Index Coop products are built on either Set Protocol v2 or Index Protocol (a good-faith fork of Set Protocol v2). The security of both systems is of the utmost importance to the DAO and we recognize the complexity, difficulty, and responsibility of maintaining and evolving a value-bearing protocol. Therefore, Set Labs and Index Coop have made considerable efforts to ensure both systems have been reviewed by top independent security firms and that every line of code is heavily scrutinized.
The following audits for Set Protocol v2 and Index Protocol have been conducted and published by independent security firms:
BasicIssuanceModule, PriceOracle, InvokeLib, Controller, SetToken, StreamingFeeModule, IntegrationRegistry, PositionLib, PreciseUnitMath, AddressArrayUtils, SetTokenCreator, ISetToken, ExplicitERC20, ModuleBase, IOracle, IOracleAdapter, IController, IManagerIssuanceHook
BasicIssuanceModule, PriceOracle, InvokeLib, Controller, SetToken, StreamingFeeModule, IntegrationRegistry, PositionLib, PreciseUnitMath, AddressArrayUtils, SetTokenCreator, ISetToken, ExplicitERC20, ModuleBase, IModuleBase, IOracle, IOracleAdapter, IController, IDepositor, IManagerIssuanceHook, WrapModule, TradeModule, CompoundLeverageModule
(consolidated) PDF below
GeneralIndexModule, DebtIssuanceModuleV2, AaveLeverageModule, AMMSplitter, BatchTradeExtension, PerpetualV2Module, PerpetualV2BasisTradingModule
(consolidated) PDF below
ABDK Set Protocol v2 Audits.pdf
Iosiro Set Protocol v2 Audits.pdf
All issues identified in these reports have been addressed by the Set Labs and/or Index Coop teams. While the audits are a thorough investigation of the code’s integrity, please be advised that they do not provide a 100% foolproof guarantee that the contracts are free from vulnerabilities.
The same security assumptions and audit coverage for Set Protocol v2 apply to Index Protocol as no changes have been made to the code for Core Contracts, Modules, or Adapters. Any Core Contracts or Modules added to Index Protocol over time will also be audited by security professionals before deployment and published here. Incremental smart contract development is subject to internal unit, integration, and simulation testing before submission to auditors and/or deployment.
Both Index Coop and Set Protocol maintain bug bounty programs in order to incentivize hackers to make positive-sum contributions to protocol and product security.
Index Coop’s bug bounty program is live on Immunefi, where bug hunters and DeFi researchers can win up to $200,000 for helping strengthen the security of Index Protocol. Rewards are distributed according to the Immunefi Vulnerability Severity Classification System, a simplified 5-level scale that focuses on the impact of the vulnerability reported. You can find full details on the Immunefi - Index Coop page.
The Set Protocol bug bounty program runs continuously and pays up to $50,000 for critical exploits. More details concerning scope, program rules, and compensation can be found in the official Set Documentation.
All source code for contracts supporting Index Coop products can be found in the following GitHub repositories: