If you notice some outdated information please let us know!
Process Quality Review (0.9)
Frax Finance
PASS
Scoring Appendix
The final review score is indicated as a percentage. The percentage is calculated as Achieved Points due to MAX Possible Points. For each element the answer can be either Yes/No or a percentage. For a detailed breakdown of the individual weights of each question, please consult this document.
Very simply, the review looks for the following declarations from the developer's site. With these declarations, it is reasonable to trust the smart contracts.
- Here are my smart contract on the blockchain(s)
- Here is the documentation that explains what my smart contracts do
- Here are the tests I ran to verify my smart contracts
- Here are all the security steps I took to safeguard these contracts
- Here is an explanation of the control I have to change these smart contracts
- Here is how these smart contracts get information from outside the blockchain (if applicable)
This report is for informational purposes only and does not constitute investment advice of any kind, nor does it constitute an offer to provide investment advisory or other services. Nothing in this report shall be considered a solicitation or offer to buy or sell any security, token, future, option or other financial instrument or to offer or provide any investment advice or service to any person in any jurisdiction. Nothing contained in this report constitutes investment advice or offers any opinion with respect to the suitability of any security, and the views expressed in this report should not be taken as advice to buy, sell or hold any security. The information in this report should not be relied upon for the purpose of investing. In preparing the information contained in this report, we have not taken into account the investment needs, objectives and financial circumstances of any particular investor. This information has no regard to the specific investment objectives, financial situation and particular needs of any specific recipient of this information and investments discussed may not be suitable for all investors.
Any views expressed in this report by us were prepared based upon the information available to us at the time such views were written. The views expressed within this report are limited to DeFiSafety and the author and do not reflect those of any additional or third party and are strictly based upon DeFiSafety, its authors, interpretations and evaluation of relevant data. Changed or additional information could cause such views to change. All information is subject to possible correction. Information may quickly become unreliable for various reasons, including changes in market conditions or economic circumstances.
This completed report is copyright (c) DeFiSafety 2023. Permission is given to copy in whole, retaining this copyright label.
Code and Team
83%
This section looks at the code deployed on the relevant chains and team aspects. The document explaining these questions is here.
1. Are the smart contract addresses easy to find? (%)
Finding the list of contracts is easy enough. In the docs under Smart Contracts you click on All Contracts. This and the pages below supply all contract addresses.
2. Does the protocol have a public software repository? (Y/N)
3. Is the team public (not anonymous)?
There are more than two public contributors to the GitHub of Frax finance. This gives a score of 100%.
4. How responsive are the devs when we present our initial report?
No response from devs.
Code Documentation
33%
This section looks at the software documentation. The document explaining these questions is here.
5. Is there a whitepaper? (Y/N)
No white paper could be found. The description in the docs by not specific enough to the software to be considered a white paper equivalent.
6. Is the protocol's software architecture documented? (%)
The Frax Finance protocol has some documentation available that partially describes the software architecture. The documentation includes information about the functions of the protocol, such as the use of AMO contracts and real-world assets to stabilize the FRAX price, as well as the use of governance actions through frxGov. It also provides information such as the FXB AMO contract address. However, the documentation does not appear to include a detailed software architecture diagram with an accompanying explanation. The documentation does mention technical specifications, but it states that these can be found on Github and the repository is not public at the time of the documentation. Therefore, the score is 75%, indicating a basic block diagram outlining the software aspects is present, but a detailed software architecture diagram with an accompanying explanation is not.
7. Does the software documentation fully cover the deployed contracts' source code? (%)
The source code has limited commenting. The commenting is not consistent. The documentation contains significant description of the logic and flow of the protocol. However, this description is not applied to the actual software code. Overall a software documentation score of 40% seems appropriate.
8. Is it possible to trace the documented software to its implementation in the protocol's source code? (%)
There is very little connection between the documentation and the code. There is not even a list of the functions in the documentation. As such this protocol is considered to have no trace ability and a score of 0% is the result.
9. Is the documentation organized to ensure information availability and clarity? (%)
The information that exists is very well organized. However, since there is virtually no software documentation we cannot give a score of 100%. 50% seems appropriate.
Testing
38%
This section covers the testing process of the protocol’s smart contract code previous to its deployment on the mainnet. The document explaining these questions is here.
10. Has the protocol tested their deployed code? (%)
Test to Code = 79538 / 111753 = 71% Score 40%
11. How covered is the protocol's code? (%)
We could not find an output of code coverage. Given that the test to code ratio is only 71%, a score of 30% is relevant as per guidance.
12. Is there a detailed report of the protocol's test results?(%)
In the README_TESTS file there is a test report of sorts. It includes how to run the tests and appears to have an output of a complete test run. This output merely lists the test files that were run with no results or indication of pass or indication of coverage. Based on this output a score of 60% is given.
13. Has the protocol undergone Formal Verification? (Y/N)
No evidence of formal verification was found.
Security
83%
This section looks at the 3rd party software audits done. It is explained in this document.
14. Is the protocol sufficiently audited? (%)
With multiple audits from a top notch auditor, the list of audits is excellent. Score 100%.
15. Is there a matrix of audit applicability on deployed code (%)? Please refer to the example doc for reference.
The list of audits has the date auditor and what aspect of Fraxs finance was audited. The audits go back to 2020. Probably, these audits are no longer relevant. This information is missing. This is the critical information that we want a matrix of applicability to answer. For this reason, a score of 40% is given.
16. Is the bug bounty value acceptably high (%)
Frax Finance has an excellent bug bounty program. The payouts are high and response time is committed as quite quick. It is a self managed system, not an active program run by a third party. For this reason a score of 80% is given as per our guidance.
17. Is there documented protocol monitoring (%)?
Based on the provided documents, there is no evidence of any on-chain monitoring. The documents mostly discuss token distribution, price indexes, and cross-chain bridging, but there is no explicit mention of protocol monitoring, threat surveillance, or incident response mechanisms.
18. Is there documented protocol front-end monitoring (%)?
Based on the provided documents, there is no evidence of any on-chain monitoring. The documents mostly discuss token distribution, price indexes, and cross-chain bridging, but there is no explicit mention of protocol monitoring, threat surveillance, or incident response mechanisms.
Admin Controls
88%
This section covers the documentation of special access controls for a DeFi protocol. The admin access controls are the contracts that allow updating contracts or coefficients in the protocol. Since these contracts can allow the protocol admins to "change the rules", complete disclosure of capabilities is vital for user's transparency. It is explained in this document.
19. Is the protocol code immutable or upgradeable? (%)
The code is upgradeable through governance. There is no mention of a timelock. Therefore a score of 70% as per revised governance.
20. Is the protocol's code upgradeability clearly explained in non technical terms? (%)
In the Major Components diagram it is clearly indicated that the software is upgradeable via governance. This gives a score of 100%.
21. Are the admin addresses, roles and capabilities clearly explained? (%)
Admin control is through Governance and process clearly explained, therefore a score of 100%. Note: this takes advantage of a guidance upgrade which will be pushed to the website shortly that takes into consideration admin control via governance.
22. Are the signers of the admin addresses clearly listed and provably distinct humans? (%)
Admin control is through Governance and process clearly explained, therefore a score of 100%. Note: this takes advantage of a guidance upgrade which will be pushed to the website shortly that takes into consideration admin control via governance.
23. Is there a robust documented transaction signing policy? Please refer to the Example doc for reference.(%)
Admin control is through Governance and process clearly explained, therefore a score of 100%. Note: this takes advantage of a guidance upgrade which will be pushed to the website shortly that takes into consideration admin control via governance.
Oracles
100%
This section goes over the documentation that a protocol may or may not supply about their Oracle usage. Oracles are a fundamental part of DeFi as they are responsible for relaying tons of price data information to thousands of protocols using blockchain technology. Not only are they important for price feeds, but they are also an essential component of transaction verification and security. These questions are explained in this document.
24. Are Oracles relevant? (Y/N)
The Frax Protocol employs price feed oracles. The protocol relies on an Oracle to determine the market rate for both the Asset Token and the Collateral Token. These Oracles combine price feeds from multiple places, which helps to achieve a robust and manipulation resistant price feed. Additionally, each pair can be deployed with a Rate Calculator which calculates the interest rate based on the amount of available capital to borrow. It is clear from the protocol's documentation that oracles play a key role in its operation.
25. Is the protocol's Oracle sufficiently documented? (%)
The Oracle of the Frax protocol is sufficiently documented. The documentation provides an overview of the Frax Oracle, explains the motivation behind its design, and outlines its major components, such as the Dual Oracle / Price Source contract that fetches prices from two different on-chain sources. It also explains how the Frax Oracle stores prices that can be retrieved in the Chainlink style or the Fraxlend style. The Oracle updates its price feed once per day per supported asset. The documentation also details how Oracle manipulation attacks are handled economically and provides contract addresses for the Dual Oracles / Price Sources and the Frax Oracles.
26. Can flashloan attacks be applied to the protocol, and if so, are those flashloan attack risks mitigated? (Y/N)
The Frax Finance protocol has implemented countermeasures against flashloan attacks. The protocol uses Oracles which combine price feeds from multiple sources to achieve a robust and manipulation-resistant price feed. This makes it difficult for flash loans to manipulate liquidity in the protocol's vaults to affect Oracle-reported prices. Furthermore, the protocol handles Oracle manipulation attacks economically, stating there is too much protocol-owned liquidity for manipulating the Curve / Uniswap pools to be profitable. In addition, Frax Finance offers one of the largest bounties in the industry for exploits where user funds are at risk or protocol controlled funds/collateral are at risk, serving as a deterrent for potential attackers.