Security and Audits
Last updated
Last updated
Index Coop products are built on either Index Protocol (a good-faith fork of Set Protocol v2) or Set Protocol v2. The security of both systems is of the utmost importance to the DAO and we recognize the complexity, difficulty, and responsibility of maintaining and evolving a value-bearing protocol. Therefore, Index Coop and Set Labs have made considerable efforts to ensure both systems have been reviewed by top independent security firms and that every line of code is heavily scrutinized.
The following audits for Index Protocol and Set Protocol v2 have been conducted and published by independent security firms:
All issues identified in these reports have been addressed by the Index Coop and/or Set Labs teams. While the audits are a thorough investigation of the code’s integrity, please be advised that these audits do not provide a 100% foolproof guarantee that the contracts are free from vulnerabilities.
The same security assumptions and audit coverage for Set Protocol v2 apply to Index Protocol as no changes have been made to the code for Core Contracts, Modules, or Adapters. Any Core Contracts or Modules added to Index Protocol over time will also be audited by security professionals before deployment and published here. Incremental smart contract development is subject to internal unit, integration, and simulation testing before submission to auditors and/or deployment.
Both Index Coop and Set Protocol maintain bug bounty programs in order to incentivize hackers to make positive-sum contributions to protocol and product security.
Index Coop’s bug bounty program is live on Immunifi, where bug hunters and DeFi researchers can win up to $200,000 for helping strengthen the security of Index Protocol. Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System, a simplified 5-level scale that focuses on the impact of the vulnerability reported. You can find full details on the Immunefi - Index Coop page.
All source code for contracts supporting Index Coop products can be found in the following GitHub repositories:
The most current audit reports are also stored in IndexCoop / audits.
Auditor
Coverage
Link
Sherlock
AaveLeverageStrategyExtension, AaveV3LeverageStrategyExtension, BaseManagerV2, Controller, IntegrationRegistry, SetToken, SetTokenCreator, AaveV3LeverageModule, AirdropModule, AmmModule, ClaimModule, DebtIssuanceModule, DebtIssuanceModuleV2, StreamingFeeModule, TradeModule, WrapModuleV2, BasicIssuanceModule, AuctionRebalanceModuleV1, BoundedStepwiseExponentialPriceAdapter, BoundedStepwiseLinearPriceAdapter, BoundedStepwiseLogarithmicPriceAdapter, ConstantPriceAdapter
0x52
CustomOracleNAVIssuanceModule, SetValuer, PriceOracle, PreciseUnitOracle, ERC4626Oracle, RebasingComponentModule, WrapModuleV2, AaveV2WrapV2Adapter, AaveV3WrapV2Adapter, CompoundV3WrapV2Adapter, ERC4626WrapV2Adapter, TargetWeightWrapExtension, SnapshotStakingPool, SignedSnapshotStakingPool, PrtFeeSplitExtension, Prt , DebtIssuanceModuleV3
Code4rena
NotionalTradeModule, NotionalWrappedfCash
OpenZeppelin
BasicIssuanceModule, PriceOracle, InvokeLib, Controller, SetToken, StreamingFeeModule, IntegrationRegistry, PositionLib, PreciseUnitMath, AddressArrayUtils, SetTokenCreator, ISetToken, ExplicitERC20, ModuleBase, IOracle, IOracleAdapter, IController, IManagerIssuanceHook
ABDK
BasicIssuanceModule, PriceOracle, InvokeLib, Controller, SetToken, StreamingFeeModule, IntegrationRegistry, PositionLib, PreciseUnitMath, AddressArrayUtils, SetTokenCreator, ISetToken, ExplicitERC20, ModuleBase, IModuleBase, IOracle, IOracleAdapter, IController, IDepositor, IManagerIssuanceHook, WrapModule, TradeModule, CompoundLeverageModule, AaveV3LeverageModule, AaveV3LeverageStrategyExtension
(consolidated) PDFs below
Iosiro
GeneralIndexModule, DebtIssuanceModuleV2, AaveLeverageModule, AMMSplitter, BatchTradeExtension, PerpetualV2Module, PerpetualV2BasisTradingModule
(consolidated) PDF below