# Security Checklist

Following the exploit which struck the Revest Protocol on March 27th, 2022, the Revest Team has committed itself to conforming to the highest security standards available. We've published a [post-mortem about the incident](https://revestfinance.medium.com/revest-protocol-exploit-recovery-plan-b06ca33fbdf5) and have established this page with the goal of sharing our progress towards overhauling our team and systems in a fully transparent way.

Please note that this page is by no means exhaustive and will likely be further updated as we receive advice from the security professionals whom we have contacted to assist us in this matter.

### Security Fixes on Revest Protocol Contracts

* [x] Deploy [hardened version of Revest.sol](https://etherscan.io/address/0x36c2732f1b2ed69cf17133ab01f2876b614a2f27#code) entry point and strip out unnecessary surface area
* [x] Unpause token transfers and allow trading to resume
* [x] Deploy additional version of Revest.sol and upgraded version of Staking.sol to restore proper functionality to the Revest staking system
* [x] Upgrade FNFTHandler.sol and re-issue FNFTs to all holders
* [x] Ideate, develop, review, and deploy hardened version of AddressRegistry.sol to facilitate "break-glass" procedures across the Revest Protocol
  * [x] Code ready
  * [x] Audit in progress
  * [x] Code deployed
* [x] Upgrade TokenVault to [TokenVaultV2](https://revestfinance.medium.com/revest-finance-innovates-with-strongest-security-in-defi-3d46d5c49a2) to sandbox value-storage while providing backwards-compatibility
  * [x] Code ready
  * [x] Audit in progress
  * [x] Code deployed

### Smart Contract Security

* [x] Commission [Zellic](https://zellic.io/) to perform an audit of the Revest Protocol
  * [x] Contracted
  * [x] Audit Scheduled (4/11)
  * [x] Audit Completed
* [x] Commission [BlockSec](https://www.blocksecteam.com/) to perform an audit of the Revest Protocol
  * [x] Contracted
  * [x] Audit Scheduled (4/8)
  * [x] Audit Completed
* [x] Coordinate with Solidity Finance on their follow-up audit of the Revest Protocol
  * [x] Commitment made
  * [x] Audit Scheduled (4/30)
  * [x] Audit Completed (estimated: 5/19)
* [x] Coordinate with [Immunefi](https://immunefi.com/) to set up bug bounty
  * [x] Application submitted
  * [x] Draft program in progress
  * [x] Program launched
* [x] Contact [Nexus Mutual](https://nexusmutual.io/) pursuant to establishing protocol insurance option
  * [x] Initial outreach
  * [x] Informed that Nexus Mutual has a 100M MC minimum requirement
* [x] Contacted InsurAce pursuant to establishing protocol insurance option
  * [x] Update TVL Tracker to Accurately Quantify TVL from LQDR and meet minimum 10M TVL

### Organizational Security (DevSecOps)

* [x] Hire industry expert to perform internal audit of team practices and policies. This will involve analysis of internal processes, policies, and development of procedures for the team to implement.
  * [x] Contacted
  * [x] Meeting Scheduled
  * [x] Audit in progress
  * [x] Audit completed
* [x] Force utilization of 2FA where possible
  * [x] GitHub
  * [x] Google
  * [x] DNS provider
  * [x] AWS/CDN providers
  * [x] Gitbook
* [ ] Integration of DevSecOps practices into daily workflow
  * [ ] Continuous Integration
    * [x] Bevy of unit tests
      * [x] Unit test migration to TypeScript
    * [ ] Security checklists
    * [x] Mandatory PR reviews (code review)
    * [ ] Standardized gamut of tests, coverage reviews
    * [x] Fuzzing
  * [x] Static Analysis (Slither)
  * [ ] Regular Pen-testing
    * [ ] Documented scheduling
  * [x] Bug bounties
  * [x] Access control best-practices
    * [x] GitHub
* [x] Identify internal weaknesses and document
  * [x] Risk profile analysis
    * [x] Preliminary
    * [x] Final
  * [x] Attack surface area reduction recommendations
* [x] Improve GitHub Workflow Procedures
  * [x] PR required to push to master
  * [x] Code review required
* [ ] Improve internal documentation
  * [x] GitHub Procedures
  * [ ] GitHub READMEs
  * [x] Internal policy documentation
    * [x] Work underway
  * [x] External documentation
    * [x] Security development checklist
    * [x] Medium posts updating on progress
  * [x] Pull-request best-practices
  * [x] Emergency Response Procedures
  * [x] Internal versioning best-practices
  * [x] Break-glass procedures and ease-of-access for all with permissions
    * [x] Documentation and tracking of those with permissions

