Difference between revisions of "InstaDapp (INST)"

From CryptoWiki

Line 22: Line 22:
== Audits & Exploits ==
== Audits & Exploits ==
* No bug bounty according to [[Blockchain Security DB]] (29-6-2020), which does show 1 [https://consensys.github.io/blockchainSecurityDB/ audit] (9-2019). [https://www.defisafety.com/app/pqrs/65 Update]: Instadapp's [[bug bounty]] program rewards up to $50,000 and is [https://immunefi.com/bounty/instadapp/ active] (21-9-2021).  
* No bug bounty according to [[Blockchain Security DB]] (29-6-2020), which does show 1 [https://consensys.github.io/blockchainSecurityDB/ audit] (9-2019). [https://www.defisafety.com/app/pqrs/65 Update]: Instadapp's [[bug bounty]] program rewards up to $50,000 and is [https://immunefi.com/bounty/instadapp/ active] (21-9-2021).  
*Scored 72% on [[DeFi Safety]] (21-9-2021), with the [https://t.me/c/1453353094/5458 comments]:
*Scored [https://www.defisafety.com/app/pqrs/463 85%] on [[DeFi Safety]] (30-8-2022):
''"As per the SLOC, there is 393% testing to code (TtC). InstaDapp displays test reports in their GitHub Actions tab, such as [https://github.com/Instadapp/dsa-contracts/runs/8120748031?check_suite_focus=true here]. InstaDapp has not undergone [[Formal Verification|formal verification]]. While Peckshield's V2 version seems to be the most recent audit available, there are only 1 audit performed before deployment of the current version of InstaDapp. The other audits [https://github.com/Instadapp/dsa-contracts/tree/master/audits such] as [[Samczsun|Samczsun's]] do not provide enough information to confirm subsantial auditing."''
*Previously scored 72% (21-9-2021), with the [https://t.me/c/1453353094/5458 comments]:
''"What's in the audit report?''
''"What's in the audit report?''
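Review bot: the new 85% entry is dated 30-8-2022, while every other entry in this revision that is marked as a 2022 DeFi Safety update carries 30-6-2022; one of the two dates is likely a slip and should be checked against the pqrs/463 report. The quoted comment also reads "there are only 1 audit" and "subsantial"; if those are transcription errors rather than the source's wording, correct them in the quote.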


Line 55: Line 57:
=== Admin Keys ===
=== Admin Keys ===


*[https://www.defisafety.com/app/pqrs/65 From] [[DeFi Safety]] (21-9-2021):
*[https://www.defisafety.com/app/pqrs/65 From] [[DeFi Safety]] (30-6-2022):
''"InstaDapp clearly labels the protocol's functionalities as being upgradeable in the Introduction section [https://docs.instadapp.io/#introduction here]. Ownership is indicated as OnlyOwner for dsa-contracts in the code and governance proposals are set as [[Multi-Signature|MultiSig]] in their documentation. The smart contract change capabilities are not covered by the documentation, there is only mention of the upgradeability with no specification. There is no Pause Control documentation available on the developer documentation. The protocol identifies a [[timelock]] and a duration of 10 days in their timelock.sol contract. As specified [https://github.com/Instadapp/dsa-governance/blob/main/contracts/Timelock.sol here], the timelock is a minimum of 2 days to a maximum of 30 days, which is well above the appropriate length."''
*[https://www.defisafety.com/app/pqrs/65 From] DeFi Safety (21-9-2021):
''"The OpenZeppelin audit contains information detailing the access controls, but this was not mentioned in the [https://forum.openzeppelin.com/t/instadapp-audit/1370 docs]. There is also additional DAO information in their blog article about [https://blog.instadapp.io/protocol-and-governance governance].''
''"The OpenZeppelin audit contains information detailing the access controls, but this was not mentioned in the [https://forum.openzeppelin.com/t/instadapp-audit/1370 docs]. There is also additional DAO information in their blog article about [https://blog.instadapp.io/protocol-and-governance governance].''
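Review bot: the Admin Keys entry dated 30-6-2022 links https://www.defisafety.com/app/pqrs/65, the same URL as the 21-9-2021 entry directly below it, whereas the 2022 score in Audits & Exploits links pqrs/463. Point the 2022 entry at the report it actually quotes, so a reader checking the timelock figures (10 days, 2 to 30 days) lands on the right review. The demoted 21-9-2021 bullet also lost its [[DeFi Safety]] wiki link; keep the link style consistent.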


Line 150: Line 154:
*Docs can be viewed [https://docs.instadapp.io/ here].
*Docs can be viewed [https://docs.instadapp.io/ here].
*Code can be viewed [https://github.com/instadapp here]. [https://www.defisafety.com/app/pqrs/65 From] [[DeFi Safety]] (21-9-2021):
*Code can be viewed [https://github.com/instadapp here]. [https://www.defisafety.com/app/pqrs/65 From] [[DeFi Safety]] (21-9-2021):
''"There are 431 commits and 4 branches, making Instadapp's repository healthy."''
''"There are 431 commits and 4 branches, making Instadapp's repository healthy."'' [https://www.defisafety.com/app/pqrs/463 Update] (30-6-2022): ''"Instadapp's dsa-connectors repository records a total of 1196 commits and 5 branches"''
*Built on: [[Ethereum]], [[Polygon (MATIC)|Polygon]] and [[Arbitrum]]
*Built on: [[Ethereum]], [[Polygon (MATIC)|Polygon]] and [[Arbitrum]]. [https://www.defisafety.com/app/pqrs/463 Added] [[Avalanche (AVAX)|Avalanche]], [[Fantom (FTM)|Fantom]] and [[Optimism (OP)|Optimism]] (30-6-2022).
*Programming language used: [[JavaScript|Javascript]] ([https://instadapp.io/ 23-2-2021]). From their [https://discuss.instadapp.io/t/general-faqs-instadapp-docs/45/16 FAQ] (20-7-2020): ''"Unfortunately, the SDK is only in [[Javascript]] right now, however you can interact with the contracts directly in the [[web3]] library."''
*Programming language used: [[JavaScript|Javascript]] ([https://instadapp.io/ 23-2-2021]). From their [https://discuss.instadapp.io/t/general-faqs-instadapp-docs/45/16 FAQ] (20-7-2020): ''"Unfortunately, the SDK is only in [[Javascript]] right now, however you can interact with the contracts directly in the [[web3]] library."''
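Review bot: the appended update counts commits in the dsa-connectors repository, while the 2021 quote beside it speaks of "Instadapp's repository" without naming one, so the two figures (431 and 1196 commits) read as growth of a single repository. Name the repository for the 2021 figure if known, or present the two quotes as separate entries. The update is dated 30-6-2022 but the 85% score from the same pqrs/463 link is dated 30-8-2022 elsewhere in this revision.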


Line 228: Line 232:


== Oracle Method==
== Oracle Method==
* [https://www.defisafety.com/app/pqrs/65 From] [[DeFi Safety]] (30-6-2022):
''"InstaDapp explains why their Smart Wallet service is not susceptible to [[oracle]] attacks. InstaDapp escribes why the Smart wallet is not vulnerable to [[Frontrunners|front running]] attacks [https://docs.instadapp.io/flashloan/contracts#utilizing-protocols-through-instadapp here]. InstaDapp offers a flash loan functionality and describes why the Smart wallet is not vulnerable to [[Flash Loan|flash loan]] attacks [https://docs.instadapp.io/flashloan/contracts#utilizing-protocols-through-instadapp here]."''


== Privacy Method==
== Privacy Method==
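Review bot: the new Oracle Method entry is dated 30-6-2022 but links pqrs/65, the URL used for the 21-9-2021 review; the other 2022 updates link pqrs/463. The quote also contains "escribes", and its front-running and flash-loan sentences both link the same docs anchor while the oracle claim in the first sentence has no link at all; confirm the links match the source report.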

Revision as of 09:03, 13 October 2022

Basics:

"InstaDApp is a DeFi portal that aggregates the major protocols using a smart wallet layer and bridge contracts, making it easy for users to make the best decisions about assets and execute previously complex transactions seamlessly."

"InstaDApp is a smart wallet with an intuitive interface built on top of popular DeFi projects like MakerDAO, Compound, Uniswap, etc. for managing assets. It’s optimized for users lacking advanced technical or financial experience. InstaDApp allows users to perform complex actions like leveraging or saving by buying or selling collateral in a single transaction. One of InstaDApp's most popular features is its Bridge which allows users to migrate debts between Maker Vaults and Compound Finance. Other features include the option to lend assets or add liquidity to Uniswap pools."

History

"Ever since we were in our teenage years, we have started participating in the Indian stock market and discussing finance on blogs and forums like Quora, generating millions of hits to date. We then went on to building software to simplify stock market investing and investing in crypto.

Eventually, we dropped out of school to become full-on “native defi”. A big reason was we realized that the traditional finance systems we were studying in school were slow to innovate, extremely restrictive, tightly controlled by financial giants, and bound by geographical constraints.

Ever since these realizations, we began shifting our efforts from traditional fintech and markets into the open world of decentralized finance. After participating and winning EthIndia one year ago, we received a grant from Kyber Network to start work on what will become Instadapp today."

Audits & Exploits

  • Scored 85% on DeFi Safety (30-8-2022):

"As per the SLOC, there is 393% testing to code (TtC). InstaDapp displays test reports in their GitHub Actions tab, such as here. InstaDapp has not undergone formal verification. While Peckshield's V2 version seems to be the most recent audit available, there is only 1 audit performed before deployment of the current version of InstaDapp. The other audits such as Samczsun's do not provide enough information to confirm substantial auditing."

  • Previously scored 72% (21-9-2021), with the comments:

"What's in the audit report?

PeckShield’s most recent audit was conducted in March, 2021 and found 1 medium risk and 1 low risk issue. They found Instadapp to be well organised and that the issues identified had been dealt with. This audit is very short, at barely 15 pages. Overall, Instadapp’s smart contracts were perceived to be safe.

Is there any admin control information?

An OpenZeppelin audit contains information detailing admin controls. Instadapp is currently in the process of decentralising, and so greater admin control is slowly being handed to the DAO. A blogpost details the upgradeability of contracts.

To conclude, Instadapp has respectable software documentation with software functions being covered, though more information on admin access controls is needed. More evidence of testing would develop their github further. A better defined roadmap on how its DAO will eventually function would also benefit Instadapp’s transparency. More documentation is required in order to improve this protocol’s process transparency. However, it is certainly an improvement from their previous iteration."

  • From their blog (6-4-2021):

"We have also completed our first Audit with Peckshield with no severity. The audit report is hosted here."

  • Previously scored a 51% on DeFi Safety (9-2020); "Two audits are mentioned in the security section of the docs. The audit from samczsun is brief, but his reputation is very strong. The audit from peckshield was corrupt, but we received a copy so score revised to 100%" This was later upgraded to 58%.
  • The Smart Account contracts are audited by (19-3-2020) Peckshield and by (3-2020) Samczsun. Commentary of Samczsun:

"In total, 1 undetermined, 0 high, 3 medium, 4 low, and 2 informational findings were documented. Additionally, 9 recommendations were made.

InstaDApp resolved all undetermined, medium, and low severity findings and applied some of the recommendations. The remaining findings and recommendations were discussed at length during which compelling and satisfactory reasoning for why they were unaddressed were given."

"Once the core contracts are deployed, all of the DSA transactions are secured by default, since no new smart contracts are deployed to build any kind of DeFi operations, which vastly simplifies and removes attack vectors."

Bugs/Exploits

  • From a thread in which a white-hat hacker reported a timelock bug to which many projects were susceptible (24-9-2022):

"I reported it as high severity, since if we received this kind of report at OUSD, we would have classified it as that and made a payout to the whitehat of $25,000. The biggest project of all that had the issue was Instadapp, with 2.3 billion in funds when I reported. They revoked the permission the next day, but didn't respond for days after that. Instadapp marked the severity as low, and paid $500.

Instadapp's affected timelock controlled the code run when users interacted with their invested funds. This would have allowed an attacker to drain all invested and approved funds for a user when they used their Instadapp account. This was not Instadapp's main timelock, so Instadapp could have regained control a few days later. The affected timelock had a one second minimum delay, meaning an attack could have started taking user funds one block after being launched.

@Instadapp reevaluated this bounty and increased their payout on this from $500 to $10,000. Appreciated. They also increased their critical/high bounties on @immunefi this week from $50,000/$5,000 to $250,000/$100,000."

Governance

Admin Keys

  • From DeFi Safety (30-6-2022):

"InstaDapp clearly labels the protocol's functionalities as being upgradeable in the Introduction section here. Ownership is indicated as OnlyOwner for dsa-contracts in the code and governance proposals are set as MultiSig in their documentation. The smart contract change capabilities are not covered by the documentation, there is only mention of the upgradeability with no specification. There is no Pause Control documentation available on the developer documentation. The protocol identifies a timelock and a duration of 10 days in their timelock.sol contract. As specified here, the timelock is a minimum of 2 days to a maximum of 30 days, which is well above the appropriate length."

  • From DeFi Safety (21-9-2021):

"The OpenZeppelin audit contains information detailing the access controls, but this was not mentioned in the docs. There is also additional DAO information in their blog article about governance.

All contracts are clearly labelled as upgradeable (or not) -- 30% -- the docs detail which contracts are upgradeable. - The type of Ownership is clearly indicated as MicroDAO has partial ownership - The capabilities for change in the contracts are described -- 30% -- contract upgradeability will be decided by the DAO.

Pause control information could not be found."

"InstaDapp smart wallets do not have an admin key. While there is no admin key risk with MakerDAO, there are other kinds of risks including the admin key risk that it inherits from other platforms that it integrates with, such as Compound."

"Current Admin Key Config- Time Lock: No admin key or upgrade abilities

Current Admin Key Config- Multisig: No admin key or upgrade abilities

Claimed Admin Key OpSec: N/A

Verified Admin Key OpSec: N/A

Is security of deposited funds dependent on opsec of admin key?: No

Admin Key Address: N/A

Documentation on Admin Key Powers: N/A

Additional Info (if any)? Systematic risk via Compound admin key"

DAO

"In updating to v2 of the Defi Smart Accounts (DSA), we are also introducing account upgradability, which will also give the DAO a large number of options to add deep functionality for users, including them to automatically offer their unused assets for various types of usages, including flash loans, yield farming, porting of assets in both L1 & L2 and gain returns on them. This will significantly extend both the power of the DAO, as well as utility to DSL users.

The initial governance will be made up of the Instadapp team and investors. We expect the decentralization of governance power to happen immediately at launch, through a combination of liquidity mining, developer incentives and delegation to selected teams."

"Contract upgrades are executed and managed by the governance token contract, token holders will vote on system upgrades, platform parameters and other code changes."

Treasury

"Token holders will manage the allocation of Ecosystem funds and the DAO's treasury to be utilised for building partnerships, liquidity, integrations and any other funding that may be needed by the DAO and community."

Token

  • InstaDApp had no native token and currently (23-2-2021) charges no fees. This all changed with the announcement of DSL, which introduced a governance token.

Launch

"We expect the DAO / token launch and corresponding distribution to start in March."

Token Allocation

"We expect the following distribution of tokens at launch:

  1. 45% of initial supply for team, investors and new team members.
  2. 55% for ecosystem growth, including liquidity mining, new ecosystem partners, developer mining and delegates.

Token supply will be locked until sufficiently decentralized, where DAO can approve when token supply changes."

  • From their blog (6-4-2021):
  1. "A portion of the governance tokens will be distributed amongst Instadapp's existing shareholders initially (which includes team and investors), forming the Micro DAO.
  2. The majority of genesis INST will be allocated to building the developer ecosystem and community and will not participate in governance until distributed to the users and community.
  3. The core team will manage the system at first until the on-chain voting and contract upgradability is operating as intended. After ensuring everything is on track, the core team transfers the protocol ownership to the governance and activates on-chain voting allowing the token holders to propose changes to the protocol, vote, and delegate.
  4. This will also initiate the INST distribution to the protocol users. The initial distribution will be non-transferable, except for the genesis address. Once on-chain voting is activated, the community as a whole can come together to flip the transferability switch.

You can expect this to happen in Q2"

"As a requirement to receive it, users needed to upgrade their accounts to the latest version. In two weeks, over 30% of all TVL on Instadapp has migrated to the upgraded accounts."

Utility

"Token holders will have immediate access to whitelisting accessible protocols, implement fees, finance the ecosystem development from treasury funds, and potentially open up the gateways for L2 migrations. A portion of the fees, charged by the interfaces using the DSL accounts or new protocols being built on the platform, will accrue to the token."

Other Details

Stablecoin

Coin Distribution

Tech

"There are 431 commits and 4 branches, making Instadapp's repository healthy." Update (30-6-2022): "Instadapp's dsa-connectors repository records a total of 1196 commits and 5 branches"

How it works

"InstaDApp uses smart contracts to secure the transactions and your assets are stored on Contract Wallet. Therefore, all transactions are traceable and irreversible. Smart Contracts are operated on algorithmic logic, which is formulated with accuracy and precision. You can view everything publicly. We do not hold any of your assets."

"All of our basic platform interactions are free to use. However, you must have enough ETH while carrying out transactions to pay your gas fee."

"InstaDapp creates each user a unique smart contract wallet where you can manage new and existing Vaults, assets in Compound, and Uniswap liquidity pools."

"100% trustless. We ensure that there is no way to access your funds to make it as robust and secured as possible."

Fee Mechanism

Upgrades

Staking

Liquidity Mining

Scaling

  • From their blog (17-2-2021):

"We intend to help solve these problems [gas fees] by allowing Instadapp users to seamlessly migrate their assets and use L2 on the same UX but with much lower gas. Besides, we aim to help bridge liquidity - by aggregating across various lending & swap protocols and by porting over - allowing users to bring unused liquidity over to L2 easily."

Interoperability

Different Implementations

Other Details

DeFi Smart Account (DSA) contracts.

"Most users interact with DeFi through wallets, which were mainly designed for tokens. Instadapp wants to improve that experience with a platform which “provides a single point of integration to access all the DeFi elements.”"

"DeFi Smart Accounts are contract accounts trustlessly owned by users, designed to allow developers to build extensible products and business models on top of DeFi with maximum security and composability.

DSA is powerful because it can easily be extended with connectors and developers will be able to string together the available actions in the connectors to create innovative new transactions in a single transaction.

The Protocol Bridge and Migration Bridge that created great usability in refinancing, took Instadapp about a month to build, whereas now with the help of DSA you can do it within 5 minutes.

Complex and important DeFi use cases like interoperability, solidity smart contracts (sometimes very complicated) are a basic necessity, resulting in a longer learning curve, complex and rigid code after deployment, and lots of potential vulnerabilities. Which is all cut down to just a few minutes of coding, with a few lines of javaScript (no solidity) - all of which is possible on the DSA platform."

DeFi Smart Layer (DSL)

"DSL consists of a smart contract account standard, composable connectors to base DeFi protocols, and an authorization framework that allows extremely modular permissions.

  1. Smart Accounts, which are the upgradable contract accounts, trustlessly owned by users. Assets are stored here and DSAs can execute composed transactions across connectors.
  2. Connectors, which are standardized modules that interact with the various protocols, make important actions accessible to smart accounts. Developers can compose complex DeFi transactions across protocols using pure Javascript.
  3. Authority, which users can use to set guardians, managers or automation bots to manage their DSA. Permissions can be modular down to connector levels. For example, users can allow specific addresses to rebalance their assets to minimize interest payment or maximize yields, but nothing else.

Users will be accessing the DSL via several channels, including on the Instadapp portal, 3rd party dapps and wallets/UIs that use smart accounts. DSL aims to aggregate across DeFi protocols and abstracts away the complexity for users and developers. This creates a set of important benefits to the development of DeFi, including:

  1. Instant javascript access to all of DeFi, including composing use cases across protocols with zero smart contract deployment.
  2. Ease of developing crucial features like social recovery and customized permissions.
  3. Aggregate liquidity across smart accounts and base protocols to leverage it for flash loans, growing L2 environment.
  4. Build new revenue streams and networks from automating or helping users delegate their DeFi activities, and adding their fee structures.
  5. All DSL transactions are secure by default, since no new smart contracts are deployed, which vastly simplifies and removes attack vectors.

By removing the key technical, security and upgradability barriers to building DeFi, we aim to make DSL the easiest place for mainstream developers to embark on this journey."

Oracle Method

  • From DeFi Safety (30-6-2022):

"InstaDapp explains why their Smart Wallet service is not susceptible to oracle attacks. InstaDapp describes why the Smart wallet is not vulnerable to front running attacks here. InstaDapp offers a flash loan functionality and describes why the Smart wallet is not vulnerable to flash loan attacks here."

Privacy Method

"You can access InstaDApp from anywhere in the world provided you have access to your private key and internet."

  • From their Privacy page (23-2-2021):

"We do not automatically collect Personal Information when you conduct transactions on the Ethereum network using our Services, and we do not use any automatic tracking technologies in these parts of our Services unless you explicitly agree. We will never ask you to share your private keys to your Wallet or other security information that could be used to access your Wallet without your explicit consent and action."

Compliance

Their Other Projects

Roadmap

"The team plans to add tie-ins with other protocols and additional features as it continues toward its goals of becoming a decentralized bank and driving mainstream adoption of DeFi."

  • From their blog (17-2-2021):

"DeFi Smart Layer (DSL) is a financial infrastructure layer for the decentralized internet, to make accessing and maximizing DeFi easy for all users and developers. DSL consists of a smart contract account standard, composable connectors to base DeFi protocols, and an authorization framework that allows extremely modular permissions.

By tokenizing and opening up governance, we aim to incentivize collaboration and drive participation amongst the 3 key groups of stakeholders - Users, Developers and DeFi Protocols."

Usage

"our protocol bridge saw explosive growth, growing the value locked in our smart contracts by 9 times, from $4M to over $35M. We are now #3 in total value locked after MakerDAO and Compound."

7.9K smart wallets, $82.5M+ collateral and $29M borrowed.

  • Has a Compound <> Maker bridge:

"The success of this bridge resulted in our first major growth spike, from 10K ETH to more than 150K ETH, validating our belief that portability between DeFi protocols is an extremely important feature in this space. Also, the Protocol Bridge turns out to be the #1 MKR burner the most number of MKR."

  • From this blog (29-4-2020):

"Three users are responsible for ~80% of all user deposits on InstaDApp."

"Instadapp’s flashloan (InstaPool) facilitated approximately $1.3B in flash loans for features like the Refinancing Tool, Leverage, and Debt Swap. The resulting flashloan volumes from InstaPool were roughly twice as high as previous editions. (Source)

More than 9000 DeFi Smart Accounts (DSAs) have been created, and several people are increasingly utilizing the platform to farm tokens and earn yield. Around 4000 more DSAs were created from the previous editions to this date. (Source)"

"More than 18.5k DSAs have been created. Around 9000 more DSAs were created from the previous editions to date. Instadapp’s flashloan (InstaPool) facilitated approximately $3.3B in flash loans for features like the Refinancing Tool, Leverage, and Debt Swap. Flashloan volume roughly doubled from previous editions to date. Around $698M of the volume was swapped from previous editions to date."

  • According to its website (23-2-2021) it manages $1,808,689,536 worth of crypto.
  • From Our Network #67 (17-4-2021):

"Instadapp has grown to over $2.5B in assets under management, making it currently the 7th largest DeFi DApp by holdings. Instadapp currently holds 1.03% of all circulating Ethereum. Instadapp’s flashloan, InstaPool, has facilitated more than $5B in flashloans. Instapool facilitates features including refinancing. In the last five months, we have seen an increase of $1.7B more volume in flashloans, an over 50% increase from our previously recorded volume of $3B. There are currently more than 20.8k DeFi Smart Accounts (DSA) that have been created."

"Instadapp has facilitated more than $12B in flashloan volume; this includes its use in Multi-Protocol Refinancing, Leveraging, Collateral and Debt Swaps. A smaller portion of this volume was 30m of combined assets and liabilities migrating across chain from AAVE v2 to AAVE-Polygon."

Projects that use or built on it

Competition

Pros and Cons

Pros

Cons

Team, Funding, Partners

Team

Funding

"We have raised a seed round of $2.4M from a network of strategic investors, including Pantera Capital, Naval Ravikant, Balaji Srinivasan, Coinbase Ventures, IDEO Colab, Robot Ventures (Robert Leshner of Compound Finance), Loi Luu (Kyber Network), amongst many others."

"Instadapp announced Friday the completion of a $10 million funding round that was led by Standard Crypto and included Andre Cronje."

Partners
