Defi Audit Reports


In the interests of making the Defi space more transparent for investors, we've put together a list of audit reports from different Defi firms.
We've also included a list of the main points from each report, or any impartial comments regarding firms that may not have had an audit report.


Disclaimer: We strongly recommend that investors read through the reports and research each firm independently. Our main points are quotes from each report. A new audit report may have been carried out since we last updated the table, therefore the points may not reflect the present state of security.


Each entry below gives: Defi Firm / Audit Report (auditor) / Main points from report, or comments / View report(s) / Smart Contract
1inch

Peppersec

Several medium and minor issues discovered.

All issues were fixed successfully.

Aave

OpenZeppelin

The audit was based on the pre-production protocol, therefore it is not reflective of the deployed version.

There were a number of issues raised at pre-production level.

Akropolis

CertiK

A manual review revealed no vulnerabilities with the codebase.

High security standards.

The team demonstrated consistency and reliability regarding code ethics and practices.

Almost One

We weren't able to find any audit reports.

Atomic loans

Consensys Diligence

The audit team evaluated that the system is secure, resilient, and working according to its specifications.

Augur

Keythereum

Changes to improve several functions were made, which were noted in the report.

Balancer Finance

Trail of Bits

The issues found during engagement were fixed or reasonably mitigated without increasing the code's complexity.

The code follows a high quality software development standard and best practices.

It has suitable architecture and is properly documented.

Functions are small, with a clear purpose.

Due to time constraints, only manual verification of essential properties related to token swapping was performed.

Bancor

Arachnid

Well written, readable code.

"Participants should note that the contracts as authored for the crowdsale are not trustless, and depend on the good behaviour of Bancor. Bancor have stated that this is intentional, intended to allow them to respond to and remedy any issues that come up during the crowdsale and in early operation, and that manual oversight will be exchanged for more automated operation once they are confident the system is working as intended."

The report recommends that all 'owner' addresses during this initial phase should be governed by a multisig, preferably with significant oversight and participation by non-affiliated individuals.

$Based

No audit report available.

BlockFi

No independent audit report; however, their site says that they are developing an in-house security team.

bZx

CertiK

The report gave an overall finding of 'Very High Confidence'.

The bZx team applied the auditor's recommendations.

The report concludes that there were no further recommendations required.

Coinlist

No independent audit report available; however, on 13th August 2020 it was reported that they are doing a full technical audit.

Compound

Trail of Bits 2020

3 'Informational' severity findings.

Informational findings do not pose an immediate risk, but are relevant to security best practices.

Cream.Finance

We weren't able to find any audit reports.

Curve Finance

Trail of Bits 2020

The report focused on arithmetic operations and common contract flaws.

7 issues reported and 1 recommendation. None of these issues were critical.

DeFiner

They have a documented internal security process.

dydx

OpenZeppelin Security

"Two high severity issues were found. Some changes were proposed to follow best practices and reduce the potential attack surface."

Well written code with extensive tests.

Force.Protocol

SlowMist Technology

The report highlighted some vulnerabilities, some of which had been fixed.

A full breakdown of the vulnerabilities can be found in the report's Conclusion section.

Instadapp

Samczsun

"In total, 1 undetermined, 0 high, 3 medium, 4 low, and 2 informational findings were documented. Additionally, 9 recommendations were made."

"InstaDApp resolved all undetermined, medium, and low severity findings and applied some of the recommendations. The remaining findings and recommendations were discussed at length, during which compelling and satisfactory reasoning for why they were unaddressed was given."

Jackpool Finance

There are audit reports however they aren't written in English.

Jupiter

We weren't able to find any audit reports or a website at the time.

JustSwap

Slow Mist

"There are 2 security issues found during the audit. After communication and feedback with the Anyswap team, it was confirmed that the risks found in the audit process are within the tolerable range."

Kava

Trail of Bits

Short term and long term recommendations were made by the auditor.


Kyber Network

Chain Security

"CHAINSECURITY is overall convinced of the soundness of KYBER.NETWORK’s project with regards to its design and its smart contract implementations. The smart contract test suite is exhaustive, and the smart contract code is of high quality. During the audit, CHAINSECURITY uncovered several issues worthy of KYBER.NETWORK’s attention, which have mostly been addressed. Overall, no significant security concern remains."

Maker

B-Harvest

Clean implementation and good practices.

Well written test code, so the reliability of the code and its behaviour is high.

Some suggestions were made for low severity errors.


Mooniswap

Scott Bigelow

The overall code quality of the project is good and it is accompanied by unit tests.

2 issues were found, both of which have been addressed.

Moonswap

Moonswap reported that they were looking for an auditor.

The link on their site doesn't take you to an audit report.

Mstable

Consensys Diligence

Code quality is high and code is well documented.

Test coverage is outstanding.

Code adheres to best practices. There is some partially implemented code, but it does not necessitate any urgent updates.

Other issues have been addressed.

NUO Network

They have an audit report, however the report is not public.

Oasis

The Oasis team audit their contracts internally.

Opyn Protection

OpenZeppelin Security

"One critical and two high severity issues were found. Some changes were proposed to follow best practices and reduce potential attack surface."

"The Opyn team has fixed the critical issue and implemented partial fixes and monitoring solutions for all high issues in their follow up commit."

Phase.

The site says that they intend to have routine auditing; however, this isn't mentioned in their roadmap up to December 2020.

Riggn

No audit report for the smart contract as far as we could see. The contract creator has not yet verified and published the smart contract on Etherscan.io.

Spaghetti Pasta

We weren't able to find any audit reports.

Sushi Swap

We weren't able to find any audit reports.

Swerve

It's worth noting that Swerve is a fork of Curve Finance.

StormSwap

We weren't able to find an audit report.

Synthetix Exchange

Iosiro

Several informational issues and one low risk issue.

Overall, the implementation was of a high standard.

Unidapp

Unidapp relies on Uniswap's audit by Consensys for the security of their code.

Uniswap DEX

dapp.org

1 medium severity issue and 1 low severity issue.

"Most of these improvements were adopted by the Uniswap development team."

YAM Finance

The site urges users to exercise caution.

YIncome

We weren't able to find an audit report.

Ybross.Finance

The site recommends that users do their own research and decide for themselves.

YFF Protocol

No audit report available.

Y FOX Finance

No audit report available.

YFIX.Finance

No audit report available. At the time of writing, the contract creator hadn't verified or published the contract source code on Etherscan. Please check etherscan.io for an update.

YF Tron / YFX

No audit report available.

Yoju Finance

We couldn't find a website for Yoju Finance.

YouEarn.Finance

No audit report available.