We are pleased to announce that Runtime Verification has successfully completed Folks Finance’s protocol design review.
The team has engaged Runtime Verification Inc, a leader in the sector, to conduct the protocol security audit, which consists of the design review and, subsequently, the code review. The design review specifies a decentralized, algorithmic lending application to be built on the Algorand blockchain. The report issued by Runtime Verification describes the review as follows:
“The main objective of this review was to develop a deeper understanding of the business logic of the application and prepare for an upcoming full-blown security audit of the implementation of the protocol as smart contracts written in TEAL. The review involved studying the provided artifacts carefully, and discussing various aspects of the protocol with the Folks.Finance team and making suggestions for improvement as appropriate.”
The outcome was optimal. The reviewer found the protocol very well thought out and the design document well structured and written, and offered suggestions for further refinement.
Below are a couple of highlights to give the community brief insight into the review outcome.
The whitelisting of new markets must have both technical and economic requirements. The reviewer has suggested that the protocol’s Whitepaper should outline these technical requirements to build community trust in the protocol. In particular, assets must not have “manager,” “freeze,” or “clawback” addresses set: “Because a malicious ‘manager’, ‘freeze’ or ‘clawback’ address could freeze assets (so users will not be able to recover collateral) or revoke holdings of the asset to any other address.” An exception is made for assets whose addresses are managed by trusted entities, such as USDC.
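The technical side of that requirement can be checked mechanically before a market is listed. The sketch below is an added example, not Folks Finance or Runtime Verification code: it assumes asset records shaped like an Algorand node's asset response (a `params` object with optional `manager`, `freeze` and `clawback` fields), and the asset IDs, addresses and trusted list are constructed for illustration.

```python
# Added example: whitelisting pre-check on an asset's privileged role addresses.
# Assumption: records follow the shape of an Algorand node's asset response,
# where an unset role is either omitted or reported as the all-zero address.
ZERO_ADDRESS = "A" * 52 + "Y5HFKQ"  # Algorand's all-zero address (58 chars)
PRIVILEGED_ROLES = ("manager", "freeze", "clawback")


def role_is_set(params, role):
    """A role is live only if an address is present and is not the zero address."""
    addr = params.get(role)
    return bool(addr) and addr != ZERO_ADDRESS


def review_asset(asset, trusted_asset_ids):
    """Return the listing decision and the roles that drove it."""
    params = asset.get("params", {})
    active = [r for r in PRIVILEGED_ROLES if role_is_set(params, r)]
    if not active:
        return {"eligible": True, "roles": [], "reason": "no privileged addresses set"}
    if asset.get("index") in trusted_asset_ids:
        # Exception described above: roles held by a trusted entity.
        return {"eligible": True, "roles": active, "reason": "trusted issuer exception"}
    return {"eligible": False, "roles": active,
            "reason": "privileged addresses set: " + ", ".join(active)}


# Constructed sample records (IDs and addresses are placeholders, not real assets).
TRUSTED_ASSET_IDS = {1001}  # hypothetical governance-approved allowlist
SAMPLE_ASSETS = [
    {"index": 1001, "params": {"unit-name": "STBL", "manager": "ISSUER-MGR",
                               "freeze": "ISSUER-FRZ", "clawback": "ISSUER-CLW"}},
    {"index": 2002, "params": {"unit-name": "SAFE", "manager": ZERO_ADDRESS,
                               "freeze": "", "reserve": "RESERVE-ADDR"}},
    {"index": 3003, "params": {"unit-name": "RISK", "clawback": "UNKNOWN-CLW"}},
]

if __name__ == "__main__":
    for asset in SAMPLE_ASSETS:
        print(asset["index"], review_asset(asset, TRUSTED_ASSET_IDS))
```

The check treats an omitted field, an empty string and the zero address the same way, since each means the role cannot be exercised.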
Flash loans have been one of the most sensitive features of the protocol. The Folks Finance team has done extensive research and feasibility studies on this kind of borrowing, which does not require collateral and must be repaid within one block time. However, the auditor suggested postponing the release of flash loans in protocol-V2. A mature Algorand ecosystem, both in terms of flash loan uses and security, is needed to benefit from the feature.
Folks Finance CEO, Benedetto Biondi, commented as follows:
“I would like to thank the Runtime Verification team for their insightful comments and suggestions that have helped improve the Folks Finance protocol design. It was beneficial and enjoyable to collaborate with them, and we are really enthusiastic about approaching the Smart Contracts audit.”
Runtime Verification COO, Patrick MacKay, commented as follows:
“We thoroughly enjoyed working with the Folks Finance team on this engagement. We are impressed by their commitment to security and assurance, a must, we believe, for this and other projects to gain users and adoption across the Algorand ecosystem. We look forward to engaging in the future as they no doubt will move from strength to strength.”
In November, before approaching the protocol launch on Testnet, Runtime Verification will be executing a 4-week code review, part of the 6-week security audit, on Folks Finance’s smart contracts. This part of the engagement will consist of a review of the contracts’ business logic and its implementation in TEAL to identify any potential exploits.