xSigma Completes First Security Audit Ahead of Mainnet Launch
Since our last update, the xSigma community has grown rapidly, as anticipation mounts ahead of our mainnet launch. The number of requests from private investors, institutions, and LPs, all of whom are interested in getting in on the ground floor, has taken us by surprise. Our team has been doing their utmost to honor these requests, while ensuring that all participants are able to claim their piece of the pie — not least the public, whose participation will be instrumental in ensuring xSigma’s success.
In other news, we’re pleased to report that Hacken has completed its audit of xSigma’s smart contracts. Auditing is the process by which external analysts scrutinize a project’s code to identify potential vulnerabilities that could be exploited by hackers or result in loss of funds due to protocol failure.
Many projects do not complete this step until after they have launched and have millions of dollars of user funds passing through their smart contract. This results in serious systemic risk, which is why we were determined to have our code professionally audited prior to launch.
Hacken is a leading European security firm specializing in blockchain. Its client list includes some of the industry’s biggest blockchain companies such as VeChain, 1inch, gate.io, FTX, and Bithumb.
As a highly regarded blockchain security consultancy, Hacken’s word carries weight. Thus we were eagerly waiting, along with our community, to confirm that the xSigma contracts had received a clean bill of health.
Hacken concluded its report by assigning xSigma a “well-secured” score, having uncovered zero critical or severe issues. You can view the report in full here.
Of the minor issues that were identified in Hacken’s audit report, we’re happy to share further details and highlight our response:
1. SigMasterChef is a contract that is responsible for adding new pools. The problem pinpointed here is that the code doesn’t check whether the pool has already been added to the platform.
We made the deliberate decision not to add the checking function, since it may cause increased gas usage once many pools have been added. Moreover, adding new pools is only possible by DAO voting. SushiSwap, which currently holds over $1 billion worth of assets in the same smart contract and has been audited by Peckshield, uses the same approach. Peckshield’s auditors noted that attempting to add the same pool may trigger undefined behavior. However, execution requires DAO voting, which will not happen unless the community votes for it.
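To make the trade-off concrete, here is an added illustration of a MasterChef-style pool registry with three variants of the pool-adding function. This is example code written for this post, not xSigma’s SigMasterChef or SushiSwap’s contract; the contract name, struct fields, the `dao` address and the function names are assumptions. The first variant reproduces the pattern the audit flagged (no duplicate check), the second adds the linear scan whose gas cost grows with the number of pools, and the third shows a constant-gas alternative using a mapping.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal MasterChef-style pool registry (added illustration; names assumed).
contract PoolRegistry {
    struct PoolInfo {
        address lpToken;    // LP token staked in this pool
        uint256 allocPoint; // reward weight of this pool
    }

    PoolInfo[] public poolInfo;
    uint256 public totalAllocPoint;
    address public dao; // only governance may add pools, as the post describes

    // O(1) duplicate check storage used by addWithMapping
    mapping(address => bool) public isPoolRegistered;

    modifier onlyDao() {
        require(msg.sender == dao, "not DAO");
        _;
    }

    constructor(address _dao) {
        dao = _dao;
    }

    // Variant 1: no duplicate check (the pattern the audit flagged).
    // Constant gas regardless of pool count, but adding the same LP token
    // twice creates two pool ids for one token and inflates totalAllocPoint,
    // so per-pool accounting no longer matches what stakers expect.
    function addUnchecked(address _lpToken, uint256 _allocPoint) external onlyDao {
        totalAllocPoint += _allocPoint;
        poolInfo.push(PoolInfo({lpToken: _lpToken, allocPoint: _allocPoint}));
    }

    // Variant 2: linear scan over existing pools. Gas grows with the number
    // of pools, which is the cost the post cites for omitting the check.
    function addWithScan(address _lpToken, uint256 _allocPoint) external onlyDao {
        uint256 n = poolInfo.length;
        for (uint256 i = 0; i < n; i++) {
            require(poolInfo[i].lpToken != _lpToken, "pool exists");
        }
        totalAllocPoint += _allocPoint;
        poolInfo.push(PoolInfo({lpToken: _lpToken, allocPoint: _allocPoint}));
    }

    // Variant 3: duplicate check via a mapping. One extra storage write per
    // add, independent of how many pools already exist.
    function addWithMapping(address _lpToken, uint256 _allocPoint) external onlyDao {
        require(!isPoolRegistered[_lpToken], "pool exists");
        isPoolRegistered[_lpToken] = true;
        totalAllocPoint += _allocPoint;
        poolInfo.push(PoolInfo({lpToken: _lpToken, allocPoint: _allocPoint}));
    }
}
```

The mapping variant shows that the duplicate check does not have to scale with pool count: the cost is one additional storage slot per pool rather than a loop. Either way, the check only matters on the governance path, since `onlyDao` is what stands between an arbitrary caller and `poolInfo` in all three variants.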
2. The “cashback” smart contracts specified in the Hacken report are xSigma Corporation third-party contracts that hold xSigma Corporation’s own funds and do not have any connection to LPs’ or users’ funds. xSigma Corporation funds these contracts to reimburse gas and subsidize transactions. Using unsafe math operations minimizes gas usage and has no impact from a security standpoint.
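The following added example shows the kind of reasoning behind that statement: a gas-reimbursement contract that only its owner funds, written once with Solidity 0.8 checked arithmetic and once with an `unchecked` block. This is illustration code for this post, not xSigma’s cashback contract; the contract name, the `reimbursed` mapping and the function names are assumptions. The point is the comment on the `unchecked` version, which records the invariant that makes dropping the overflow check sound.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Owner-funded gas cashback contract (added illustration; names assumed).
contract GasCashback {
    address public owner;
    // running total of ether reimbursed to each recipient
    mapping(address => uint256) public reimbursed;

    constructor() {
        owner = msg.sender;
    }

    // Owner tops up the cashback pool; no user funds are ever held here.
    receive() external payable {}

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Checked arithmetic (Solidity 0.8 default): the addition reverts if it
    // would overflow, at the cost of an extra comparison in the bytecode.
    function reimburseChecked(address payable to, uint256 amount) external onlyOwner {
        reimbursed[to] += amount;
        to.transfer(amount);
    }

    // Unchecked arithmetic: skips the overflow check to save gas. This is
    // sound only because of an invariant, not by accident:
    //  - the transaction is atomic, so reimbursed[to] only grows by amounts
    //    that were actually transferred out of this contract;
    //  - every such amount is bounded by ether the owner deposited, and the
    //    total ether in existence is many orders of magnitude below 2**256;
    //  - therefore reimbursed[to] cannot wrap around.
    // Even if that reasoning failed, the only balance at stake is the owner's.
    function reimburseUnchecked(address payable to, uint256 amount) external onlyOwner {
        unchecked {
            reimbursed[to] += amount;
        }
        to.transfer(amount);
    }
}
```

When reviewing a contract that relies on unsafe math, the question to ask is exactly the one this example answers in its comment: which bound keeps each unchecked operation from wrapping, and whose funds are exposed if that bound is wrong.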
While we’re pleased to have passed Hacken’s rigorous audit with no critical issues identified, we will be undergoing at least two other audits by third-party security companies in Q2 2021. This will ensure that nothing slips under the radar, and will give our community even greater confidence that xSigma’s code has been checked by the best blockchain auditors.
xSigma Lab Team.