Security Checklist
Following the exploit which struck the Revest Protocol on March 27th, 2022, the Revest Team has committed itself to conforming to the highest security standards available. We've published a post-mortem about the incident and have established this page with the goal of sharing our progress towards overhauling our team and systems in a fully transparent way.
Please note that this page is by no means exhaustive and will likely be further updated as we receive advice from the security professionals whom we have contacted to assist us in this matter.
Security Fixes on Revest Protocol Contracts
Upgrade TokenVault to TokenVaultV2 to sandbox value-storage while providing backwards-compatibility
Code ready
Audit in progress
Code deployed
Smart Contract Security
Commission Zellic to perform an audit of the Revest Protocol
Contracted
Audit Scheduled (4/11)
Audit Completed
Commission BlockSec to perform an audit of the Revest Protocol
Contracted
Audit Scheduled (4/8)
Audit Completed
Coordinate with Solidity Finance on their follow-up audit of the Revest Protocol
Commitment made
Audit Scheduled (4/30)
Audit Completed (estimated: 5/19)
Coordinate with Immunefi to set up bug bounty
Application submitted
Draft program in progress
Program launched
Contact Nexus Mutual pursuant to establishing protocol insurance option
Initial outreach
Informed that Nexus Mutual has a 100M MC minimum requirement
Contacted Insurace pursuant to establishing protocol insurance option
Update TVL Tracker to Accurately Quantify TVL from LQDR and meet minimum 10M TVL
Organizational Security (DevSecOps)
Hire industry expert to perform internal audit of team practices and policies. This will involve analysis of internal processes, policies, and development of procedures for the team to implement.
Contacted
Meeting Scheduled
Audit in progress
Audit completed
Force utilization of 2FA where possible
GitHub
Google
DNS provider
AWS/CDN providers
Gitbook
Integration of DevSecOps practices into daily workflow
Continuous Integration
Bevy of unit tests
Unit test migration to TypeScript
Security checklists
Mandatory PR reviews (code review)
Standardized gamut of tests, coverage reviews
Fuzzing
Static Analysis (Slither)
Regular Pen-testing
Documented scheduling
Bug bounties
Access control best-practices
GitHub
Identify internal weaknesses and document
Risk profile analysis
Preliminary
Final
Attack surface area reduction recommendations
Improve GitHub Workflow Procedures
PR required to push to master
Code review required
Improve internal documentation
GitHub Procedures
GitHub READMEs
Internal policy documentation
Work underway
External documentation
Security development checklist
Mediums updating on progress
Pull-request best-practices
Emergency Response Procedures
Internal versioning best-practices
Break-glass procedures and ease-of-access for all with permissions
Documentation and tracking of those with permissions