In Code We Trust
Dear frens,
The shockwaves which the insolvency of FTX sent throughout the crypto space is a bitter-sweet testament to the value proposition of DeFi. The misappropriation of user funds by one of the most recognized CEXes out there is truly a reminder of the ancient wisdom “Not your keys, not your funds”.
As investors and retail once again heal their wounds, the public awareness is growing. Inevitably, the realization that no centralized party can fully be trusted is gaining ground. While DeFi eliminates the middleman, however, it is misleading to say that it is completely trustless by nature. What DeFi really does is to shift trust away from opaque third parties to open source code which can be verified by anyone.
“In code we trust” is a daring statement which puts extraordinary responsibility on the teams who ship the code. As we well know, the smallest mistake will be punished and can result in multi-million dollar exploits. This highlights the importance of audit procedures - external reviews of the code and its underlying logic conducted by independent parties.
With that said, we are happy to announce that HydraDX has successfully completed two rounds of audits which were conducted by industry leaders. In September 2022, Runtime Verification published its audit of the HydraDX Omnipool Runtime (full report). Half a year earlier - in March 2022, BlockScience finished its economic/math audit of the Omnipool (full report, including addendum with post-factum changes).
For a brief summary of the scope of the audits and their most important findings, please continue reading.
Runtime Security Audit
The security audit of the runtime implementation of the HydraDX Omnipool was performed by Runtime Verification - an industry leader with clients such as NASA, Ethereum and Polkadot.
The scope of the audit includes the source code of HydraDX Omnipool pallet, its mathematical logic and asset registry. Also covered are 3rd party libraries which have been included as a (Substrate) dependency. Excluded from the scope of the audit are any deployment and upgrade scripts, front-end and other off-chain code.
Besides examining code robustness and trying to detect security issues, the audit made sure that the implementation of operations relating to the Omnipool follows the math specification provided by our Research department including any rounding errors, (in)correct balance updates, and others.
You can consult the full report here.
Summary of Findings
Overall, the parties involved in the runtime audit were positively surprised by the state of readiness of the HydraDX Omnipool. The 102-page audit reflects this. In total, 11 potential vulnerabilities were found across the examined codebase and its dependencies. Despite two of them being classified as high severity, we would like to note that their exploit would not have been economically feasible.
The HydraDX team addressed all of the identified vulnerabilities and shipped fixes (which were confirmed by Runtime Verification) for the ones that were caused by code developed by HydraDX. It is important to point out that some of the vulnerabilities were not facilitated by code in “our” repositories, but by third-party dependencies introduced by Substrate (e.g. here). Currently, there are just a couple of vulnerabilities in Substrate dependencies left which have not yet been fixed as per Polkadot version 0.9.29.
Economic and Mathematical Audit
The audit of the Omnipool specification was conducted by BlockScience - a leading web3 native firm dedicated to analyzing complex systems for the likes of Graph Protocol and Protocol Labs (Filecoin).
The scope of this audit was to provide an overview of the AMM specification with a special attention to the mathematical and economic concepts underpinning the Omnipool, together with the implications of those mechanisms for liquidity provisioning and trading activity.
You can find the full report together with our addendum here.
Summary of Findings
The analysis concludes that the Omnipool’s mechanisms for adding and removing liquidity and conducting trading operations between assets (including the hub-token LRNA) are functioning as intended and they provide the required properties to assess the performance and efficiency metrics on impermanent loss and slippage.
To note, following the completion of this audit in March 2022, our team made several small adjustments to the Omnipool specification following the identification of issues during the security audit. The first adjustment concerns the use of the spot price for the calculation of the TVL cap, while the second one relates to the fee mechanism which is used to stabilize the price of LRNA. These changes have not been reviewed by BlockScience. For more details please refer to our addendum to the audit report (pp 46 et seq).
Concluding Thoughts
We believe that audits are an indispensable part of the security strategy of any chain. For this reason, the HydraDX team is a vocal advocate of making audits more accessible to all parachains in the Polkadot ecosystem by organizing team-overarching funding and working with auditors to get their Substrate game up and going.
The second line of defense in the security strategy of HydraDX is our incentivized bug bounty program. We are working with Immunefi - another industry leader in the field of blockchain security, to set up a comprehensive system of incentives which rewards the responsible disclosure bugs and potential exploits in accordance with their severity.
The third and final line of defense is targeted function pausing. If both audits and the bug bounty program fail to prevent an exploit from materializing itself, the HydraDX Technical Committee is in the position to swiftly take action and temporarily pause certain transactions on the chain relating to some or all assets in the Omnipool. As part of future iterations, we are currently looking into mitigants such as reliable oracles, dynamic fees, transaction throttling and other usage of circuit breakers.
In the upcoming days, we will be releasing some important updates concerning the final steps which our tribe needs to make in order to facilitate the upcoming launch of the HydraDX Omnipool.
Until then,
Stay SAFU
(and hydrated).