Bug Bounty and Audits

Security at Curvance

The Curvance protocol is engineered with security as its number one priority. In this space, where people transact valuable assets, safety is crucial, especially in the case of Curvance, which deals with sophisticated and complex assets.

DeFi can be intimidating; in 2023 alone, close to $2 billion has been exploited through smart contract vulnerabilities. The industry is prone to various attack vectors, and Curvance has worked extremely hard to minimize these risks.

During the creation of the platform, Curvance maintained a strict policy on code review, testing, and security by working with reputable auditors and security experts.

Bug Bounty

Scope: Issues that could result in significant financial loss, critical bugs such as broken liveness conditions, or any flaw that could cause irreversible loss of funds.

Eligibility:

  • You must be the first to report the vulnerability.

  • If an action has been taken, you must be able to verify a signature from the same address.

  • You must provide sufficient information for us to reproduce and understand the issue.

Disclosure policy: Please report potential security issues to us as soon as possible after discovery. Allow a reasonable period for us to investigate and address the issue before making any public or third-party disclosures.

Exclusions:

  • Vulnerabilities already known to the team.

  • Issues related to "drunk admin" behavior.

  • Front-end issues that do not lead to smart contract vulnerabilities.

  • The smart contract must be deployed and currently in use.

Bug Bounty Payout

Likelihood ↓ / Severity →  | Low      | Medium   | High
---------------------------|----------|----------|----------
Will happen                | $10,000  | $50,000  | $250,000
May happen                 | $1,000   | $10,000  | $50,000
Unlikely to happen         | $200     | $1,000   | $5,000

Audits

Several audits have been made public in the Curvance Public Github Repository.

Auditors

To ensure the highest level of security, Curvance has partnered with several of the leading Web3 security firms and organizations. Each brings their own merit and strengths to the table.

TrustSec serves as the primary security partner, addressing concerns related to potential bugs, exploit vulnerabilities, and overall functionality. They have significantly contributed to the majority of hours invested in code auditing over the past five months. Auditors include Trust, Zach Obront, MiloTruck, and Bernd.

Trail of Bits played an important role in creating a highly sophisticated test suite for the complex and extensive code base for the cross-chain money market. ToB helped employ stateful fuzzing and systematically tested code through various actions and states.

Sherlock conducted an independent audit focused on Curvance’s mainnet-specific implementations. Their review covered MEV architecture, transaction ordering, and a comprehensive assessment of mainnet smart contracts prior to deployment.

yAudit, a team of Web3 hackers and engineers, spawned from the yAcademy hosted by Yearn Finance. The team assisted in test expansion and helped with nuanced intricacies, such as external integrations through ERC-4626 vaults.

Public Audit

A public audit has been conducted through Cantina, a groundbreaking marketplace for web3 security. The platform aims to simplify audits and provide tailored experiences with varied pricing.

Cantina connects organizations with security needs to expert auditors (teams and individuals) through Guilds, emphasizing accessibility and credibility. The platform ensures transparency, addressing the challenges faced by solo auditors and smaller audit teams.

Curvance strategically chose Cantina for its audit, recognizing the valuable advantages offered by Cantina's broad audit community and its connection to Spearbit DAO. By tapping into this diverse pool of auditors, Curvance ensures a thorough evaluation of its security protocols, benefitting from varied expertise and specialized knowledge.

This approach aligns with Curvance's commitment to a comprehensive security assessment, leveraging the efficiency and timeliness inherent in a larger audit community.
