2nd Audit Complete
Audit on V1.1 done, next will be on V2
After the recent Rari Fuse Pool oracle attack, we did an inventory of the current risks of Float Protocol. As part of that we are releasing a recent audit completed by CertiK. The full report can be read here:
This audit was part of a routine check up of the Protocol as an extra safety measure as auditing extra additions to the Protocol including the treasury diversification contract and the audited based multiplier pools staking contracts.
To clarify, key areas included in the audit scope as per FIP 012
- contracts/auction/*
- contracts/funds/*
- contracts/policy/*
- contracts/lib/*
- contracts/oracle/*
- contracts/tokens/*
- contracts/staking/multiplier/*
There were no Critical Findings by Certik. In regards to certain privileges over contracts, we look to move to a more decentralised system over time as Float matures but for now still follow recommended practises. With all contracts we follow industry best practice of a multi-signature account rather than an EOA; in addition for any “high-privilege” action such as upgrading a contract, or granting roles we also utilise a 48 hour timelock contract. In addition the multi-signature signers are not empowered to make any of these operations without the community commitment — the intention is to migrate to a SnapSafe style system where these multi-signature signers move to purely guardian(veto) roles and all decisions require a successful snapshot vote. This is planned to be applied via the multi-signature contract rather than an internal contract upgrade.
This is now the second audit of the Protocol with the first occurring in April 2021 which was completed by Extropy.io.
We plan to do an additional audit on V2 of the Protocol once completely developed.
