Security and Audits

Index Coop products are built on either Set Protocol v2 or Index Protocol (a good-faith fork of Set Protocol v2). The security of both systems is of the utmost importance to the DAO and we recognize the complexity, difficulty, and responsibility of maintaining and evolving a value-bearing protocol. Therefore, Set Labs and Index Coop have made considerable efforts to ensure both systems have been reviewed by top independent security firms and that every line of code is heavily scrutinized.

Audits

The following audits for Set Protocol v2 and Index Protocol have been conducted and published by independent security firms:

Auditor

Coverage

Link

Sherlock

AaveLeverageStrategyExtension, AaveV3LeverageStrategyExtension, BaseManagerV2, Controller, IntegrationRegistry, SetToken, SetTokenCreator, AaveV3LeverageModule, AirdropModule, AmmModule, ClaimModule, DebtIssuanceModule, DebtIssuanceModuleV2, StreamingFeeModule, TradeModule, WrapModuleV2, BasicIssuanceModule, AuctionRebalanceModuleV1, BoundedStepwiseExponentialPriceAdapter, BoundedStepwiseLinearPriceAdapter, BoundedStepwiseLogarithmicPriceAdapter, ConstantPriceAdapter

Index Protocol Index Update

OpenZeppelin

BasicIssuanceModule, PriceOracle, InvokeLib, Controller, SetToken, StreamingFeeModule, IntegrationRegistry, PositionLib, PreciseUnitMath, AddressArrayUtils, SetTokenCreator, ISetToken, ExplicitERC20, ModuleBase, IOracle, IOracleAdapter, IController, IManagerIssuanceHook

Set Protocol v2 Audit - OpenZeppelin Security

ABDK

BasicIssuanceModule, PriceOracle, InvokeLib, Controller, SetToken, StreamingFeeModule, IntegrationRegistry, PositionLib, PreciseUnitMath, AddressArrayUtils, SetTokenCreator, ISetToken, ExplicitERC20, ModuleBase, IModuleBase, IOracle, IOracleAdapter, IController, IDepositor, IManagerIssuanceHook, WrapModule, TradeModule, CompoundLeverageModule, AaveV3LeverageModule,AaveV3LeverageStrategyExtension

(consolidated) PDFs below

Iosiro

GeneralIndexModule, DebtIssuanceModuleV2, AaveLeverageModule, AMMSplitter, BatchTradeExtension, PerpetualV2Module, PerpetualV2BasisTradingModule

(consolidated) PDF below

Code4rena

NotionalTradeModule, NotionalWrappedfCash

Notional x Index Coop Findings & Analysis Report - Code4rena

All issues identified in these reports have been addressed by the Index Coop and/or Set Labs teams. While the audits are a thorough investigation of the code’s integrity, please be advised that these audits do not provide a 100% foolproof guarantee that the contracts are free from vulnerabilities.

The same security assumptions and audit coverage for Set Protocol v2 apply to Index Protocol as no changes have been made to the code for Core Contracts, Modules, or Adapters. Any Core Contracts or Modules added to Index Protocol over time will also be audited by security professionals before deployment and published here. Incremental smart contract development is subject to internal unit, integration, and simulation testing before submission to auditors and/or deployment.

Bug Bounty

Both Index Coop and Set Protocol maintain bug bounty programs in order to incentivize hackers to make positive-sum contributions to protocol and product security.

Index Coop’s bug bounty program is live on Immunifi, where bug hunters and DeFi researchers can win up to $200,000 for helping strengthen the security of Index Protocol. Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System, a simplified 5-level scale that focuses on the impact of the vulnerability reported. You can find full details on the Immunefi - Index Coop page.

GitHub

All source code for contracts supporting Index Coop products can be found in the following GitHub repositories:

PreviousSet Protocol v2NextContract Verification

Last updated