DeFi Saver

From CryptoWiki

Basics

  • Based in:
  • Started in / Announced on:
  • Mainnet release:

History

Audits & Exploits

"This protocol offers an active bug bounty of $250K. DeFi Saver has a TVL of $422M, which places their bug bounty at 0.000592% of their TVL."

"There is implicit traceability between software documentation and implemented code. No coverage report found, but there is a relatively complete set of tests. This protocol has not undergone formal verification. Consensys audited DeFi Saver's Recipes from March 22nd 2021 to April 2nd 2021. In this audit, all non-minor issues were fixed. Dedaub audited DeFiSaver Recipes on March 30th 2021 at commit cb29669a. All issues were resolved or dismissed. Dedaub also audited DeFiSaver's V3 Strategies in December 2021. All issues were low severity or advisory issues. All issues were either closed or dismissed. This protocol is clearly well audited, however we are docking 10% due to their pre-audit deployment."

With the comment:

"Your friendly neighborhood protocol scores above 85% in all sections except for testing, leaving some room for improvement for the DeFi management protocol.

Unfortunately, the saver we needed but didn't deserve reportedly had half of its testing score evaporate following the Thanos snap. Adding testnet deployments, test reports, coverage reports, and a formal verification test will repopulate this score.

There were also two times when uncle Ben suffered a security incident, as documented in our hack history section. However, due to quick response times, the team was able to DeFi Save users' funds.

Meanwhile, the protocol hits all targets in the area of Admin Controls. It clearly documents the upgradeable and immutable aspects of the software, while simultaneously fully detailing the ownership and timelock parameters. Tony Stark holds no control over this one."

  • Previously scored 71% (3-6-2021): "DeFi Saver has had an audit done by Dedaub in Feb. 2021, an additional Dedaub audit in Mar. 2021, and a Consensys audit in Mar. 2021. All of the audits had multiple significant issues. Many were fixed but given the concern we drop the 100% to 70%." With the comment: "These guys worked hard with us to improve their score. That kind of effort means security. Solid guys."

Bugs/Exploits

"Date: 05 Jan 2021

Details: Dedaub, DeFi Saver's auditor of choice, found a vulnerability where users who imported Compound positions were at risk. Upon the discovery, DeFi Saver rapidly performed a white hack to secure user funds. The discovery and securing process is outlined here: https://blog.defisaver.com/disclosing-a-recently-discovered-vulnerability/. Thanks to the detection and response, this vulnerability was never exploited (other than DeFi Saver's white hack of course). This event is not a hack, but a security incident.

Date: 08 Oct 2020

Details: DeFi Saver had a known vulnerability which was mitigated but later exploited by a frontrunner. Funds were later returned by the exploiter."

"Vulnerability found by Dedaub’s automated static analysis, white hat exploited for ~3.5m."

Governance

Admin Keys

"Immutability/upgradability is described here. The main takeaway for users should be that the DFS Registry and Exchange Wrapper Allowlist contracts are owned and upgradeable through a multisig owner. This means that although recipe contracts may be mostly immutable, their respective addresses could be changed in the DFS Registry which essentially renders the recipe contract upgradable. For all intents and purposes, the protocol is clearly labelled as upgradable. All relevant contracts can essentially be paused. The Owner multisig can kill contracts. Since all the relevant contracts do not hold funds, a contract can be killed without causing a loss of funds. The effect of killing a contract (or reverting in DFSRegistry) is then essentially the same as pausing. There is no evidence of testing this explicitly documented. DeFi Saver documents a 7 day timelock for core contracts while other contracts used in strategies have a timelock of 1 day."

  • From DeFi Safety (3-6-2021):

"Access controls are clearly labelled in their Documentation. a) Upgradability is indicated clearly for automation smart contracts, and vaguely for protocol smart contracts: 20%. b) Type of ownership is clearly indicated for Automation smart contracts, but not protocol action contracts: 15%. c) Capabilities for change in the contracts are not described: 0%. Pause control not documented or explained."

DAO

Treasury

Token

Launch

Token allocation

Utility

Token Details

Stablecoin

Technology

"With 679 commits and 19 branches, this is a healthy, active repository."

How it works

Fees

Upgrades

Staking

Liquidity Mining

Different Implementations

Interoperability

Other Details

Oracle Method

"DeFi Saver does not use oracles of their own. Although technically users may interact with oracles when exchanging, the oracles are delegated to Uniswap or Kyber Network. All potential for flashloan attacks is mitigated through the composing protocols' oracles."

Compliance

Their Other Projects

Roadmap

Usage

Projects that use or built on it

Competition

Pros and Cons

Pros

Cons

Team, Funding, Partners

Team

  • Full team can be found [here].

Funding

Partners
