Decentralized Finance

Classification: Restricted

Stage: Enquiry stage (40)

Introduction:

The Web3 Security Framework Initiative is a collaborative effort to promote the adoption of best practices in web3 security. The initiative aims to minimize the risks associated with security vulnerabilities and hacks, which have become increasingly prevalent in the web3 space. Moreover, projects that demonstrate full compliance with our rigorous guidelines will earn an on-chain certificate recognized by all the AvengerDAO members on the BNB Chain ecosystem.

This document serves as a comprehensive checklist of the critical elements surrounding the secure development of DeFi decentralized applications.

| Item ID | Security Check | Criticality | Is Project Compliant? | Comments |
|---|---|---|---|---|
| 1 | General | | | |
| 1.1 | Verify that the decentralized application (Dapp) does not assume users can only send tokens using its smart contract functions. Tokens can be sent using the token smart contract transfer function or a self-destruct mechanism. | TBD | | |
| 1.2 | Certify the separation of the deposit logic from the reward calculation, as reserves might impact the calculation. | TBD | | |
| 1.3 | Certify there are mechanisms to pause the contracts if a compromised dependency, such as an oracle, is detected. | TBD | | |
| 2 | Oracle based services | | | |
| 2.1 | Spot price manipulation | | | |
| 2.1.1 | When using an on-chain price calculation mechanism, certify that the price of an asset cannot be manipulated within the same transaction by manipulating the source data, for instance via flash loans. | TBD | | |
| 2.1.2 | Ensure the on-chain price calculation does not rely on sources with low liquidity, such as limited liquidity pools. | TBD | | |
| 2.1.3 | Certify the usage of a secure calculation mechanism such as time-weighted average prices. | TBD | | |
| 2.2 | Centralized Oracles | | | |
| 2.2.1 | Entrusting centralized entities with the responsibility of feeding data to smart contracts is risky. Only rely on such services as a last resort. In such cases, important due diligence can be done, such as: certify the entity's reputation and data correctness. | TBD | | |
| 2.2.2 | Verify they aren't using data from other sources without proper verification. | TBD | | |
| 2.2.3 | Verify the centralized actor cannot be incentivized to push altered data to the data source. | TBD | | |
| 2.3 | Off-chain Oracles | | | |
| 2.3.1 | Such oracles aggregate off-chain data and validate it prior to pushing it on-chain. Such services rely on regular web2 infrastructure, and before using their services it is important to certify they are secure against any vulnerability described in the OWASP vulnerability catalog and that they follow Secure Coding Guidelines. | TBD | | |
| 2.4 | On-chain Oracles | | | |
| 2.4.1 | Ensure the on-chain oracle solution uses a community-driven dispute mechanism, pre-commit, or any feedback mechanism that enables a second layer of validation prior to pushing data on-chain. | TBD | | |
| 3 | Lending Pools | | | |
| 3.1 | Ensure only a specific function in the lender smart contract is called when performing a flash loan. | TBD | | |
| 3.2 | Prevent reentrancy attacks in your flash loan function. | TBD | | |
| 3.3 | Certify the mechanism calculating the number of tokens before and after the loans is not vulnerable. | TBD | | |
| 3.4 | Verify that it is not possible to withdraw tokens from the pool balance during a flash loan. | TBD | | |
| 4 | Liquidity Pools | | | |
| 4.1 | Ensure that the asset price calculation mechanisms cannot be attacked by price oracle manipulation. | TBD | | |
| 4.2 | Verify calculations are done with enough precision decimals. | TBD | | |
| 4.3 | If using an external oracle, certify the service provider is trustworthy. | TBD | | |
| 4.4 | Ensure there is a pause mechanism to prevent the service from continuing to work in abnormal conditions. | TBD | | |
| 4.5 | Ensure LPs with deflationary tokens use a secure mechanism to update their rate and that the rate cannot be updated in the same transaction. | TBD | | |
| 5 | Governance | | | |
| 5.1 | Verify that the decentralized application governance smart contract has a mechanism to prevent malicious actors from obtaining and controlling a majority of governance tokens in the market via flash loans. | TBD | | |
| 5.2 | Ensure the contract is a Governance standard that has been fully tested. | TBD | | |
| 5.3 | Ensure secure management of the project via a DAO or a multisig contract. | TBD | | |
| 5.4 | Certify the counting of votes is done correctly and according to what has been stipulated in the protocol. | TBD | | |
| 5.5 | Ensure delays and interruption mechanisms exist in case of unexpected situations. | TBD | | |
| 5.6 | Prioritize the usage of a 2-step transfer mechanism for governance tokens to address flash loan attack risks. | TBD | | |
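
Items 2.1.1 and 2.1.3 in practice, as an added example that is not part of the original checklist: a Python model of a constant-product pool with a time-weighted price accumulator, showing that one large trade moves the spot price immediately while a TWAP read in the same transaction stays put. The reserves, the 1800-second window and the 12-second hold are constructed values, and `Pool`, `twap` and `run_scenario` are hypothetical names.

```python
from fractions import Fraction

class Pool:
    """Constant-product pool (base * quote = k) with a time-weighted price accumulator."""
    def __init__(self, base, quote, now=0):
        self.base, self.quote = Fraction(base), Fraction(quote)
        self.last_ts, self.cumulative = now, Fraction(0)

    def spot(self):
        return self.quote / self.base

    def observe(self, now):
        # Cumulative sum of (price * seconds). The current price only counts
        # for time that has actually elapsed since the last state change.
        return self.cumulative + self.spot() * (now - self.last_ts)

    def swap_quote_in(self, amount, now):
        # Accrue at the old price first, then apply the trade.
        self.cumulative, self.last_ts = self.observe(now), now
        k = self.base * self.quote
        self.quote += amount
        self.base = k / self.quote

def twap(start, end):
    """Average price between two (cumulative, timestamp) observations."""
    (c0, t0), (c1, t1) = start, end
    if t1 <= t0:
        raise ValueError("TWAP window must span a positive amount of time")
    return (c1 - c0) / (t1 - t0)

def run_scenario(window=1800, hold=12):
    pool = Pool(base=1_000, quote=1_000_000)        # constructed reserves, price 1000
    obs_0 = (pool.observe(0), 0)
    obs_hold = (pool.observe(hold), hold)
    pool.swap_quote_in(1_000_000, now=window)       # one large trade at t = window
    # Read in the same transaction: zero seconds have passed at the new price.
    same_tx = twap(obs_0, (pool.observe(window), window))
    # Read after the distorted price has been held for `hold` seconds.
    later = twap(obs_hold, (pool.observe(window + hold), window + hold))
    return {"spot": pool.spot(), "twap_same_tx": same_tx, "twap_after_hold": later}

if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {float(value):.2f}")
```

A reviewer can use the gap between `spot` and `twap_same_tx` as the compliance check for 2.1.1: a contract that prices from `spot()` fails it, while one that prices from the window average does not move within a single transaction.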