Credix’ layered security model

Maxim Piessen
Credix
Published in Credix · 3 min read · Aug 3, 2022

At Credix, we’re building the future of global credit markets. We build on the most advanced decentralized technologies to achieve this goal, while always taking a security-first approach, both from a technology standpoint and from a development and methodology standpoint. That’s why we’ve introduced several layers of security to the Credix platform, as visualized below:

Tests — tests — tests

We take testing seriously. This is reflected in a test suite covering unit tests in Rust to validate our Solana program code (the smart contract), unit tests in JavaScript to ensure that our client (the abstraction layer used to interact with the smart contracts) works as expected, and visual and automated user-flow tests for our app to verify that the application behaves the right way. Lastly, we’ve also built a fully-fledged digital twin in Python. This digital twin mimics the behavior of the smart contract, allowing us to generate an unbounded number of end-to-end scenarios, which are then fed to the smart contract tests.

The test suite runs automatically on every change to the smart contracts, client, and app, ensuring that existing features still function as expected when changes are introduced.

Security audits

Upon the release of bigger features (e.g. tranching, secondary market, etc.), we work together with specialized smart contract audit firms. We leveraged Certik’s experience for the first audit back in December 2021. The report can be found here. In June 2022, we had our V2 audited by Halborn. The report can be found here.

Stakeholder whitelisting

All stakeholders have to be whitelisted by Credix. On a technical note, we issue a Credix pass on-chain once all legal, compliance and commercial obligations of a stakeholder are met. This Credix pass lists the permissions of the stakeholder: a borrower is only allowed to interact with the borrower-related program instructions, just as an investor is only able to invest and withdraw (after a specific lockup time). Every instruction checks for this Credix pass, shielding the program from external actors or attackers who hold no pass.
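To make the per-instruction pass check concrete, here is an added example (not Credix’s program code) written in plain Rust so it runs without Solana or Anchor. Account lookups, signer keys, the permission model (a single role per pass), the lockup timestamp stored on the pass and the instruction names are all assumptions of this example; the point it demonstrates is that every instruction first resolves the caller’s pass and rejects the call when the pass is missing, inactive or carries the wrong role, and that the investor withdraw additionally enforces the lockup.

```rust
// Added example: a stand-alone model of a whitelist ("pass") check that gates
// every instruction of a program. Not Credix's code; Solana/Anchor account
// types are replaced by simple in-memory structs (assumption).
use std::collections::HashMap;

/// Stand-in for a Solana public key (assumption: 32 raw bytes).
pub type Pubkey = [u8; 32];

/// Helper to build distinct test keys deterministically.
pub fn key(n: u8) -> Pubkey {
    let mut k = [0u8; 32];
    k[0] = n;
    k
}

/// Role encoded on the pass (assumption: one role per pass).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Role {
    Borrower,
    Investor,
}

/// On-chain pass issued after onboarding (assumption: lockup end stored here).
#[derive(Clone, Debug)]
pub struct CredixPass {
    pub holder: Pubkey,
    pub role: Role,
    pub active: bool,
    /// Unix timestamp before which an investor may not withdraw.
    pub lockup_until: i64,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ProgramError {
    MissingPass,
    PassInactive,
    WrongRole,
    LockupActive,
    InsufficientFunds,
}

/// Minimal market state: issued passes, LP balances and the pooled liquidity.
/// There is deliberately no transfer instruction, so LP balances only change
/// through the gated deposit/withdraw paths.
pub struct Market {
    passes: HashMap<Pubkey, CredixPass>,
    lp_balances: HashMap<Pubkey, u64>,
    pool: u64,
}

impl Market {
    pub fn new() -> Self {
        Market { passes: HashMap::new(), lp_balances: HashMap::new(), pool: 0 }
    }

    /// Issued by the platform after KYC/KYB and legal checks are complete.
    pub fn issue_pass(&mut self, pass: CredixPass) {
        self.passes.insert(pass.holder, pass);
    }

    /// Deactivating a pass immediately locks the holder out of every instruction.
    pub fn revoke_pass(&mut self, holder: &Pubkey) {
        if let Some(p) = self.passes.get_mut(holder) {
            p.active = false;
        }
    }

    /// The common guard every instruction runs first: pass must exist, be
    /// active, and carry the role the instruction requires.
    fn require_pass(&self, signer: &Pubkey, role: Role) -> Result<&CredixPass, ProgramError> {
        let pass = self.passes.get(signer).ok_or(ProgramError::MissingPass)?;
        if !pass.active {
            return Err(ProgramError::PassInactive);
        }
        if pass.role != role {
            return Err(ProgramError::WrongRole);
        }
        Ok(pass)
    }

    /// Investor-only instruction; returns the caller's new LP balance.
    pub fn deposit(&mut self, signer: &Pubkey, amount: u64) -> Result<u64, ProgramError> {
        self.require_pass(signer, Role::Investor)?;
        self.pool += amount;
        let bal = self.lp_balances.entry(*signer).or_insert(0);
        *bal += amount;
        Ok(*bal)
    }

    /// Investor-only instruction that also enforces the lockup; returns the
    /// caller's remaining LP balance.
    pub fn withdraw(&mut self, signer: &Pubkey, amount: u64, now: i64) -> Result<u64, ProgramError> {
        let lockup_until = self.require_pass(signer, Role::Investor)?.lockup_until;
        if now < lockup_until {
            return Err(ProgramError::LockupActive);
        }
        let bal = self.lp_balances.get_mut(signer).ok_or(ProgramError::InsufficientFunds)?;
        if *bal < amount {
            return Err(ProgramError::InsufficientFunds);
        }
        *bal -= amount;
        self.pool -= amount;
        Ok(*bal)
    }

    /// Borrower-only instruction; returns the liquidity left in the pool.
    pub fn draw_down(&mut self, signer: &Pubkey, amount: u64) -> Result<u64, ProgramError> {
        self.require_pass(signer, Role::Borrower)?;
        if self.pool < amount {
            return Err(ProgramError::InsufficientFunds);
        }
        self.pool -= amount;
        Ok(self.pool)
    }
}

fn main() {
    let mut m = Market::new();
    let investor = key(1);
    m.issue_pass(CredixPass { holder: investor, role: Role::Investor, active: true, lockup_until: 1_000 });
    println!("deposit as investor: {:?}", m.deposit(&investor, 500));
    println!("withdraw during lockup: {:?}", m.withdraw(&investor, 100, 999));
    println!("deposit without a pass: {:?}", m.deposit(&key(9), 1));
}
```

The guard is a single function that every instruction calls before touching state, so adding a new instruction cannot silently skip the check, and revoking a pass takes effect on the very next call without any token or balance having to move.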

KYC/KYB’d stakeholders only

Credix is a fully permissioned marketplace, meaning that all stakeholders have to identify themselves. Individuals (e.g. accredited investors) have to go through a KYC (know your customer) process; businesses (e.g. institutional investors) have to go through a KYB (know your business) process. This process only needs to be performed once, during onboarding. Once onboarding is completed, an on-chain proof is issued to the wallet of the individual or business. This proof is required to interact with the Credix platform.

Non-transferable tokens

The Credix platform leverages several tokens to keep track of the investments and accrued yield. The LP token is issued when investing in the liquidity pool of a market. Tranche tokens are issued when investing in junior tranches of specific deals.

Due to regulatory ambiguity, none of our tokens can be made transferable today, as a KYB’d/whitelisted investor could otherwise transfer its LP tokens to an investor who has not been KYB’d/KYC’d. Therefore, all of our tokens are made non-transferable. This not only keeps Credix compliant with regulations but also stops an attacker from moving tokens out of your wallet in case of a wallet exploit. We are working on an OTC desk and secondary market to make transfers between trusted stakeholders possible.

If you want to learn more about how we tackle security at Credix, I recently did an AMA with Halborn explaining the above and more. Check it out!

CTO @ Credix —Building the future of global credit markets | DeFi — Blockchain — AI — Photography | Twitter: @PiessenMaxim