Inside Minterest’s Security Audits

Decentralised Finance (DeFi) platforms are swiftly evolving, reshaping how we perceive financial systems. Smart contracts, crucial to the DeFi ecosystem, facilitate transactions, lending, and yield farming. However, this rapid pace of development also introduces numerous risks, notably vulnerabilities in smart contracts. Such weaknesses could lead to devastating hacks, asset loss, and dwindling user confidence.

From the outset, the security of Minterest users has been a cornerstone focus. As a result, we’ve partnered with top-tier code auditing firms to fortify Minterest smart contracts, identify vulnerabilities, and continually refine internal security measures.

The Evolution of Minterest’s Security Audits

In early 2022, Minterest underwent three successive audits aimed at iteratively refining the underlying codebase before its Ethereum mainnet launch. This approach led to the rapid maturation of the protocol. As the team developed new systems later in the year, additional audits became imperative.

Timeline and Takeaways

Trail of Bits, March 2022

The first security audit was conducted by Trail of Bits, a highly respected firm trusted by industry leaders like Compound, Aave, and MakerDAO. The audit scrutinised all protocol contracts and flagged 17 issues, two of which were critical, such as MEV attacks affecting liquidation logic and the risk of lost user rewards.

During the remediation phase, we addressed all 17 issues and optimised gas costs. We even re-engineered the liquidation system to be resistant to MEV attacks. This audit served not just as a problem-solving endeavour, but also as a catalyst for elevating our engineering practices and workflows, resulting in a marked enhancement in code quality for future audits.

Hacken, April 2022

The second audit was with Hacken, which covers prominent projects like Binance and 1inch. By this time, Minterest’s codebase had expanded since the first audit, yet Hacken scored us a perfect 10 out of 10. The issues identified had been reduced to 10, all but one of which were resolved during the remediation phase, with the final issue fixed before the next audit.

PeckShield, June 2022

PeckShield carried out the third audit. PeckShield is known for their work on Polygon and Avalanche, among others in their extensive portfolio. By this time, the scope included all contracts, including those which were unchanged from the previous audit. Their overall assessment of the code maturity level had improved, described as “well-designed and engineered.” They listed only 7 minor issues in their final report, and all of them were promptly addressed during the remediation stage.

Zokyo, November 2022, February 2023, March 2023

In the most recent audit phase, Zokyo conducted one full audit and two partial reviews, awarding Minterest a high safety score of 96 out of 100. The first review scrutinised the entire code base, setting the stage for Minterest’s secure deployment on the Ethereum mainnet. The subsequent audits focused on last-minute updates and patches.

The Zokyo team played a key role in the protocol’s mainnet launch, overseeing last-minute patches and confirming their safety. While most findings were recommendations for future enhancements, a few potential exploits were identified but mitigated using business flows and tooling instead of needing to alter the core code. The audits affirmed the robustness of the protocol, providing an added layer of confidence for Minterest users.

Safety and Security, a Priority

Minterest has been scrutinised by some of the industry’s leading security engineering teams, providing invaluable insights that have elevated not just the Minterest codebase but also the team’s engineering culture. Regular audits will remain a cornerstone of Minterest’s development pipeline, reinforcing the security of assets for all users.

We hope this comprehensive article provides you with a deeper understanding of the intense time, effort, and resources used to develop the Minterest protocol, ensuring a high bar for security is always maintained.

04, September 2023