The team has engaged Runtime Verification Inc to conduct a security audit of the protocol implementing lending- and borrowing-related operations in the Folks Finance application.
The security audit consisted of two phases:
- Design review, completed on September 27, 2021 (2 weeks). The main objective of this review was to develop a deeper understanding of the business logic of the application and prepare for the full-blown security audit of the implementation of the protocol as smart contracts written in PyTeal.
- Code review, completed at the end of January 2022 (4 weeks). The code review focused on the contracts’ business logic and implementation in PyTeal, and on identifying any discrepancies in the design and code issues that could cause the system to malfunction or be exploited.
During the design review, Folks Finance was described by Runtime Verification as “very well thought out and the design document well structured and written”. The reviewer offered suggestions for further refinement of the protocol, focusing in particular on the Whitelisting of the New Markets and Flash Loans. For all the suggestions and issues covered in the design review, read the official Runtime Verification report.
The code audit identified and highlighted a few bugs. Only one of those was evaluated as critical, due to a missing check in a smart contract. These issues and concerns were easily addressed by Folks Finance developers, who incorporated all necessary changes into the smart contracts.
Despite the complexity of the protocol, Runtime Verification highlighted that the implementation was well structured and documented and that the code was of very high quality.
All changes made to the implementation in response to the comments raised were reviewed.
The fully detailed Runtime Verification Audit Reports are publicly available on the company GitHub:
Folks Finance CTO, Gidon Katten, commented as follows:
“We would like to thank Runtime Verification for their support throughout the audit process. The closure of the audit is another important milestone towards the launch of Folks Finance Mainnet and is a testimony to our commitment to building a protocol with security at its core!”
About Runtime Verification
Runtime Verification is a technology startup based in Champaign-Urbana, Illinois. The company uses formal methods to perform security audits on virtual machines and smart contracts on public blockchains. It also provides software testing, verification services, and products to improve the safety, reliability, and correctness of software systems in the blockchain field.