Penalties for hacked protocols

Nick · Published in DeFi Safety · 3 min read · Mar 15, 2022

Our analyses are ever improving. To reflect some of the feedback we’ve received as well as some internal discussions, we’re moving forward with our plan to apply penalties to protocols that have undergone security incidents.

At the moment, some protocols have extremely high process quality scores, and yet their user funds have been compromised (in one case three times over). This indicates a weakness in our analyses, because the scores do not agree with common sense — users may interpret a high DeFiSafety score as indicating lower relative smart contract risk, and yet the smart contracts have been exploited. To fix this, we’re implementing a variety of tiered penalties on protocols that have suffered hacks.

A PQR score will not reflect this penalty, though a protocol’s final score will. Given that documentation etc. remains the same, we will only apply these penalties to a protocol’s final score and the initial PQR score will remain visible. Full details will be provided after we work through an example with you. A penalty will only remain in effect on a protocol for 6 months.

Let’s consider Compound. Compound earned an impressive 93%, though due to the COMP printing incident of the 29th of September, a penalty should be applied.

  • Given the relative insignificance of this bug (compared to COMP’s significant TVL), we will not provide a significant %TVL penalty.
  • However, given that this error was easily preventable, a more significant error type penalty shall be applied.
  • Finally, despite a quick response, funds were not fully reimbursed (due to loss in value of token due to excess supply).

This builds a 25% penalty, as per our guidance below. As such, Compound’s 93% now becomes 68%. Nevertheless, Compound can take solace in the fact that our penalties are only applicable for 6 months: the penalty will be lifted on the 30th of March, at which point the score will return to 96%.

Please see this table for a full list of reviewed protocols that will now be subject to a penalty.

__________________

As ever, DeFiSafety prides itself on being transparent. This is our new penalty logic, and we welcome any comments you may have about it.

Multiple incidents in a short period of time can be cumulative. In other words, you could lose 20% for one hack and then another 30% for another, giving a total penalty of 50%. Scores cannot be negative. The minimum score is 0%.

Our penalty matrix.

Penalties may be reduced in two circumstances:

  • 5% if there is a rapid pause control reaction (rapid being sub 2 hours)
  • 5% if follow up quality is good (detailed technical explanation with solution)

By our definition, a major hack is one where >25% assets are lost. A minor hack is one in which less than 25% of the assets are lost.

As stated earlier, after six months the penalty is erased.
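The penalty rules above (cumulative penalties, the 0% floor, the two 5% reductions, the 25% major/minor threshold and the six-month expiry) together with the Compound walk-through earlier in the post, as an added Python example; this is not DeFiSafety’s own code. The penalty matrix is an image not reproduced on this page, so each incident’s matrix penalty is supplied by the caller. The 182-day reading of “six months” (which makes the 29 September Compound penalty lift on 30 March, as the post states), the assumption that the reductions apply per incident and cannot push a penalty below zero, and every non-Compound sample incident are my own assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Rule constants taken from the post. The 182-day window is an assumption: it is
# one reading of "six months" and it makes the 29 Sep 2021 Compound penalty lift
# on 30 Mar 2022, matching the post.
PENALTY_WINDOW = timedelta(days=182)
RAPID_PAUSE_LIMIT = timedelta(hours=2)
REDUCTION_PER_MITIGATION = 5       # percentage points: once for rapid pause, once for good follow-up
MAJOR_HACK_THRESHOLD_PCT = 25.0    # more than 25% of assets lost counts as "major"


@dataclass
class Incident:
    occurred: date
    base_penalty: int                         # points from the penalty matrix (matrix not on the page; caller supplies)
    assets_lost_pct: float                    # share of the protocol's assets lost in the incident
    pause_reaction: Optional[timedelta] = None  # time until pause controls were used; None = never paused
    good_followup: bool = False               # detailed technical explanation with solution was published


def severity(incident: Incident) -> str:
    """Major hack: >25% of assets lost; minor: 25% or less."""
    return "major" if incident.assets_lost_pct > MAJOR_HACK_THRESHOLD_PCT else "minor"


def effective_penalty(incident: Incident) -> int:
    """Matrix penalty less the two possible 5-point reductions, never below zero (assumption)."""
    reduction = 0
    if incident.pause_reaction is not None and incident.pause_reaction < RAPID_PAUSE_LIMIT:
        reduction += REDUCTION_PER_MITIGATION
    if incident.good_followup:
        reduction += REDUCTION_PER_MITIGATION
    return max(incident.base_penalty - reduction, 0)


def is_active(incident: Incident, review_date: date) -> bool:
    """A penalty counts from the day of the hack until the window has elapsed."""
    return incident.occurred <= review_date < incident.occurred + PENALTY_WINDOW


def final_score(pqr_score: int, incidents: List[Incident], review_date: date) -> int:
    """Final score = PQR score minus the sum of all still-active penalties, floored at 0%."""
    total = sum(effective_penalty(i) for i in incidents if is_active(i, review_date))
    return max(pqr_score - total, 0)


# --- worked cases (constructed; only the Compound figures come from the post) ---

COMPOUND_PQR = 93
COMPOUND_INCIDENTS = [
    # 29 Sep 2021 COMP distribution bug: the post's worked penalty is 25 points.
    # assets_lost_pct is a constructed placeholder; the post only says the loss was
    # small relative to TVL.
    Incident(occurred=date(2021, 9, 29), base_penalty=25, assets_lost_pct=1.0),
]


def compound_demo():
    """Returns (score while penalised, score on the day the penalty lifts)."""
    return (
        final_score(COMPOUND_PQR, COMPOUND_INCIDENTS, date(2022, 3, 15)),  # 93 - 25 = 68
        final_score(COMPOUND_PQR, COMPOUND_INCIDENTS, date(2022, 3, 30)),  # back to the PQR score
    )


def cumulative_demo():
    """Two hacks inside one window add up (20 + 30 = 50); a weak protocol floors at 0%."""
    hacks = [
        Incident(date(2022, 1, 10), base_penalty=20, assets_lost_pct=5.0),
        Incident(date(2022, 2, 20), base_penalty=30, assets_lost_pct=40.0),
    ]
    review = date(2022, 3, 1)
    return (
        final_score(90, hacks, review),   # 90 - 50 = 40
        final_score(40, hacks, review),   # 40 - 50 clamps to 0
        [severity(h) for h in hacks],     # ["minor", "major"]
    )


def mitigation_demo():
    """A 30-point penalty with a 90-minute pause and a good post-mortem becomes 20."""
    hack = Incident(date(2022, 2, 1), 30, 10.0,
                    pause_reaction=timedelta(minutes=90), good_followup=True)
    return effective_penalty(hack)


if __name__ == "__main__":
    print("Compound:", compound_demo())
    print("Cumulative:", cumulative_demo())
    print("Mitigated:", mitigation_demo())
```

The expiry check is a half-open interval, so an incident stops counting on the first day after the window rather than on its last day; this is what makes the Compound penalty disappear on 30 March in the example.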

Each penalty will be prefaced with a short overview of the hack and the penalty it received.

Please find an example revised report (CREAM).

As you can see, I changed the “Overview” section only. We would add the Security Incident Explanation section. Despite its three incidents, C.R.E.A.M. gets its score slashed by only 15%, as just one of them is less than 6 months old.

We have implemented these penalties so that our PQR scores more accurately reflect the state of the protocols that we are reviewing. As ever, please contact us if you have any comments — we’re very excited to offer these improved reviews!
