If you notice some outdated information please let us know!
PASS
The final review score is indicated as a percentage. The percentage is calculated as Achieved Points due to MAX Possible Points. For each element the answer can be either Yes/No or a percentage. For a detailed breakdown of the individual weights of each question, please consult this document.
Very simply, the review looks for the following declarations from the developer's site. With these declarations, it is reasonable to trust the smart contracts.
This report is for informational purposes only and does not constitute investment advice of any kind, nor does it constitute an offer to provide investment advisory or other services. Nothing in this report shall be considered a solicitation or offer to buy or sell any security, token, future, option or other financial instrument or to offer or provide any investment advice or service to any person in any jurisdiction. Nothing contained in this report constitutes investment advice or offers any opinion with respect to the suitability of any security, and the views expressed in this report should not be taken as advice to buy, sell or hold any security. The information in this report should not be relied upon for the purpose of investing. In preparing the information contained in this report, we have not taken into account the investment needs, objectives and financial circumstances of any particular investor. This information has no regard to the specific investment objectives, financial situation and particular needs of any specific recipient of this information and investments discussed may not be suitable for all investors.
Any views expressed in this report by us were prepared based upon the information available to us at the time such views were written. The views expressed within this report are limited to DeFiSafety and the author and do not reflect those of any additional or third party and are strictly based upon DeFiSafety, its authors, interpretations and evaluation of relevant data. Changed or additional information could cause such views to change. All information is subject to possible correction. Information may quickly become unreliable for various reasons, including changes in market conditions or economic circumstances.
This completed report is copyright (c) DeFiSafety 2023. Permission is given to copy in whole, retaining this copyright label.
This section looks at the code deployed on the relevant chains and team aspects. The document explaining these questions is here.
1. Are the smart contract addresses easy to find? (%)
The deployed smart contract addresses for the protocol are easily accessible and clearly labeled. Pool Together docs, then Smart Contract Deployments Link: https://dev.pooltogether.com/protocol/deployments/mainnet
2. Does the protocol have a public software repository? (Y/N)
Location: https://github.com/GenerationSoftware
3. Is the team public (not anonymous)?
The team is public, as indicated in the GitHub.
4. How responsive are the devs when we present our initial report?
Devs responded quickly.
This section looks at the software documentation. The document explaining these questions is here.
5. Is there a whitepaper? (Y/N)
Yes there is an equivalent white paper.
6. Is the protocol's software architecture documented? (%)
Yes, there is an excellent system architecture document with good drawings. It is not formal requirements that it is a very clear top level description with flow diagrams.
7. Does the software documentation fully cover the deployed contracts' source code? (%)
Excellent code documentation is provided.
8. Is it possible to trace the documented software to its implementation in the protocol's source code? (%)
The documentation allows implicit traceability to a fine level of detail. Each function and variable has a reference. However this is not full requirement documentation. It is certainly equivalent to excellent autogen documents. 80%
9. Is the documentation organized to ensure information availability and clarity? (%)
This documentation is very well organized.
10. Has the protocol tested their deployed code? (%)
Test to Code is 3163 / 1271 = 248% which gives a 100% score. ─────────────────────────────────────────────────────────────────────────────── Language Files Lines Blanks Comments Code Complexity ─────────────────────────────────────────────────────────────────────────────── JavaScript 2 1271 204 484 583 69 ─────────────────────────────────────────────────────────────────────────────── Total 2 1271 204 484 583 69 ─────────────────────────────────────────────────────────────────────────────── Estimated Cost to Develop $15,330 Estimated Schedule Effort 2.811396 months Estimated People Required 0.484441 ─────────────────────────────────────────────────────────────────────────────── Processed 45068 bytes, 0.045 megabytes (SI) ─────────────────────────────────────────────────────────────────────────────── C:\Users\Rex\Sync\DeFiSafety\DeFiSafety Common\Products\Processs Quality Reviews\Reviews\0.9\PoolTogetherv5\Flattened>cd C:\Users\Rex\Sync\DeFiSafety\DeFiSafety Common\Products\Processs Quality Reviews\Reviews\0.9\PoolTogetherv5\TestingEnv C:\Users\Rex\Sync\DeFiSafety\DeFiSafety Common\Products\Processs Quality Reviews\Reviews\0.9\PoolTogetherv5\TestingEnv>scc.exe ─────────────────────────────────────────────────────────────────────────────── Language Files Lines Blanks Comments Code Complexity ─────────────────────────────────────────────────────────────────────────────── JavaScript 19 2755 735 139 1881 18 Gherkin Specificati… 5 408 34 12 362 33 ─────────────────────────────────────────────────────────────────────────────── Total 24 3163 769 151 2243 51 ─────────────────────────────────────────────────────────────────────────────── Estimated Cost to Develop $63,090 Estimated Schedule Effort 4.812837 months Estimated People Required 1.164611 ─────────────────────────────────────────────────────────────────────────────── Processed 105449 bytes, 0.105 megabytes (SI) ───────────────────────────────────────────────────────────────────────────────
11. How covered is the protocol's code? (%)
Based on this report there is 97% coverage.
12. Is there a detailed report of the protocol's test results?(%)
Coverage report is available, with report on test run
13. Has the protocol undergone Formal Verification? (Y/N)
No evidence of formal verification.
This section looks at the 3rd party software audits done. It is explained in this document.
14. Is the protocol sufficiently audited? (%)
The PoolTogether protocol's smart contracts have undergone multiple audits by independent third parties prior to deployment. The audits have been performed on different versions (V3, V4, V5) of the protocol. The audit reports are publicly accessible and are listed on the PoolTogether [website](https://docs.pooltogether.com/security/audits, https://docs.pooltogether.com/security/risks). In addition, there is a commitment to continue having audits as the protocol grows.
15. Is there a matrix of audit applicability on deployed code (%)? Please refer to the example doc for reference.
The PoolTogether protocol has an audit trail of the different versions of their contracts. The audit list clearly indicates which audits are applicable to which versions. This meets the intent of the document and will get a score of 100%. However, it does not provide a comprehensive matrix that outlines the extent of deployed code covered by these audits. Additionally, the protocol acknowledges that not all of the deployed code has been formally audited.
16. Is the bug bounty value acceptably high (%)
The protocol offers a Bug Bounty program, but the value of the bounty is up to $25,000, which is less than the $50,000 threshold. The Bug Bounty program is active and incentivizes vulnerability disclosures, as stated on the website.
17. Is there documented protocol monitoring (%)?
No evidence was found in the provided documentation to suggest that PoolTogether Protocol has a system for continuous surveillance of its protocol components to preempt potential threats. Neither does the documentation show that the protocol possesses an incident response process to address potential security breaches. No references were found to prominent entities in the protocol monitoring domain such as Forta, CipherTrace, Chainalysis, and Elliptic.
18. Is there documented protocol front-end monitoring (%)?
The provided documentation does not mention any measures implemented for front-end monitoring such as DDOS Protection, DNS steps to protect the domain, Intrusion detection protection on the front end, or Unwanted front-end modification detection.
This section covers the documentation of special access controls for a DeFi protocol. The admin access controls are the contracts that allow updating contracts or coefficients in the protocol. Since these contracts can allow the protocol admins to "change the rules", complete disclosure of capabilities is vital for user's transparency. It is explained in this document.
19. Is the protocol code immutable or upgradeable? (%)
The core protocol is immutable, as noted in Hyperstructure section.
20. Is the protocol's code upgradeability clearly explained in non technical terms? (%)
The core protocol is immutable, as noted in Hyperstructure section. It is clearly explained here.
21. Are the admin addresses, roles and capabilities clearly explained? (%)
The core protocol is immutable, as noted in Hyperstructure section. Because the core protocol is immutable with no admin capabilities, there are no admin roles.
22. Are the signers of the admin addresses clearly listed and provably distinct humans? (%)
The core protocol is immutable, as noted in Hyperstructure section. Because the core protocol is immutable with no admin capabilities, there are no admin roles. With no admin roles, there are no signers.
23. Is there a robust documented transaction signing policy? Please refer to the Example doc for reference.(%)
Based on the provided documentation, there is no evidence of a transaction signing policy. The PoolTogether protocol's ethos of decentralized finance replaces humans with immutable software, therefore, it does not require transaction signing due to its unchangeable structure and code. As there are no signers a transaction signing policy is not required. 100%