Technical Risk

Technical risk comprises five categories: Code security, Documentation, Testing, Audit Quality, and Access control. Let's delve into the significance of each category below.

Code security

Weight: 25%

Evaluation: This focuses on the protocol's smart contract coding quality and whether it is battle-tested. Examples of factors to consider include code availability and accessibility, coding standard adherence (e.g., EIP), contract upgradability as well as the contract activity level.

An automatic scan is also performed on the latest version of the protocol's smart contracts to identify any potential vulnerabilities. This is to supplement the result of the external auditors, which may not be conducted on the latest version of the contract.

Sample Question:

• Upgradability:

  • Are relevant contracts upgradeable or immutable? Are they clearly labelled?

  • Are the smart contract change capabilities clearly defined? Are these clearly described in the documentation?

Documentation

Weight: 10%

Evaluation: This is about examining the coding documentation's quality which is a critical reflection of a development team's quality and professionalism. It provides valuable insights into their approach, attention to detail, and commitment to delivering robust and maintainable software solutions. A thorough assessment of the protocol's development history and documentation is undertaken, which encompasses an in-depth review of the project's GitHub repository, a comprehensive evaluation of the protocol architecture documents, and an inspection of the source code documentation. These measures are implemented to ascertain that the documentation adequately covers the deployed contract and the consistency between documentation and implementation.

Sample Question:

• Source Code Documentation:

  • Is the coding documentation fully updated?

  • Is the deployed contract's source code consistent with the coding documentation?

Testing

Weight: 15%

Evaluation: Testing is a crucial step in the development of DeFi protocols. It involves verifying the protocol's code in a controlled environment, ensuring it behaves as expected. The scope and thoroughness of testing can provide insights into the protocol's resilience against potential issues, serving as a significant indicator of code quality and the professionalism of the development team.

In evaluating a protocol's testing adequacy, key factors include the testing coverage, methodology, and reports, along with whether the protocol has been extensively deployed on a testnet prior to Mainnet launch. Through this comprehensive assessment, a more accurate evaluation of a protocol's technical risk can be achieved.

Sample Question:

• Test Coverage:

  • Has the protocol conducted testing on their deployed code, and what percentage of the protocol's code is covered by these tests?

  • Is there a detailed test report?

  • Were the smart contract deployed to a testnet for public testing?

Risk Management

Weight: 30%

Evaluation: Risk management refers to the thoroughness and reliability of the audit performed on a DeFi protocol's codebase. An audit is a comprehensive review of a protocol's code by external experts to identify potential vulnerabilities or errors. High-quality audits are essential in DeFi, as they provide a level of assurance that the protocol has been rigorously checked for security issues.

In evaluating Audit Quality, the focus is on the number of audits the protocol has undergone, the credibility of the auditing firms involved, and whether the most recent version or changes to the protocol have been audited. Furthermore, other factors such as bug bounty program, the attractiveness of the rewards, and whether the protocol has undergone Formal verification. This assessment provides insights into the protocol's commitment to security and the effectiveness of its measures to prevent potential exploits

Sample Question:

• Audit History:

  • Has the protocol undergone sufficient auditing, including the latest version or changes?

  • Are there any unresolved critical issue in the audit reports?

  • Is the audit firm responsible for assessing the protocol reputable and considered high-tier within the industry?

Access Control

Weight: 20%

Evaluation: Access control is a key factor in the security of DeFi protocols. It determines who has the authority to make changes to the protocol, including potential upgrades or modifications. A clear, well-structured access control framework can help prevent unauthorized or malicious changes, adding an extra layer of security to the protocol. This is particularly important in decentralized finance, where large amounts of funds can be at stake.

When assessing access control, consideration is given to the clarity of the smart contract ownership, the transparency of the protocol's admin control information, and the safeguards in place to prevent misuse. This includes examining how the protocol defines and manages its ownership and whether its admin control information is easy to find and understand. This assessment aids in providing a well-rounded understanding of a protocol's technical risk.

Sample Question:

• Admin Control:

  • Is the information regarding the protocol's administrative control easily accessible and comprehensible?

  • Is the admin key multi-sig/mpc-based?