BAO Finance and Immunefi: A Case Study in DeFi Platform Security

Taking a look at BAO Finance’s experience with Immunefi as a platform, streamlining security and development.

Jester
Baommunity
5 min read · Apr 20, 2023


An article written by @haruxeETH

Introduction

In the rapidly evolving world of decentralized finance (DeFi), security is paramount. With billions of dollars at stake, it’s essential for protocols to ensure that their platforms are as secure as possible. In this article, we’ll explore BAO Finance’s partnership with Immunefi, which has helped establish a new standard for BAO’s security ideologies and streamline the process of identifying and addressing potential vulnerabilities.

What Is BAO Finance?

Splash Page (bao.finance)

BAO Finance is a decentralized autonomous organization (DAO) and a DeFi platform built on Ethereum. It offers users the ability to borrow USD- and ETH-pegged currencies against yield-bearing collateral as well as participate in liquidity mining. BAO Finance also provides access to baskets, representing an index of underlying tokens, which enable users to gain exposure to a diversified set of assets with a single token.

Additionally, the platform supports the growth of liquidity throughout DeFi via its “base pools” and gauges that allow projects to pair any token with incentivized USD or ETH liquidity. BAO Finance aims to provide users with a comprehensive suite of DeFi services while emphasizing transparency, community governance, and risk management.

BAO’s Perspective: Why Immunefi?

BAO Immunefi Page (https://immunefi.com/bounty/baofinance/)

As a member of the BAO Finance team, I cannot overstate the importance of our partnership with Immunefi. Since being listed in 2021, we have received numerous vulnerability reports which have been instrumental in ensuring the safety and security of our platform. Paired with traditional audits, this gives us the best code coverage at any given time.

BAO Finance takes security very seriously and has implemented several measures to protect user funds and prevent potential exploits, with over $3.7 million in total value locked (TVL) on its platform. Thanks to the meticulous approach to building the platform and a strategic partnership with Immunefi, a leading security and bug bounty platform, BAO Finance has remained exploit-free throughout its two years of operation.

In Comparison To Alternatives

Immunefi has by far been the most efficient and effective bug bounty program that we have used thus far, not only for the quick responsiveness but also for the number of whitehats who use the platform.

The collaboration with Immunefi has enabled BAO Finance to tap into a vast network of security researchers and experts, who have been instrumental in identifying and fixing potential vulnerabilities before they could be exploited. By placing a premium on security, BAO Finance has been able to foster trust and confidence in its user base, which has translated into steady growth and adoption within the DeFi community.

It is imperative that actively maintained protocols like BAO Finance be listed on Immunefi as there is a lot of code to cover regularly — making for a reasonable statistical room for error, whether that be an integration mistake during deployment or an overlooked logical portion in one of our smart contracts. We regularly deploy new strategies and liquidity positions that house user funds, and ensuring their safety is of utmost importance.

We currently offer up to $100k for critical vulnerabilities, which, to a DAO, may seem like an enormous amount but is actually a mutually beneficial bounty reward because of how much of our user funds would be put at risk.

There is essentially no risk for participating whitehats, as they are protected under Immunefi’s strict disclosure policies and are rewarded for their efforts. This creates a win-win situation for both BAO Finance and the whitehat community.

Securing the Whitehat Community

Making the whitehat community happy keeps us happy (and safe). It is not mandatory to pay out reports that are out of scope — but we ensure that all reports are evaluated thoroughly, quickly, and fairly; these factors are crucial to maintaining a secure platform.

BAO Finance has taken this responsibility seriously and has made it a point to address even edge cases, which can be challenging to identify and resolve.

This close relationship, together with a growing community of whitehats, ensures that BAO can continue to innovate and offer its users a secure and reliable DeFi platform for years to come.

Uninitialized Proxies: A Close Call with Contract Destruction

In late 2021, BAO Finance deployed the first set of core contracts to bootstrap the launch of our protocol but inadvertently made a significant, unnoticed error. Whitehat ckksec reported the resulting vulnerability: an uninitialized Diamond contract that could be entirely destroyed.

The report submitted by ckksec detailed how an attacker could initialize and subsequently destroy the Diamond implementation contract through a malicious delegate call to a contract containing specific instructions and owned by the attacker. This was possible because the uninitialized contract allowed the attacker to call initialize() on the Diamond implementation and then define functions that would be forwarded via delegatecall() from the implementation.

Ckksec provided a proof of concept (PoC) exploit contract to demonstrate the vulnerability. The impact of this vulnerability was the deletion (destruction) of the implementation contract, necessitating the redeployment of the implementation and an update of contracts that used the former implementation. This issue is similar to a vulnerability discovered in OpenZeppelin, but less dangerous as it could be fixed by updating the implementation in the proxy.

Because we were listed on Immunefi, we were able to address the vulnerability swiftly — keeping our protocol safe.
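The class of bug described in this section, shown as an added example that is not BAO Finance's code or ckksec's PoC: a hypothetical implementation contract whose own storage is never initialized, next to a variant that locks itself at deployment (the same idea as OpenZeppelin's `_disableInitializers()`). All contract and function names other than `initialize()` are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical implementation contract (illustrative only).
// Weak form: proxies initialize their own storage through delegatecall, but
// nothing ever initializes the implementation's storage. Whoever calls
// initialize() directly on the implementation address first becomes its
// owner and can then point execute() at any code, which runs in the
// implementation's own context.
contract WeakImplementation {
    address public owner;
    bool internal initialized;

    function initialize(address owner_) external {
        require(!initialized, "already initialized");
        require(owner_ != address(0), "zero owner");
        initialized = true;
        owner = owner_;
    }

    // Owner-gated forwarder: code at `facet` executes with this contract's
    // storage and address, so the owner check is the only protection.
    function execute(address facet, bytes calldata data)
        external
        returns (bytes memory)
    {
        require(msg.sender == owner, "not owner");
        (bool ok, bytes memory out) = facet.delegatecall(data);
        require(ok, "delegatecall failed");
        return out;
    }
}

// Hardened form: the constructor runs once, at the implementation's own
// address, and marks that storage as initialized. A proxy has separate
// storage that the constructor never touches, so each proxy can still be
// initialized exactly once through its delegatecall to initialize().
contract HardenedImplementation is WeakImplementation {
    constructor() {
        initialized = true; // direct initialize() calls now revert
    }
}
```

A deployment check that follows from this: after deploying, call `initialize()` directly on the implementation address in a test or fork and confirm that it reverts.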

Conclusion

I cannot stress the importance of security in DeFi platforms enough, and our partnership with Immunefi has been instrumental in maintaining the safety and trust of our users.

While our partnership with Immunefi has been crucial in maintaining a secure platform, it’s important to remember that being exploit-free for two years does not make us, or anyone, immune to potential exploits. It is essential to implement comprehensive testing, audits, and contingency plans to prepare for potential exploits of critical vulnerabilities.

We encourage other DeFi projects to follow in our footsteps and join forces with Immunefi, leveraging their extensive network of security experts to ensure the safety of user funds. With millions of dollars being stolen from DeFi projects each year, taking proactive measures to prevent potential exploits should be a no-brainer. By working together with platforms like Immunefi, we can create a safer and more secure DeFi ecosystem for all users.
