This repository has been archived by the owner on Aug 28, 2024. It is now read-only.

Security

Devan Purhar edited this page Nov 22, 2019 · 4 revisions

The smart contracts passed multiple rounds of auditing by Trail of Bits, a leading security research team.

Trail of Bits Audit Report

The code is also open for review here.

Vulnerability Disclosure Policy

The disclosure of security vulnerabilities helps us ensure the security of our users.

How to report a security vulnerability?

If you believe you’ve found a security vulnerability in one of our contracts or platforms, send it to us by emailing security@staked.us. Please include the following details with your report:

  • Description of the location and potential impact of the vulnerability;
  • A detailed description of the steps required to reproduce the vulnerability.

Scope

Identify an original, previously unreported, non-public vulnerability within the scope of RAY as described below.

The primary scope is focused on vulnerabilities affecting the RAY smart contracts, deployed to the Ethereum Mainnet, for contract addresses listed in the developer documentation and used by the current RAY on-chain system.

This list may change as new contracts are deployed, or as existing contracts are removed from usage. Vulnerabilities in contracts integrated with RAY by third-party developers are not in-scope, nor are vulnerabilities that require ownership of an admin key.

The secondary scope is for vulnerabilities affecting the RAY User Interface hosted at https://staked.us/v/robo-advisor-yield/ that could conceivably result in exploitation of user accounts.

Finally, test contracts (Kovan and other testnets) and staging servers are out of scope, unless the discovered vulnerability also affects RAY on Mainnet or the production Interface or could otherwise be exploited in a way that risks user funds.

Guidelines

We require that all reporters:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing
  • Use the identified communication channels to report vulnerability information privately to Staked
  • Keep information about any vulnerabilities you’ve discovered confidential between yourself and Staked until we’ve had 30 days to resolve the issue

If you follow these guidelines when reporting an issue to us, we commit to:

  • Not pursue or support any legal action related to your findings.
  • Work with you to understand and resolve the issue quickly, including an initial confirmation of your report within 72 hours of submission.
  • Recognize your contribution to improving our security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change.