Element Protocol Security Roadmap Update
In our previous blog post, we shared news that our security audits are complete and have been reviewed by integrators as well as our road to Ethereum Mainnet.
Today, we are excited to share the official audit reports, officially open source the Element Protocol codebase, and introduce our bug bounty program to the world!
Security Audits
Our audit reports provide a highly detailed analysis on the areas of coverage and concern, and we are happy to share them with our community to help anyone better understand how the Element Protocol works.
The following traditional security audits have been performed on the Element Protocol’s core contracts.
Runtime Verification Final Audit Report
Runtime Verification Inc. is a company aimed at using runtime verification-based techniques to perform security audits on virtual machines and smart contracts on public blockchains. They are dedicated to using its dynamic software analysis approach to improve the safety, reliability, and correctness of software systems in the blockchain field. Therefore, we contracted them to do a formal audit on the Element Protocol.
Summary of Findings
Runtime Verification’s Audit discovered a total of nine reported bugs with impact. This includes 3 Critical, 0 High, 2 Medium, 4 Low vulnerabilities, as well as informational findings and suggestions. All identified issues were either patched or resolved.
Read the Runtime Verification final audit report here.
PeckShield Final Audit Report
PeckShield is a leading blockchain security company with the goal of elevating the security, privacy, and usability of current blockchain ecosystems by offering top-notch, industry-leading services and products (including the service of smart contract auditing).
Summary of Findings
PeckShield’s Audit discovered 1 medium-severity vulnerability, 2 low-severity vulnerabilities, and 2 informational recommendations. PeckShield’s audit started at a later date than RV’s audit so reviewed the code which had been bug fixed as part of the RV audit. All identified issues were either patched or resolved.
Read the PeckShield final audit report here.
Element v1 Codebase is now Open Source!
We’re excited to announce that the Element Protocol v1 smart contracts are now public and open source! The Protocol’s core contracts can be found in the elf-contracts Github repository here.
As described in our Construction Paper, Element’s architecture is based on native assets (initially BTC, ETH, USDC, and DAI) getting routed into the linked into vaults/strategies. Element issues the user two tokens, one representing the base principal, one representing the variable interest gained over the term period. With Element, there’s a wide degree of composability and different forms of integration are possible. This gives Element the flexibility to support many different products to be built on top of the Protocol.
Element Protocol V1 Smart Contracts Overview
Here are some of the most important Element Protocol contracts:
- ConvergentCurvePool.sol
- InterestToken.sol
- Tranche.sol
- UserProxy.sol
- WrappedPosition.sol
- YVaultAssetProxy.sol
- factories/ConvergentPoolFactory.sol
- factories/InterestTokenFactory.sol
- factories/TrancheFactory.sol
Announcing the Launch of the Element Bug Bounty Program
Starting today, April 30, the Element Finance v1 is subject to the Element Bug Bounty Program to incentivize responsible bug disclosure.
The scope of the program is limited to the element-fi `elf-contracts` repository and submissions should only be based on commit hash: `5517dbe0982b85bc7a7207b5119d9a728bf1f830`. The program rewards range from critical to low severity bugs. The bounty program will pay out rewards according to the severity of the vulnerability. See the Eligibility section on the Bug Bounty Program for more details.
The security of the Element Protocol is our highest priority and so the bug bounty program will run indefinitely. For more details on the Element Finance Bug Bounty Program, refer to the Bug Bounty page on our website here.
Additionally, the Element Finance Bug Bounty program has been extended to the Immunefi platform.
Summary
Our security efforts have resulted in the discovery of a number of bugs, including some critical- and medium-severity issues. The team has taken the appropriate actions to evaluate and mitigate these issues, and we look forward to continuing to work with our auditors as we get closer to the official launch of the Element Protocol.
Next Steps — Element Finance Testnet is Coming!
Our testnet launch will be going live on May 7th! As we approach the launch of the Element Protocol, our team continues to work hard to achieve the roadmap described earlier this week in `Element Finance: Road to Ethereum Mainnet`.
We are excited and look forward to working with our awesome community to bring the Element Protocol to life with the top-quality security that our users deserve.
To get involved, join us on Discord and keep an eye out for the #element-testnet channel!
