Private Repos

Rex Hygate
Mar 31 · 3 min read

This article discusses how to get a high score on DeFiSafety when you have a private repo. By private repo we mean a software repository where the contents are not open to the public. Frequently developers have private repos to protect against their protocol being forked (or copied).

A private repo is a business decision. Ethereum was built on public, open source software, and the DeFiSafety score was designed around those values. However, especially in DeFi in 2021, there are clear advantages in maintaining a private repo. For this reason we designed our latest process (0.6) to allow for a high score and a private repo. A score of 92% is possible with no repo visible.

This article will discuss in detail how a protocol can maximize their score.

Code and Team

A private repo does not mean private addresses. No one can trust you if they cannot see the code that is executing. The addresses must be clearly displayed, labelled and cover all executing contracts.

With the addresses we can confirm they are being actively used. No change there.

A private repo will get zero for “Is there a development history visible?” and “Is there a development history visible?”; this is unavoidable.

The question “Is the team public (not anonymous)?” is unchanged by a private repo. You can still declare the team members on your website or other docs.

Documentation

Documentation helps transparency and does not help someone forking your product. There is no reason why clear and complete software documentation (along with the white paper and other docs) cannot co-exist with a private repo.

The documentation requirement is unchanged by a private repo.

Testing

The test suite is the most important element that is hidden with a private repo. Without a working test suite it is very difficult to fork the code. However, for transparency, the public needs to know that the code is tested. Fortunately there are tactics that allow you to publicly prove you have fully tested your code without allowing a fork.

These are the questions on testing that DeFiSafety answers when doing a review:

  • Full test suite (Covers all the deployed code)
  • Code coverage (Covers all the deployed lines of code, or explains misses)
  • Scripts and instructions to run the tests
  • Packaged with the deployed code
  • Report of the results
  • Formal Verification test done
  • Stress Testing environment

These questions do not require the test repository, so they are unaffected by a private repo.

  • Formal Verification test done
  • Stress Testing environment

This question cannot be answered without a public repo, so it will always score zero.

  • Scripts and instructions to run the tests

These are the questions which need answers without displaying the tests.

  • Full test suite (Covers all the deployed code)
  • Code coverage (Covers all the deployed lines of code, or explains misses)
  • Packaged with the deployed code
  • Report of the results

The solution is a strong test report. The test report should include a list of the tests run (perhaps a test run output), a text description of the test philosophy, the code coverage results and descriptions of why some code is not covered (if not 100%).

A test report gives most of the transparency required while retaining the privacy of a private repo.
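As an added example of the kind of test report described above (this is not code from the article or from DeFiSafety), the script below assembles one from two inputs a private project can publish without exposing its tests: the names of the tests that ran and the LCOV coverage file most coverage tools can emit. It lists the tests, tabulates per-file and total line coverage, and, for every uncovered line, either prints the project's explanation or flags it as unexplained so the report is never published with silent gaps. The LCOV text, test names and explanations are constructed samples; the file paths and test names are hypothetical.

```python
"""Build a publishable test report from LCOV coverage data plus a list of test
names, without publishing the test sources themselves. Example code, not part
of the article or of any DeFiSafety tooling."""
from dataclasses import dataclass, field

# Constructed sample LCOV output (hypothetical contract paths). Real LCOV files
# use the same SF:/DA:/end_of_record records.
SAMPLE_LCOV = """\
TN:
SF:contracts/Vault.sol
DA:10,4
DA:11,4
DA:25,0
DA:26,0
LF:4
LH:2
end_of_record
SF:contracts/Token.sol
DA:5,12
DA:6,12
LF:2
LH:2
end_of_record
"""

# Constructed list of test names, e.g. captured from the test runner's output.
SAMPLE_TESTS = [
    "Vault: deposit credits balance",
    "Vault: withdraw reverts when paused",
    "Token: transfer updates balances",
]

# Explanations for uncovered lines, keyed by (file, line). Constructed; note
# that line 26 of Vault.sol is deliberately left unexplained.
SAMPLE_EXPLANATIONS = {
    ("contracts/Vault.sol", 25):
        "emergency path callable only by the multisig; exercised in the stress environment",
}


@dataclass
class FileCoverage:
    path: str
    lines_found: int = 0
    lines_hit: int = 0
    uncovered: list = field(default_factory=list)

    @property
    def percent(self) -> float:
        return 100.0 if self.lines_found == 0 else 100.0 * self.lines_hit / self.lines_found


def parse_lcov(text: str) -> list:
    """Parse LCOV records. Counts are derived from the DA: lines themselves rather
    than trusting the LF:/LH: summaries, so the report matches the raw data."""
    files, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SF:"):
            current = FileCoverage(path=line[3:])
        elif line.startswith("DA:") and current is not None:
            lineno, count = line[3:].split(",")[:2]
            current.lines_found += 1
            if int(count) > 0:
                current.lines_hit += 1
            else:
                current.uncovered.append(int(lineno))
        elif line == "end_of_record" and current is not None:
            files.append(current)
            current = None
    return files


def unexplained_misses(files: list, explanations: dict) -> list:
    """Uncovered lines that have no written justification; these should block publication."""
    return [(f.path, ln) for f in files for ln in f.uncovered if (f.path, ln) not in explanations]


def render_report(files: list, tests: list, explanations: dict) -> str:
    out = ["# Test report", "", f"Tests run: {len(tests)}", ""]
    out += [f"- {t}" for t in tests]
    out += ["", "## Coverage", "", "| File | Lines | Hit | % |", "|---|---|---|---|"]
    for f in files:
        out.append(f"| {f.path} | {f.lines_found} | {f.lines_hit} | {f.percent:.1f} |")
    found = sum(f.lines_found for f in files)
    hit = sum(f.lines_hit for f in files)
    total_pct = 100.0 * hit / found if found else 100.0
    out += ["", f"Total: {hit}/{found} lines ({total_pct:.1f}%)", "", "## Uncovered lines", ""]
    for f in files:
        for ln in f.uncovered:
            why = explanations.get((f.path, ln), "NO EXPLANATION PROVIDED")
            out.append(f"- {f.path}:{ln}: {why}")
    return "\n".join(out)


if __name__ == "__main__":
    cov = parse_lcov(SAMPLE_LCOV)
    print(render_report(cov, SAMPLE_TESTS, SAMPLE_EXPLANATIONS))
    missing = unexplained_misses(cov, SAMPLE_EXPLANATIONS)
    if missing:
        print(f"\nRefusing to publish: {len(missing)} uncovered line(s) lack an explanation: {missing}")
```

The report deliberately contains only test names, counts and justifications, never test bodies, which is what keeps the suite private while still letting a reviewer check the "full test suite", "code coverage" and "report of the results" questions. Treat a non-empty `unexplained_misses` result as a release blocker: an uncovered line with no stated reason is exactly the gap a reviewer will score against.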

Audits

The audit question and score is unaffected by a private repo.

DeFi Safety

Smart Contract Quality and Transparency for DeFi Protocols
