Security Checklist

Following the exploit which struck the Revest Protocol on March 27th, 2022, the Revest Team has committed themselves to conforming to the highest security standards available. We've published a post-mortem about the incident and have established this page with the goal of sharing our progress towards overhauling our team and systems in a fully transparent way.
Please note that this page is by no means exhaustive and will likely be further updated as we receive advice from the security professionals whom we have contacted to assist us in this matter.

Security Fixes on Revest Protocol Contracts

  • Deploy hardened version of Revest.sol entry point and strip out unnecessary surface area
  • Unpause token transfers and allow trading to resume
  • Deploy additional version of Revest.sol and upgraded version of Staking.sol to restore proper functionality to the Revest staking system
  • Upgrade FNFTHandler.sol and re-issue FNFTs to all holders
  • Ideate, develop, review, and deploy hardened version of AddressRegistry.sol to facilitate "break-glass" procedures across the Revest Protocol
    • Code ready
    • Audit in progress
    • Code deployed
  • Upgrade TokenVault to TokenVaultV2 to sandbox value storage while providing backwards compatibility
    • Code ready
    • Audit in progress
    • Code deployed
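The "break-glass" AddressRegistry item above refers to a pattern in which every protocol module resolves its dependencies through one registry, so a single switch can halt the whole system during an incident. The following is an added illustration of that pattern written for this page; it is not Revest's AddressRegistry.sol, and the contract and role names (BreakGlassRegistry, guardian, TOKEN_VAULT) are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical break-glass registry (added example, not Revest's AddressRegistry.sol).
/// Modules look up every dependency here; while paused, every lookup reverts,
/// so one call from the owner or guardian stops the protocol end to end.
contract BreakGlassRegistry {
    address public owner;      // may change addresses and unpause
    address public guardian;   // may only pause (least privilege for the emergency key)
    bool public paused;
    mapping(bytes32 => address) private addresses;

    event Paused(address indexed by);
    event Unpaused(address indexed by);
    event AddressSet(bytes32 indexed key, address indexed value);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(address _guardian) {
        require(_guardian != address(0), "zero guardian");
        owner = msg.sender;
        guardian = _guardian;
    }

    /// Break-glass: either key can halt the protocol immediately.
    function pause() external {
        require(msg.sender == owner || msg.sender == guardian, "not authorized");
        paused = true;
        emit Paused(msg.sender);
    }

    /// Resuming is deliberately owner-only so a compromised guardian key
    /// can stop the protocol but cannot re-enable it.
    function unpause() external onlyOwner {
        paused = false;
        emit Unpaused(msg.sender);
    }

    function setAddress(bytes32 key, address value) external onlyOwner {
        require(value != address(0), "zero address");
        addresses[key] = value;
        emit AddressSet(key, value);
    }

    /// Consumers revert while paused; an unset key also reverts rather than
    /// returning address(0) and silently sending value nowhere.
    function getAddress(bytes32 key) external view returns (address) {
        require(!paused, "protocol paused");
        address a = addresses[key];
        require(a != address(0), "address unset");
        return a;
    }
}

/// Example consumer: it never stores the vault address itself, so an
/// upgrade or a pause in the registry takes effect on the next call.
contract ExampleModule {
    BreakGlassRegistry public immutable registry;
    bytes32 public constant TOKEN_VAULT = keccak256("TOKEN_VAULT");

    constructor(BreakGlassRegistry _registry) {
        registry = _registry;
    }

    function vault() public view returns (address) {
        return registry.getAddress(TOKEN_VAULT);
    }
}
```

The two-role split is the point to take from the example: the guardian key that must be reachable quickly during an incident only gains the ability to stop the protocol, while changing addresses or resuming stays with the owner, which keeps the blast radius of the break-glass key small.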

Smart Contract Security

  • Commission Zellic to perform an audit of the Revest Protocol
    • Contracted
    • Audit Scheduled (4/11)
    • Audit Completed
  • Commission BlockSec to perform an audit of the Revest Protocol
    • Contracted
    • Audit Scheduled (4/8)
    • Audit Completed
  • Coordinate with Solidity Finance on their follow-up audit of the Revest Protocol
    • Commitment made
    • Audit Scheduled (4/30)
    • Audit Completed (estimated: 5/19)
  • Coordinate with Immunefi to set up bug bounty
    • Application submitted
    • Draft program in progress
    • Program launched
  • Contact Nexus Mutual pursuant to establishing protocol insurance option
    • Initial outreach
    • Informed that Nexus Mutual has 100M MC minimum requirement
  • Contact InsurAce pursuant to establishing protocol insurance option
    • Update TVL tracker to accurately quantify TVL from LQDR and meet minimum 10M TVL

Organizational Security (DevSecOps)

  • Hire industry expert to perform internal audit of team practices and policies. This will involve analysis of internal processes, policies, and development of procedures for the team to implement.
    • Contacted
    • Meeting Scheduled
    • Audit in progress
    • Audit completed
  • Force utilization of 2FA where possible
    • GitHub
    • Google
    • DNS provider
    • AWS/CDN providers
    • Gitbook
  • Integration of DevSecOps practices into daily workflow
    • Continuous Integration
      • Bevy of unit tests
        • Unit test migration to TypeScript
      • Security checklists
      • Mandatory PR reviews (code review)
      • Standardized gamut of tests, coverage reviews
      • Fuzzing
    • Static Analysis (Slither)
    • Regular pen-testing
      • Documented scheduling
    • Bug bounties
    • Access control best-practices
      • GitHub
  • Identify internal weaknesses and document
    • Risk profile analysis
      • Preliminary
      • Final
    • Attack surface area reduction recommendations
  • Improve GitHub Workflow Procedures
    • PR required to push to master
    • Code review required
  • Improve internal documentation
    • GitHub Procedures
    • GitHub READMEs
    • Internal policy documentation
      • Work underway
    • External documentation
      • Security development checklist
      • Medium posts updating on progress
    • Pull-request best-practices
    • Emergency Response Procedures
    • Internal versioning best-practices
    • Break-glass procedures and ease-of-access for all with permissions
      • Documentation and tracking of those with permissions