Contract Security and Quality Assurance

Industry best practices in testing, diligence, and outside experts — all coming together as we build, launch, and use the platform

  • Building a secure network from the ground up
  • Reinforcing its strength

DeFiner writes the Ethereum smart contracts in the Solidity language. These smart contracts are the core components of our non-custodial decentralized savings contracts. To ensure security and quality, we are following these best practices:

Migration scripts for different networks

We write migration scripts for different networks. This allows us to quickly deploy our contracts to these networks. These networks include:

  • Local Ganache
  • Testnet
    • Rinkeby
    • Goerli, etc.
  • Mainnet forked Ganache
  • Mainnet

Writing Test Cases

We write the test cases in the Truffle framework to test each piece of functionality of the contracts. For this testing, we are going to use TypeChain along with Truffle. TypeChain allows us to write test cases more efficiently and quickly. We write unit tests as well as integration tests to ensure the quality of the code.

Code Coverage

We generate code coverage reports using continuous integration. We plan to keep code coverage above 80% of the code.

Gas Cost Analysis

We use gas cost analyzers to find the gas cost incurred by the functions. We use this report to improve the gas consumption of the contract functions.

Testing with Mainnet forked Ganache

The unit and integration test cases that we write are mostly for local Ganache instances. However, as we are going to use Compound as an external contract, we plan to test our contracts with Mainnet-forked Ganache as well. This allows us to mimic the Ethereum mainnet behavior of our smart contracts.

Code Linting

There are some code linters available for Solidity. We are going to use “Solhint” and “Solium” to lint our Solidity code. These tools will help improve the quality of the code and catch minor issues.

Continuous Integration (CI)

We set up a Continuous Integration (CI) environment to test the contracts whenever new changes are made to the code or to the test cases. With this CI integration, we also generate our code coverage reports.

Security of Smart Contracts

Security of the Ethereum smart contracts is essential. To improve the security of the contracts, we are going to follow these best practices:

Static Analysis

We are going to use the following static analysis tools available for the Solidity language.

These tools will help us improve the security of our contracts as they report possible vulnerabilities in contract code.

Surya Reports

The Surya tool is helpful in understanding the behavior of the contracts. We will generate different Surya reports and analyze them to ensure the quality of the code. These reports include:

  • Inheritance graph, showing the contract architecture and inheritance
  • Mdreport to understand the different modifiers of the contract functions

Fuzzing

We will use advanced security auditing tools to find corner cases. Echidna is one of the best fuzzers available for checking that a contract’s invariants hold as expected. These tools fuzz the contract with many arbitrary inputs and report any violation of the invariants.
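As an added illustration (not DeFiner’s code), here is what an Echidna invariant test looks like for a hypothetical minimal savings pool: Echidna deploys the harness, calls deposit()/withdraw() with arbitrary senders and values, and after every call checks each echidna_* property. The contract names and the invariant chosen are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal savings pool used only to illustrate Echidna
// invariant testing; it is not DeFiner's contract.
contract SimpleSavings {
    mapping(address => uint256) public balanceOf;
    uint256 public totalDeposits;

    function deposit() external payable {
        require(msg.value > 0, "zero deposit");
        balanceOf[msg.sender] += msg.value;
        totalDeposits += msg.value;
    }

    function withdraw(uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        // Checks-effects-interactions: update state before sending ether,
        // so the invariant below still holds if the call re-enters.
        balanceOf[msg.sender] -= amount;
        totalDeposits -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Echidna harness. Each echidna_* function is a property that must return
// true after every fuzzed call sequence; a false return is reported
// together with the shortest call sequence that produced it.
contract EchidnaSavingsTest is SimpleSavings {
    // Invariant: the accounting total never exceeds the ether actually held,
    // i.e. the pool can always honour every credited balance.
    // (<= rather than == tolerates ether force-sent to the contract.)
    function echidna_total_backed_by_balance() public view returns (bool) {
        return totalDeposits <= address(this).balance;
    }

    // Invariant: an individual credit can never exceed the pool total.
    function echidna_credit_not_above_total() public view returns (bool) {
        return balanceOf[msg.sender] <= totalDeposits;
    }
}
```

Run it with `echidna EchidnaSavingsTest.sol --contract EchidnaSavingsTest`; if either property ever returns false, Echidna prints the call sequence that broke it.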

External Security Audit

After completing all the above steps, a third party will perform an external security audit of the contracts.

Launch

Testnet Launch

We will first launch our products on the testnet so that users and the DeFiner team can test the contracts in the testnet environment. This step allows us to improve the quality of the code and find bugs that were not discovered during the previous steps.

Pre-launch Bug Bounty

We will launch bug bounties before any beta launch. This is to invite all the whitehat hackers to test our contracts and report any vulnerabilities.

Beta Mainnet Launch

After the external security audit, we will launch the beta version of our product on the Ethereum mainnet. This opens it for general users to try and test our product.

Post-launch Bug Bounty

Finally, after a beta launch, we will open the post-launch bug bounty program. This bounty will be an ongoing program.

If you have any other questions about security, see our section Users' Funds Security in the Get Started section of the Help Center.
