Shade Protocol — Bonds Audit Complete

Shade Protocol
Aug 3, 2022

Greetings community,

Shade Protocol development has continued to progress rapidly, with core contracts set to be launched on Secret Network mainnet in fall of 2022. Prior to the launch of the mainnet contracts, Shade Protocol will be releasing Shade Bonds, a privacy-preserving DeFi instrument where users can purchase digital assets from the ShadeDAO by depositing protocol-desired cryptocurrencies into a smart contract.

Learn About Shade Bonds

Bonds are a powerful mechanism by which the ShadeDAO will be able to grow its set of protocol-owned assets, which can then be utilized to generate liquidity for Shade Apps as well as yield for the protocol. Because bonds are capable of directly interacting with the minting contracts for SILK and SHD as well as the accrued ShadeDAO treasury assets, the security of the bonds smart contracts is of the utmost importance.

https://www.certik.com/

Because of our insistence on putting security first, the core protocol contributors are proud to have partnered with Certik to have the bonds smart contracts audited for vulnerabilities.

Audit

https://www.certik.com/projects/shade-protocol

Linked below is the full PDF of Certik's Bonds audit findings:

Full Audit PDF

GitHub Code Under Audit

Findings

The Certik security assessment was completed August 1st, 2022. The assessment found 1 major, 1 medium, and 2 minor vulnerabilities.

The major vulnerability was tied to the centralization of bond issuance. Because bond issuance is such a powerful mechanism, the auditors were concerned about the centralization of permissions tied to issuance.

These centralization concerns will be resolved with the launch of Shade Protocol Governance on mainnet in the fall. The admin role that Certik observed as having direct power over bonds will be directly controlled by Shade Protocol token governance.

The medium vulnerability was tied to an assumption on oracle price decimals: if the oracle returns an unexpected number of decimals, there is a chance for dangerous behavior to occur in the interaction between the bonds contract and the depositor.

Shade Protocol resolves this concern because inconsistent decimal amounts are handled by the Shade Oracle (not the bonds contract): the oracle executes the logic to convert data feeds to 18 decimals, so any contract that interacts with the oracle can expect a consistent 18-decimal format.
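To make the decimal-normalization approach above concrete, here is an added example; it is not Shade Protocol's or Certik's code. The function names, the error type, the 36-decimal sanity bound and the sample values are assumptions, plain `u128` stands in for contract integer types, and both assets are assumed to use the same token decimals.

```rust
// Added illustration: hypothetical names, not Shade Protocol's oracle code.
const TARGET_DECIMALS: u32 = 18;
const MAX_FEED_DECIMALS: u32 = 36; // assumed sanity bound on what a feed may report

#[derive(Debug, PartialEq)]
pub enum PriceError {
    UnsupportedDecimals(u32),
    Overflow,
    ZeroPrice,
}

/// Oracle side: rescale a raw feed value with `feed_decimals` fractional digits to 18.
pub fn normalize_to_18(raw: u128, feed_decimals: u32) -> Result<u128, PriceError> {
    if feed_decimals > MAX_FEED_DECIMALS {
        return Err(PriceError::UnsupportedDecimals(feed_decimals));
    }
    let scaled = if feed_decimals <= TARGET_DECIMALS {
        // Scale up; the factor is at most 10^18, the product may still overflow.
        let factor = 10u128.pow(TARGET_DECIMALS - feed_decimals);
        raw.checked_mul(factor).ok_or(PriceError::Overflow)?
    } else {
        // Scale down; integer division truncates the extra digits.
        raw / 10u128.pow(feed_decimals - TARGET_DECIMALS)
    };
    // A price of zero (reported, or truncated away) must never reach a consumer.
    if scaled == 0 {
        return Err(PriceError::ZeroPrice);
    }
    Ok(scaled)
}

/// Consumer side: units of the issued asset owed for `deposit` units, given
/// two prices that are both expected to carry 18 decimals.
pub fn issued_amount(deposit: u128, deposit_price: u128, issued_price: u128) -> Result<u128, PriceError> {
    if issued_price == 0 {
        return Err(PriceError::ZeroPrice);
    }
    let value = deposit.checked_mul(deposit_price).ok_or(PriceError::Overflow)?;
    Ok(value / issued_price)
}

fn main() {
    // Constructed sample: a feed reporting 1.5 with 8 decimals, issued asset priced at 3.0.
    let issued_price = 3_000_000_000_000_000_000u128;
    let normalized = normalize_to_18(150_000_000, 8).unwrap();
    println!("normalized feed: {:?}", issued_amount(1_000_000, normalized, issued_price));
    // Passing the raw 8-decimal value instead leaves the depositor with nothing.
    println!("raw feed:        {:?}", issued_amount(1_000_000, 150_000_000, issued_price));
}
```

With the normalized price the constructed deposit yields 500,000 units; with the raw 8-decimal value the same deposit rounds down to zero, which is the kind of mismatch the finding describes.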

A minor vulnerability was tied to a lack of input validation which could result in unexpected behavior at runtime.

The team resolved this concern via the inclusion of the following:

contract.rs
handle.rs
handle.rs

The last minor vulnerability was tied to logic dependencies leveraged by oracle, shade admin, issued_asset, and airdrop. Certik advised careful examination of the security of these functional dependencies. This risk was acknowledged by the team.

Conclusion

With the completion of the Shade Bonds audit, Shade Protocol aims to release the next 10% of the SHD airdrop, launching side by side with bonds. Front-end UI/UX is the final piece to be completed in order for bonds and part two of the airdrop to be released.

Shade Protocol puts the security of users above all else, which is why we will continue to internally and externally audit all key contracts that are part of the Shade Protocol suite.

Speed is great, but accuracy is final.

We look forward to safely launching bonds — the first of many core privacy-preserving products to be launched by Shade Protocol.
