Smart contract security is paramount for any decentralized application that holds or controls the flow of users’ hard-earned funds.
While we at OctoFi have written our code with care and prioritized security, software bugs are an inevitable fact of life for even the most diligent of development teams.
Undergoing a security audit by a highly respected and thorough third party is of the utmost importance to ensuring our smart contracts run as designed. It also gives our users the confidence needed to deposit any amount of their cryptocurrency into the OctoFi Ecosystem.
OctoFi smart contracts on the Ethereum blockchain have undergone some basic automated security audits. Full smart contract security audits will be commissioned via 3rd party pending governance vote.
In the audit process, the following crucial features of the code are considered:
- Whether the code conforms to the specification.
- Whether the code meets best coding practices.
- Whether the code is secure.
The audit was done according to the following procedure:
- Scan of project’s code base with Automated Scanner (Mythril, Slither, Solhint, HoneyBadger)
- Manually verification (reject or confirm) all the issues found by tools (SWC-Registry, Overflow)
- Inspection of the code and revert the initial algorithms of the protocol and then compare them with the specification
- Manually analyze the code for security vulnerabilities
- Reflect all the gathered information in a report
OCTO Token (ERC20) based on Ethereum
Source: GitHub1 Etherscan2
MythX (Tool by ConsenSys)
Findings: 3 (LOW)
Findings: 2 (LOW)
OCTO Yield Smart Contract based on Ethereum
MythX (Tool by ConsenSys)
Findings: 1 (LOW) 1 (MEDIUM)
Findings: 13 (LOW)
A majority of the code was standard and copied from widely-used and reviewed contracts and as a result, a lot of the code was reviewed before. It correctly implemented widely-used and reviewed contracts for safe mathematical operations.
The audit identified no major security vulnerabilities, at the moment of audit. A majority of the functions were self-explanatory, and standard documentation tags (such as @dev, @param, and @returns) were included.
The libraries used are based on OpenZepplin codebase, such as Roles, IERC20, SafeMath, SafeERC20 etc.
The audit does not give any warranties on the security of the code. One audit cannot be considered enough. It’s always recommended proceeding with several independent audits and a public bug bounty program to ensure the security of the code. Besides, security audit is not an investment advice.