DeFi Safety
Published in

DeFi Safety

Red koin gud

Avalanche has done a good job in burying us with proof of good process quality. While some areas are in need of improvement, they’re only bested by Ethereum in terms of secure development practice. Let’s hit the slopes and figure out why 🎿🎿🎿 →

Avalanche has never gone down. This is impressive given the record of other smart contract L1s. The network has experienced massive load and it has met the demand — this is critical for any chain.

Avalanche is also impressively distributed. With over 3000 nodes validating and some 3500 nodes archiving, Avalanche is the second most decentralised that we’ve come across (in terms of node count).

Nonetheless, users should be mindful that over 50% of the validators run on AWS and geographically over 75% are situated in either the United States or Germany. This hampers their decentralisation efforts and presents risk. https://avascan.info/stats/staking

Should the US and Germany suffer a cyber attack, the network will be subject to massive stress. Further incentivising validators on other continents boost network security — @Solana does this. Nonetheless, the raw figure of validators is leading and impressive.

This is thanks to extremely detailed instructions detailing how to operate their node and low hardware requirements. We’re also pleased by their system specification documentation for the nodes software. https://github.com/ava-labs/avalanchego

Avalanche has somehow managed to keep fees low and the network fast while having more validating nodes than almost any other L1. It is impressive that they’ve walked the tightrope so many other chains fail to do.

One area in relation to their nodes that needs immediate attention is the plurality of node implementations. This chain is held together by one node software: AvalancheGo. If a bug is exploited, the entire network could grind to a halt and billions in TVL will be at risk.

This Achilles heel is inflamed by Avalanche’s irrelevant bug bounty offering. At just $10,000, the best brains in crypto are not being attracted to the network. Fortunately, Ava Labs are increasing this bug bounty and will release an update at the end of this week!

Why would any grey hatter wear his white hat when the black one looks especially lucrative today and there is such a clear single point of failure? We’re glad Avalanche is perceptive to this threat and @_patrickogrady is working to mitigate it!

Nonetheless, the node implementation itself seems well considered. At an average of 153 days of discussion before each update is pushed (and perfect relevant software function docs), GoAvalanche’s development is clearly methodical.

This is heartening and minimises technical risk through many eyes. Avalanche’s test suite is clearly well fleshed out with good documented testing. Users can see example test reports to compare their own results against — decreasing technical risk via verification.

When it comes to good code development practices, node decentralisation and various pieces of supporting software, Avalanche shines. However, when considering other industry standard security practises, Avalanche is more hesitant.

We’re aware that Avalanche has audited its node software thanks to our discussion with the lovely @luigidemeo. This remains private. Without a publicly available report to cite, we cannot award points for this.

@0xPolygon is in a similar situation, and only shares their report with those who understand that it does not constitute any guarantee or investment advice — is Avalanche the same? We’d like clarification here. https://twitter.com/Mudit__Gupta/status/1537067893455835138

Regardless of their reasons, Avalanche should strongly consider making this public to assist security researchers in reviewing the node software. Other L1s frequently audit their node software — @el33th4xor wen (public) audit for AvaGo?

If not, perhaps it’s time to refresh it? AvalancheGo has evidently evolved significantly beyond what it was so a new audit could be beneficial. This would both reassure users and comfortably make Avalanche the industry leader in minimising technical risk.

This lack of audited node software is compounded by the previously mentioned laughable bug bounty — though a fix is incoming. This severely hampers their score and lets down the rest of their considerable efforts to ensure good development process.

Luckily, both of these are really simple to fix! Ava Labs knows how useful a bounty is (ETA for a new one is this week!) and we will update their score upon release. For proof of value of bug bounties: https://medium.com/immunefi/armorfi-bug-bounty-postmortem-cf46eb650b38

Looking to the future, we’re excited by the considerable efforts they’ve made for their Subnets. Nonetheless, we’d like them to stay mindful of the importance of continuing to ensure that they’re sufficiently decentralised.

Any subnet that hosts assets must be decentralised to the fullest extent that it can be. We’re generally pleased by the work Avalanche has done in mitigating technical risk and hope that this good work continues.

Overall, Avalanche should be congratulated for reducing technical risk and earns their spot at second place on our safety leaderboard. We’re excited to see what they’ve got planned — so long as they stick to ensuring minimal technical risk!

This is a (long) snippet of a full technical risk report on Avalanche. For the full report, 14 other chains, scores on some 30,000 contracts as well as the protocol scores you know and love, please visit DeFiSafety.com/app and buy a subscription. It’s 50% off!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store