Private Repos
This article discusses how to get a high score on DeFiSafety when you have a private repo. By private repo we mean a software repository where the contents are not open to the public. Frequently developers have private repos to protect against their protocol being forked (or copied).
A private repo is a business decision. Ethereum was built on public, open source software, and the DeFiSafety score was designed around those values. However, especially in DeFi in 2021, there are clear advantages in maintaining a private repo. For this reason we designed our latest process (0.6) to allow for a high score with a private repo. A score of 92% is possible with no repo visible.
This article will discuss in detail how a protocol can maximize their score.
Code and Team
A private repo does not mean private addresses. No one can trust you if they cannot see the code that is executing. The addresses of the deployed contracts must be clearly displayed, labelled and cover all executing contracts.
With the addresses we can confirm the contracts are being actively used. That check is unchanged by a private repo.
A private repo will score zero for “Is there a development history visible?”; this is unavoidable.
The question “Is the team public (not anonymous)?” is unchanged by a private repo. You can still declare the team members on your website or other docs.
Documentation
Documentation helps transparency and does not help someone fork your product. There is no reason why clear and complete software documentation (along with the white paper and other docs) cannot co-exist with a private repo.
The documentation requirement is unchanged by a private repo.
Testing
The test suite is the most important element hidden by a private repo. Without a working test suite it is very difficult to fork the code. However, for transparency, the public needs to know that the code is tested. Fortunately there are tactics that let you publicly prove you have fully tested your code without enabling a fork.
These are the questions on testing that DeFiSafety answers when doing a review:
- Full test suite (Covers all the deployed code)
- Code coverage (Covers all the deployed lines of code, or explains misses)
- Scripts and instructions to run the tests
- Packaged with the deployed code
- Report of the results
- Formal Verification test done
- Stress Testing environment
These questions do not require the test repository, so they are unaffected by a private repo:
- Formal Verification test done
- Stress Testing environment
This question is difficult to answer without a public repo, so it will always score zero:
- Scripts and instructions to run the tests
These are the questions which need answers without displaying the tests:
- Full test suite (Covers all the deployed code)
- Code coverage (Covers all the deployed lines of code, or explains misses)
- Packaged with the deployed code
- Report of the results
The solution is a strong test report. The test report should include the list of tests run (for example the test runner's output), a text description of the test philosophy, the code coverage results and, if coverage is below 100%, an explanation of why each missed section of code is not covered.
A test report gives most of the transparency required while retaining the privacy of a private repo.
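As an added example of how such a report can be produced mechanically (this is not DeFiSafety's tooling or any protocol's own script), the script below builds a publishable test report from an LCOV coverage file and a list of test names, without including any test source. It assumes the test suite emits LCOV (solidity-coverage writes `coverage/lcov.info`) and that the team keeps a small table of justifications for lines that are intentionally uncovered; the LCOV data, the justifications and the test names here are constructed sample input. Any uncovered line without a justification is flagged so the report is not published with unexplained misses.

```python
"""Build a public test report from LCOV coverage without publishing the tests.

Added example, not DeFiSafety's or any protocol's code. Assumes the test runner
produces an LCOV file (solidity-coverage writes coverage/lcov.info) and that the
team maintains a justification table for intentionally uncovered lines.
"""

# Constructed LCOV sample standing in for coverage/lcov.info.
SAMPLE_LCOV = """\
TN:
SF:contracts/Vault.sol
DA:10,5
DA:11,5
DA:12,5
DA:20,2
end_of_record
TN:
SF:contracts/Emergency.sol
DA:8,3
DA:9,0
DA:10,0
DA:15,1
DA:16,0
end_of_record
"""

# Constructed justification table: (file, line) -> why the line is not covered.
JUSTIFICATIONS = {
    ("contracts/Emergency.sol", 9): "Pause branch; exercised in the stress environment, not unit tests.",
    ("contracts/Emergency.sol", 10): "Same pause branch as line 9.",
}

# Constructed list of test names, as a test runner would print them.
TESTS_RUN = [
    "Vault: deposit credits shares",
    "Vault: withdraw burns shares",
    "Emergency: guardian can pause",
]


def parse_lcov(text):
    """Return {file: {line: hits}} from LCOV text (SF / DA / end_of_record records)."""
    files = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SF:"):
            current = line[3:]
            files[current] = {}
        elif line.startswith("DA:") and current is not None:
            lineno, hits = line[3:].split(",")[:2]  # DA:<line>,<hits>[,<checksum>]
            files[current][int(lineno)] = int(hits)
        elif line == "end_of_record":
            current = None
    return files


def summarize(files, justifications):
    """Per-file and total line coverage; uncovered lines split into explained / unexplained."""
    summary = {"files": {}, "unexplained": []}
    total_lines = total_hit = 0
    for path, lines in files.items():
        hit = sum(1 for h in lines.values() if h > 0)
        uncovered = sorted(l for l, h in lines.items() if h == 0)
        explained = {l: justifications[(path, l)] for l in uncovered if (path, l) in justifications}
        unexplained = [l for l in uncovered if l not in explained]
        summary["files"][path] = {
            "lines": len(lines),
            "hit": hit,
            "pct": 100.0 * hit / len(lines) if lines else 100.0,
            "explained": explained,
            "unexplained": unexplained,
        }
        summary["unexplained"].extend((path, l) for l in unexplained)
        total_lines += len(lines)
        total_hit += hit
    summary["total_pct"] = 100.0 * total_hit / total_lines if total_lines else 100.0
    return summary


def render_report(summary, tests_run):
    """Render the markdown report: tests run, coverage table, and every uncovered line."""
    out = ["# Test report", "", f"Tests run: {len(tests_run)}", ""]
    out += [f"- {name}" for name in tests_run]
    out += ["", f"Line coverage: {summary['total_pct']:.1f}%", ""]
    out += ["| File | Lines | Covered | % |", "|---|---|---|---|"]
    for path, f in summary["files"].items():
        out.append(f"| {path} | {f['lines']} | {f['hit']} | {f['pct']:.1f} |")
    out += ["", "## Uncovered lines"]
    for path, f in summary["files"].items():
        for l, why in f["explained"].items():
            out.append(f"- {path}:{l}: {why}")
        for l in f["unexplained"]:
            out.append(f"- {path}:{l}: NO JUSTIFICATION (explain or cover before publishing)")
    return "\n".join(out)


def build_report(lcov_text=SAMPLE_LCOV, justifications=JUSTIFICATIONS, tests_run=TESTS_RUN):
    """Return (summary, markdown) for the given coverage data."""
    summary = summarize(parse_lcov(lcov_text), justifications)
    return summary, render_report(summary, tests_run)


if __name__ == "__main__":
    summary, report = build_report()
    print(report)
    # Fail the publish step if any miss lacks a written justification.
    raise SystemExit(1 if summary["unexplained"] else 0)
```

Run it after the test suite in the same CI job that archives the deployed artefacts, so the report is versioned with the code it describes; the report exposes test names, coverage percentages and line numbers, but none of the test logic, which is what keeps the suite private.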
Audits
The audit question and score is unaffected by a private repo.