We are happy to have concluded our second audit, this time by PeckShield, and proud to have been highly appraised:
“The current code base is well structured and neatly organized, with considerable security measures implemented. Those identified issues are promptly confirmed and fixed.”
InsurAce.io always puts security as our highest priority, especially since our mission is to safeguard others as a #DeFi insurance protocol. Now that our code has been audited by both SlowMist and PeckShield, users can rest assured that their assets are in safe hands.
PeckShield concluded their audit on 12 July 2021, rating the smart contracts as “Low Risk”.
The full audit report can be found here: Audit Report.
InsurAce is a decentralized insurance protocol, providing reliable, robust, and carefree DeFi insurance services to DeFi users, with very low premiums and sustainable investment returns.
PeckShield is a leading blockchain security company with the goal of elevating the security, privacy, and usability of current blockchain ecosystems by offering top-notch, industry-leading services and products (including the service of smart contract auditing).
To standardize the evaluation, we define the following terminology based on the OWASP Risk Rating Methodology:
- Likelihood represents how likely a particular vulnerability is to be uncovered and exploited in the wild;
- Impact measures the technical loss and business damage of a successful attack;
- Severity demonstrates the overall criticality of the risk.
Likelihood and impact are each categorized into three ratings: H, M and L, i.e., high, medium and low respectively. Severity is determined by the combination of likelihood and impact and is classified into four categories accordingly, i.e., Critical, High, Medium and Low.
To evaluate the risk, PeckShield goes through a checklist of items, each of which is labeled with a severity category. For a given check item, if their tool or analysis does not identify any issue, the contract is considered safe with regard to that item. For any discovered issue, they may further deploy the contracts on their private testnet and run tests to confirm the findings. If necessary, they additionally build a PoC to demonstrate the possibility of exploitation.
In particular, PeckShield performs the audit according to the following procedure:
- Basic Coding Bugs: They first statically analyze the given smart contracts with their proprietary static code analyzer for known coding bugs, and then manually verify (reject or confirm) all the issues found by the tool.
- Semantic Consistency Checks: They then manually check the logic of the implemented smart contracts and compare it with the description in the white paper.
- Advanced DeFi Scrutiny: They further review the business logic, examine system operations, and place DeFi-related aspects under scrutiny to uncover possible pitfalls and/or bugs.
- Additional Recommendations: They also provide additional suggestions regarding the coding and development of smart contracts from the perspective of proven programming practices.
To better describe each issue PeckShield identified, they categorize the findings using the Common Weakness Enumeration (CWE-699), a community-developed list of software weakness types that delineates and organizes weaknesses around concepts frequently encountered in software development. Though some categories used in CWE-699 may not be relevant to smart contracts, they use the CWE categories to classify their findings. Moreover, in case an issue may affect an active protocol that has already been deployed, the public version of the report may omit such an issue, but it will be amended with full details right after the affected protocol is upgraded with the respective fixes.
“In this audit, we have analyzed the design and implementation of the InsurAce protocol. The system presents a unique, robust offering as a leading non-custodial, multi-chain decentralized insurance protocol, providing reliable, robust and secure insurance services to DeFi users and allowing them to secure their investment funds against various risks. The current code base is well structured and neatly organized, with considerable security measures implemented. Those identified issues are promptly confirmed and fixed. Moreover, we need to emphasize that Solidity-based smart contracts as a whole are still in an early, but exciting stage of development. To improve this report, we greatly appreciate any constructive feedback or suggestions, on our methodology, audit findings, or potential gaps in scope/coverage.”