick response times, the team was able to DeFi Save users' funds.

Meanwhile, the protocol hits all targets in the area of Admin Controls. It clearly documents the upgradeable and immutable aspects of the software, while simultaneously fully detailing the ownership and timelock parameters. Tony Stark holds no control over this one."

  • Previously scored 71% (3-6-2021): "Defi Saver has had an audit done by Dedaub in Feb. 2021, an additional Dedaub audit in Mar. 2021, and a Consensys audit in Mar. 2021. All of the audits had multiple significant issues. Many were fixed but given the concern we drop the 100% to 70%." With the comment: "These guys worked hard with us to improve their score. That kind of effort means security. Solid guys."

Bugs/Exploits

  • From DeFi Safety (11-5-2022):

"Date: 05 Jan 2021

Details: Dedaub, DeFi Saver's auditor of choice, found a vulnerability where users who imported Compound positions were at risk. Upon the discovery, DeFi Saver rapidly performed a white hack to secure user funds. The discovery and securing process is outlined here: https://blog.defisaver.com/disclosing-a-recently-discovered-vulnerability/. Thanks to the detection and response, this vulnerability was never exploited (other than DeFi Saver's white hack of course). This event is not a hack, but a security incident.

Date: 08 Oct 2020

Details: DeFi Saver had a known vulnerability which was mitigated but later exploited by a frontrunner. Funds were later returned by the exploiter."

  • From Week in Ethereum (11-1-2021):

"Vulnerability found by Dedaub’s automated static analysis, white hat exploited for ~3.5m."

Governance

Admin Keys

  • From DeFi Safety (11-5-2022):

"Immutability/upgradability is described here. The main takeaway for users should be that the DFS Registry and Exchange Wrapper Allowlist contracts are owned and upgradeable through a multisig owner. This means that although recipe contracts may be mostly immutable, their respective addresses could be changed in the DFS Registry which essentially renders the recipe contract upgradable. For all intents and purposes, the protocol is clearly labelled as upgradable. All relevant contracts can essentially be paused. The Owner multisig can kill contracts. Since all the relevant contracts do not hold funds, a contract can be killed without causing a loss of funds. The effect of killing a contract (or reverting in DFSRegistry) is then essentially the same as pausing. There is no evidence of testing this explicitly documented. DeFi Saver documents a 7 day timelock for core contracts while other contracts used in strategies have a timelock of 1 day."

  • From DeFi Safety (3-6-2021):

"Access controls are clearly labelled in their Documentation. a) upgradability is indicated clearly for automation smart contracts, and vaguely for protocol smart contracts: 20%. b) Type of ownership is clearly indicated for Automation smart contracts, but not protocol action contracts: 15% c) Capabilities for change in the contracts is not described: 0%. Pause control not documented or explained."

DAO

Treasury

Token

Launch

Token allocation

Utility

Token Details

Stablecoin

Technology

  • Code can be viewed here. From DeFi Safety (11-5-2022):

"With 679 commits and 19 branches, this is a healthy, active repository."

How it works

Fees

Upgrades

Staking

Liquidity Mining

Different Implementations

Interoperability

Other Details

Oracle Method

  • From DeFi Safety (11-5-2022):

"DeFi Saver does not use oracles of their own. Although technically users may interact with oracles when exchanging, the oracles are delegated to Uniswap or Kyber Network. All potential for flashloan attacks are mitigated through the composing protocols' oracles."

Compliance

Their Other Projects

Roadmap

  • Can be found [Insert link here].

Usage

Projects that use or built on it

Competition

Pros and Cons

Pros

Cons

Team, Funding, Partners

Team

  • Full team can be found [here].

Funding

Partners
