🛡 Securing Babylon

Raul Riesco
Babylon.finance
Mar 7, 2022

Babylon is a community-led asset management protocol that enables users to create investment clubs (we call them gardens) and invest in DeFi together. It’s built on the Ethereum network and it’s non-custodial, transparent, permission-less, and governed by the community. BABL is the governance token behind it.

Babylon Security Intelligence Series

TLDR: We released seven security audits along with our security methodology and the process to report vulnerabilities.

🥇 Security First

Security has been one of the top priorities for Babylon Finance since the beginning. First of all, the system was architected to be secure-by-design. Security is an ongoing process; you are never “done”. It is not a feature nor an add-on, and it’s definitely not something that you can patch later in the future.

Due to recent security hacks in DeFi, teams are now aware of how critical it is to have cybersecurity skills within the core team. In Babylon, this wasn’t an afterthought. The founding team members and advisors have many years of experience in security at companies like OpenZeppelin, Telefonica, or Incibe.

A DeFi protocol needs to have external security audits to verify the architecture and security of the system. Although expensive and in high demand — due to the security skilled people shortage — Babylon has already performed several security audits with leading security firms.

💻 Babylon Security Repository

Today we are pleased to announce the publication of our Babylon Finance Security Repository on Github.

🔗 https://github.com/babylon-finance/security

Babylon Finance Github Security Repository

Our goal is to give more visibility, transparency, and trust to our users and our partners ahead of our public launch scheduled for March 15th.

It is an important milestone for Babylon as it proves to our users our dedication to securing the protocol before our public launch. Transparency and trust are a must-have in DeFi, as users and partners should check and verify the security process of a given protocol before using it.

Due to our security-by-design process, we are continuously working to minimize the attack surface at the infrastructure and SDLC (Software Development Life Cycle) levels. Because of this approach, you’ll see infrastructure audits together with smart contract audits.

🗒 7 Security audits

In Babylon Finance we have already performed 7 security audits. For more information, please check the audits/ section of the repository.

We believe that having frequent audits is important, as protocols need to change and evolve to find product-market fit. Auditors usually audit a specific (commit) version of the codebase, so the code they are auditing can quickly become outdated.

In Babylon, we have been doing audits since development started.

Babylon Finance Initial Security Audits

Babylon also hired different external companies to increase coverage, get different opinions, and have multiple sets of eyes checking every line of code. At the same time, it is crucial to create a long-term partnership with an audit firm so they develop a deep understanding of the protocol. Our suggestion is to have a mix of both.

Last but not least, internal security audits are usually not reported. We believe that this is an oversight. In our opinion, they are critical, especially given the fast pace of change. External audits by definition have limited scope, whether because of budget, time, or resources. It is not common to see protocol internal security audits or even infrastructure security audits published.

Infrastructure audits have been demonstrated to be very important given recent attacks like BadgerDAO’s loss of $120M. In that attack, the cloud provider was used to inject a malicious script into the dapp. That’s why we included them, and we plan to continue doing so in the future.

⚔️ How to report vulnerabilities

Although 100% security does not exist, we believe that optimal security can only be achieved by working with the best security researchers. In Babylon Finance we are committed to working with researchers who submit security vulnerability notifications to us. We commit to resolving those issues on an appropriate timeline, and to perform a coordinated release, giving credit to the reporter if desired.

If you are one of them, please submit findings by using the following instructions and PGP key:

PGP main contact to report vulnerabilities

We follow the same de facto responsible disclosure standard that is used today by other protocols like Yearn Finance and many others. Follow the guidelines for initial contact and for providing details.

In the coming weeks/months, we are also planning to launch a bug bounty program through Immunefi.

🤝 A stronger DeFi Security Community

In Babylon Finance, we believe that one of the best ways to improve DeFi security is to share relevant security intelligence with teams, protocols, and users.

First of all, we have decided to start a “DeFi Security Intelligence blog series”. With these posts, we want to give back to the DeFi community with actionable cybersecurity intelligence, best practices, and recommendations.

We want to bootstrap a bigger and stronger DeFi Security Community #strongertogether. An ISAC equivalent for DeFi. A place where teams can get actionable security intelligence for prevention, detection, and response to cybersecurity threats.

If you are interested, please reach out 👋, and let’s chat about it on our own Discord.

🛡🛡🛡🛡

If you haven’t had a chance to use Babylon yet, please head to the website and take a look. We are still in private Beta but the public launch is imminent.

You can join our discord community here.


Disclaimer: Opinions or messages expressed here are solely my own and do not express the views or opinions of my employer