The Results From Tracer's DeFi Safety Review
Recently, the Tracer protocol was independently reviewed by DeFi Safety, an independent ratings organization that evaluates decentralized finance products and produces an overall security score based on transparency and adherence to best practices.
We are pleased to announce that the results of this review put Tracer in the top 25 reviewed protocols, alongside the likes of Balancer, Aave and Gnosis Safe. Let's take a closer look at what the report entails.
The Review Process
First, it should be noted that DeFi Safety does not perform code audits. Instead, it reviews the quality of the process and documentation behind the code, of which audits are only one part. For those interested in the Perpetual Pools code audit, see the Sigma Prime Audit.
Questions from the review
The report states: "This is a Tracer Finance Process Quality Review completed on 14/10/2021. It was performed using the Process Review process (version 0.7.3) and is documented here."
There are 5 categories within the review: code & team, documentation, testing, security and access control.
With the exception of Q14, Q15, Q21 and Q22, each question passed with flying colours. More granular details can be found in the full report: Tracer Finance Process Quality Review.
Code and the Team
- Are the executing code addresses readily available? 100%
- Is the code actively being used? 100%
- Is there a public software repository? 100%
- Is there a development history visible? 100%
- Is the team public (not anonymous)? Yes
- Is there a whitepaper? Yes
- Are the basic software functions documented? Yes
- Does the software function documentation fully (100%) cover the deployed contracts? 100%
- Are there sufficiently detailed comments for all functions within the deployed contract code? 100%
- Is it possible to trace from software documentation to the implementation in code? 60%
- Is there a Full test suite? 100%
- Code coverage (Covers all the deployed lines of code, or explains misses) 100%
- Scripts and instructions to run the tests? Yes
- Report of the results. 0%
- Formal Verification test done. 0%
- Stress Testing environment. 100%
- Did 3rd Party audits take place? 90%
- Is the bounty value acceptably high? 100%
- Can a user clearly and quickly find the status of the access controls? 100%
- Is the information clear and complete? 90%
- Is the information in non-technical terms that pertain to the investments? 30%
- Is there Pause Control documentation including records of tests? 20%
Response from Tracer
For full transparency, we will now respond to the questions of concern.
- Report of the results
The team will be adding an auto-generated report of the test results to the repository. For now, if you wish to run the tests yourself, you can do so with yarn test.
- Formal Verification test done
No formal verification has been done on the codebase. We are currently finalising our V2 codebase with Runtime Verification. At the tail end of this audit we plan to have more rigorous loop invariants in place and to have performed more formal verification of the codebase.
- Is the information in non-technical terms that pertain to the investments?
The team will be releasing more documentation and an article outlining multisig control in Perpetual Pools V1, and how this is changing in Perpetual Pools V2.
- Is there Pause Control documentation including records of tests?
As above, this will be documented in an article outlining some of the multisig use in Perpetual Pools V1 and V2.