Security Audit for ReserveLending+ (Update)
Since 2012, Trail of Bits has helped secure some of the world’s most targeted organizations and products.
Trail of Bits, a leading smart contract auditor and software assurance provider, has provided findings from its audit of unFederalReserve’s latest product, ReserveLending+ (currently available for demo or test for U.S.-based companies holding crypto; sign up here: https://unfed.info/RLplus).
Please find a status update and special announcement below.
Special Announcement: ReserveLending Supply/Borrow For all Tokens To Be Suspended in June
While the audit was focused on the ReserveLending+ product, the codebase for the RL+ product is the extant ReserveLending platform. Given the auditor’s findings, increased regulatory scrutiny around DeFi, P2P platform compliance uncertainty (including broader stablecoin issues), permissionless access, commentary from our attorneys, and our focus on institutional, commercial banking technology applications, we have had many internal discussions around how to support the retail ReserveLending platform going forward.
While we work to address all of those issues for the retail platform, we will disable supplying and borrowing on the remaining ReserveLending token pairs. Disabling will occur in June.
Even though new supplying and borrowing will be disabled, users will still be able to pay back their loans, un-supply assets (provided their assets have not been lent out), and generally interact with the platform with no changes in user experience. Your funds are safe, and this change is merely an attempt to raise the quality of the platform in advance of expected regulation and with respect to the audit findings.
What is ReserveLending+?
ReserveLending+ is an institutional DeFi (decentralized finance) ecosystem and P2P (peer-to-peer) lending platform that empowers companies to optimize their net cost of capital on-chain. Excess Bitcoin, Ethereum or USDC can earn interest at greater savings rates than offered by traditional banks and loans can be drawn at competitive rates for qualified borrowers.
The platform operates without an intermediary, allowing qualified participant entities to supply their WBTC, ETH or USDC in a non-custodial framework until a peer borrower is identified and its loan funded.
Who are Trail of Bits?
The following verbiage is from ToB’s Security Assessment presentation for unFederalReserve, with the perspective changed to improve readability.
Founded in 2012 and headquartered in New York, Trail of Bits provides technical security assessment and advisory services to some of the world’s most targeted organizations. They combine high-end security research with a real-world attacker mentality to reduce risk and fortify code. With 80+ employees around the globe, they’ve helped secure critical software elements that support billions of end users, including Kubernetes and the Linux kernel.
ToB maintains an exhaustive list of publications at https://github.com/trailofbits/publications, with links to papers, presentations, public audit reports, and podcast appearances.
In recent years, Trail of Bits consultants have showcased cutting-edge research through presentations at CanSecWest, HCSS, Devcon, Empire Hacking, GrrCon, LangSec, NorthSec, the O’Reilly Security Conference, PyCon, REcon, Security BSides, and SummerCon.
Trail of Bits specializes in software testing and code review projects, supporting client organizations in the technology, defense, and finance industries, as well as government entities. Notable clients include HashiCorp, Google, Microsoft, Western Digital, and Zoom.
Trail of Bits also operates a center of excellence with regard to blockchain security. Notable projects include audits of Algorand, Bitcoin SV, Chainlink, Compound, Ethereum 2.0, MakerDAO, Matic, Uniswap, Web3, and Zcash.
Trail of Bits Security Review Methodology Overview
The following verbiage is from ToB’s citation guide with the perspective changed to improve readability.
ToB’s evaluations allow its clients to make informed decisions about risk to their systems, and what security-relevant modifications may be necessary for a secure deployment.
Using Trail of Bits’ custom tools and unique expertise with static analysis, fuzzing, and concolic testing, it serves as a knowledgeable, dedicated adversary to identify the vulnerabilities that would otherwise go undetected.
ToB’s assessments provide an estimate of overall security posture, and the difficulty of compromise from an external attacker. They identify design-level risks and implementation flaws that illustrate systemic risks. At the conclusion of every assessment, ToB provides recommendations on best practices that could improve resistance to attack, and educate in-house security teams on common and novel security flaws and testing techniques.
At the end of every assessment, Trail of Bits provides a final report with an analysis of the system’s overall security risk based on the findings. They encourage their clients to publicly share assessment results and often aid in reviewing blog posts or whitepapers for publication.
Summary of Findings
For the purposes of project security, we will not disclose the nature of the notable, specific findings from the audit. Suffice it to say that unFederalReserve was provided a list of six (6) items to address, of which one (1) was indicated as having a high severity.
A high severity finding is one whereby the flaw “… could affect numerous users and have serious reputational, legal or financial implications.” The finding in question came with a High difficulty rating, meaning, according to the report, that “An attacker must have privileged access to the system, may need to know complex technical details, or must discover other weaknesses to exploit this issue.”
Thankfully, the fix to address this potential flaw is readily available, and the development team is putting a plan in place to address this and the other less severe findings.
Once we’ve addressed their findings, we will submit our fixes for consideration and seek to close out an audit without any significant or potential high risk issues remaining.
Trail of Bits also conducts a codebase maturity evaluation, which in its own words: “… uses a traffic-light protocol to provide each client with a clear understanding of the areas in which its codebase is mature, immature, or underdeveloped. Deficiencies identified here often stem from root causes within the software development life cycle that should be addressed through standardization measures (e.g., the use of common libraries, functions, or frameworks) or training and awareness programs.”
Trail of Bits concluded the maturity level of ReserveLending+ to be “immature”, which is not uncommon for projects of our scale and age. While these are not critical items to address, we will work to further develop the maturity of the documentation and processes to evolve towards a “mature” status.
Safety is a core operating principle, and we are glad to be spending the time and resources required to make sure our software is as robust as any commercial grade protocol out there. We feel safety, compliance and well-documented policies and procedures reduce the overall risk to any digital asset project, and encourage our peers reading this report to reach out to Trail of Bits and schedule an audit with them today. The whole industry should be encouraging these repeated CTAs (calls to action), as we have seen how a few exploited, unaudited or lightly audited protocols can have a detrimental impact on the industry as a whole.
We are proud of the unFederalReserve development team, testers, QA professionals and everyone else that contributed to the production of such a safe and secure bank-ready product, ReserveLending+.
Although the material contained in this website was prepared based on information from public and private sources that Residual Token, Inc. d/b/a unFederalReserve believes to be reliable, no representation, warranty or undertaking, stated or implied, is given as to the accuracy of the information contained herein, and Residual Token, Inc. expressly disclaims any liability for the accuracy and completeness of information contained in this or any article.
This article, our website, social media posts and other public forum materials are distributed for general informational and educational purposes only and are not intended to constitute legal, tax, accounting, or investment advice. The information, opinions and views contained herein have not been tailored to the objectives of any one individual, are current only as of the date hereof and may be subject to change at any time without prior notice. Residual Token, Inc. does not have any obligation to provide revised opinions in the event of changed circumstances.
All investment strategies and investments involve risk of loss. Nothing contained in this website should be construed as investment advice. Any reference to an investment’s past or potential performance is not, and should not be construed as, a recommendation or as a guarantee of any specific outcome or profit.
Any ideas or strategies discussed herein should not be undertaken by any individual without prior consultation with a finance, tax or legal professional for the purpose of assessing whether the ideas or strategies that are discussed are suitable to you based on your own personal objectives, needs and risk tolerance. Residual Token, Inc. expressly disclaims any liability or loss incurred by any person who acts on the information, ideas or strategies discussed herein.