Results From the Latest Sovryn Software Audits

Brought to you by Sovryn

December 7, 2022

Today we are publishing the results of the latest Sovryn software audits, a 2022 FastBTC audit by Least Authority and a 2021 system-wide smart contract audit by CertiK. Read on for a summary of the results and links to the full audit reports.

2022 FastBTC audit

Earlier this year we went live with a limited release of bidirectional FastBTC, an update to our FastBTC federated swap protocol that enables converting BTC to/from RBTC. Before raising transaction limits on the protocol, we wanted to complete a full audit of the FastBTC smart contracts and node software. For this audit we hired Least Authority, a security company with extensive experience auditing cryptocurrency and smart contract software.

Least Authority started their audit in June and completed their audit in July. We are proud to share that no security issues were found.

Least Authority did provide three “Suggestion” comments for improving the codebase. Due to their low impact, we have decided to not prioritize implementing these suggestions at this time, though we may revisit in the future.

You can read the full 2022 FastBTC audit report here.

2021 system-wide smart contract audit

In 2021 we engaged the security company CertiK for a system-wide audit of the Sovryn protocol and associated smart contracts. This audit covered all of the Sovryn contracts deployed on mainnet at the time, from the AMM, lending, margin, and bridge contracts to Bitocracy, vesting, and SOV contracts. The initial audit results reported no Critical issues, 26 Major issues, 6 Medium issues, 19 Minor issues, 55 Informational issues, and 2 Discussion comments.

In the time since receiving the initial audit results in October 2021, we have been working to resolve the issues found. Of the 26 Major issues reported, 25 were “Centralization Risk” issues related to ownership of the contracts. In these cases, 3 of the contracts are no longer being used, 4 issues could not be fixed because the contract code is immutable (and we consider the owner to be safe, so there is no need to replace them), and 18 issues will be fixed when SIP-0046 is implemented and the contract ownership is transferred to Bitocracy. The last remaining Major issue (LTS-01) is technically a duplicate of one of the Centralization Risk issues, and we have therefore ignored it. Of the Medium, Minor, Informational, and Discussion-level issues reported, we either fixed them, did not need to fix them, or deemed the impact low enough not to prioritize fixing them at this time, though we may revisit in the future.

You can read the full 2021 system-wide smart contract audit report here and read our detailed follow-up here.

Note: In the time since CertiK completed the audit referenced above, several critical vulnerabilities were discovered in the staking contract that CertiK audited. Two of these vulnerabilities were described here and here, and one remains under investigation at the time of publishing this blog post.

Strengthening Sovryn security

Many thanks to Least Authority and CertiK for their diligent work on these audits. We appreciate the role that these independent security teams play in keeping user funds safe and building confidence in the reliability of smart contract-based financial protocols such as Sovryn.

In addition to deep audits like the ones shared in this blog post, we have received smaller audits on individual parts of the Sovryn smart contract system and external reviews on individual changes submitted to our smart contract repositories. We also enforce two internal code reviews on every smart contract change.

Ever since the approval of SIP-0008, the protocol treasury has been used to fund a bug bounty program with a current maximum payout of $1,000,000. We invite security researchers interested in Sovryn contracts to check out the main Sovryn bounty program. And of course anyone with the skills and interest can review the public source code of all of our deployed smart contracts, and confirm the source code being used on-chain by referring to the smart contract addresses in the Verified tab of our mainnet smart contracts spreadsheet.
