v3 Audit and Launch Strategy

With development of v3 complete, the public release is now pending security and peer reviews.

The Canonical Vaults by yAxis are an exciting iteration and contribution to DeFi, and we want to get the launch right from the start. As both a team and DAO, we need to be responsible in our acceptance and handling of users funds.

Let’s lay out the information and steps to consider before launch.

Previous Audits

v1 and v2 were audited by Quantstamp in December and February respectively.

Quantstamp were early supporters of yAxis and we benefitted from an ongoing relationship with them through mutual connections. This allowed us to bypass the usual process and turn audits around very quickly.

We had expected this to repeat and be able to get v3 audited asap. However, it’s clear this option won’t be available to us this time around and we have to queue like everyone else.

Projects can only get in the queue once their code is finished and submitted; they can’t be scheduled in advance.

Audit Landscape

Not all audits are the same. The quality of a security report reflects the engineer analysing the contracts.

Tier 1 firms like “Trail of Bits” or “Sigma Prime” have long since had 6–9+month waits.

But lately, with the expansion of DeFi, and the sheer number of projects exploding (and exploits), the demand for audits is through the roof.

This has lead to every reputable security firm having long waits to the extent they either don’t reply, or have auto-generated messages turning applicants away.

This of course isn’t just affecting yAxis, but every DeFi project trying to release a new product.

Canonical Vaults Audit

v3 is booked in with Haechi Audit for September 28th, and that timeline is only possible as we’ve worked with them before. We’ll continue to book further audits with Tier 1 firms when possible.

Our lead Solidity developer, TransferAndCall is a senior professional in the space, and there are few who can match his standards. Having said that, it’s always possible to miss things, or spot something when looking from the outside in. That’s why audits and peer reviews are still important.

To date, yAxis is one of the only projects in DeFi that hasn’t been exploited.

Next Steps

While the audit is scheduled for late September, there are other options we are considering to bring more peer reviews and assurance for vault users.

1. Guarded Launch — It’s possible to put a cap on the TVL of the vaults, e.g $50m, and allow early participants to enter at their own risk. By capping the TVL, there isn’t a huge target on us. This could run for e.g a month, until the audit is released.
2. Engage White Hats — We have reached out to several known white hats to review the code as part of our ImmuneFi bug bounty. This ensures another set of expert eyes have looked through for any obvious issues.
3. Community Sourced-There are professional communities we can invite to pick apart the code. An example is Code 423n4, more about them below.

Incentives vs Value

An official audit is simply an engineer who reviews the code and writes a report on any issues found. They aren’t liable for exploits, and there is no guarantee they may find anything, even if there.

There is added value as a marketing tool, whereby you have a certificate you can wave at users and investors.

A white hat who looks over your code may be just as thorough from a security perspective, they just won’t have a shiny certificate for you to point to.

In theory, firms have a reputation to protect, however the current demand has nullified any fallout. Projects, as consumers, just don’t have the luxury of choice over auditors.

An audit firm gets paid whether or not they find anything. Whereas a bounty only pays out when something is found.

Worth noting is a recent tweet from Banteg, who highlighted a logic flaw with bug bounties. If someone finds a bug they could simply exploit it, then offer to return the missing funds and by doing so negotiate both immunity, and a finders fee far higher than was publicly on offer.

Code 423n4

Code 423n4 is a relative newcomer to DeFi security. They offer an incentivised bug bounty, where their community of white hat contributors compete to find the first, the most or the riskiest issues in a code base during a week long bug bounty.

The output for us would be a report similar to an audit firm. You can see some example reports here. Next available slot is in the first week of September.

They have served projects like 88mph, Yield, and Maple Finance.

You can also join their Discord to learn more about the community members and bug contests.

Code 423n4

War Room Response

A reminder that yAxis is an early partner to the War Room. This gives us access to a team of professionals who can assist and react during any abnormal events, strengthening our security credentials on a ‘per need’ basis.

Community Feedback

yAxis is a community sourced project, and while the team may be steering the ship — it’s important to us to collect feedback on strategy. We want to hear from the community on these next steps and take your thoughts into consideration for how and when to launch the Canonical Vaults.

To facilitate this, we’ve opened up a Forum thread to provide that structured conversation.

Summary

Whilst an audit is scheduled for September, it’s of course frustrating for everyone involved to sit on a finished product.

yAxis is committed to security and safety of funds. That has to be top priority. We’ve all seen the effects of weak code.

In the meantime, we’d like feedback on the Forum regarding a guarded launch in the near future, alongside the value of white hat peer reviews and the Code423n4 contest as a pre-cursor to a certified audit.