Scope: New Cover Policy Activation
Authors: Jas Singh, Sujith Sizon, Vithuran K.
WeFi is a decentralized money market protocol that opens up investment loan options in DeFi for global users to invest in digital assets via multi-pool borrowing.
A successful audit has been completed for WeFi. The activation for the WeFi policy will commence shortly after passing the proposal. The UnoWatchDog program gives the opportunity for protocols to get a smart contract audit and get protocol wide coverage for all of its active users at no additional charge for either the protocol or the users. This means users will no longer be required to individually purchase, renew, and file claims for insurance. You can read more about the protocol in the full documentation on their site at docs.wefi.xyz
Start Date: August 31st 2023
End Date: August 31st 2024
Type of Coverage: SCV
TVL Coverage Amount: $200,000 USD
Individual Cover Limit: $5000 USD
Individual Deductible: $100 USD
Chain: Ethereum, Arbitrum, BSC, Polygon, Polygon zkEVM (TBD), ZkSync (TBD)
Claims: SSIP pool assets (USDC, USDT, UNO, ETH), Nexus Quota Share (NXM)
Tokens used: WBTC, WETH, USDC, USDT, WMATIC, LINK, AAVE, UNI, QUICK
WeFi contracts have gone through an extensive audit by our security team and partners. We will continue to audit new additions to code for the remainder of the insurance policy term (12 months) free of charge as long as the number of SLOC changes fall within the quota. Should the insurance policy be extended, continued audits will also extend.
Precommit hash: 268cec6acdade1da4f0911d125760f2195d8df12
The following contracts below are considered within scope of the audit:
Last Review commit hash WeFi – 70842cd2b30df121f496963bedfbd52a497542a8
Please find the IPFS link to the WeFi Audit here: https://gateway.pinata.cloud/ipfs/QmRid8oxiEoFhtuS6NqPXa4Eoq6pZ4oH6PWQ1MrhnpPkDF
Active Monitoring and Real time tracking:
We have set up our suite of active monitoring and real time tracking toolkit to proactively maintain a steady check on the protocol’s health and notify the Auditors on UnoRe’s discord server immediately as soon as any malicious on unintended activities happen on chain. We have listed below the key areas of tracking and monitoring that we have setup for WeFi protocol.
a. setPriceFeed (function)
b. new PendingImplementation (event)
c. NewImplementation (event)
a. NewBorrowCap (event)
b. NewPriceOracle (event)
c. CompBorrowSpeedUpdated (event)
d. CompSupplySpeedUpdated (event)
d. NewMarketInterestRateModel (event)
e. Mint (function)
f. ProxyMint (function)
Even though WeFi has passed a thorough audit review, it can still be prone to attacks that have never been documented before. Monitoring the contracts is an additional step we take to help prevent hacks in edge case scenarios where the hacker is still able to steal assets.
Service Fees for UnoRe DAO services are as follows:
Date: August 2023
- Audit cost split among auditors: $14,000 USDT
- Insurance premiums (Semi-Annual payment terms): $1,500 USDT, $1,500 USD worth of $WEFI paid every 6 months.
A special thank you to our Independent Auditors chrisdior4, ddimitrov22 and curiousapple.
In the rare event an UnoWatchDog client is hacked and funds are non-recoverable, UnoRe will cover losses for each user up to the total coverage amount and up to the set individual claim limit, less the individual deductible shown above. The insurance policy follows the same exclusions and conditions in our original smart contract cover wording found in our Gitbook. Additional terms apply if coverage is supplied by Nexus Mutual Quota Share. The loss must fall under both the Nexus Mutual and UnoRe smart contract cover wording to be eligible for claims.
UnoWatchDog clients will continually have new code audited, however if an exploit is due to any of the following reasons, the policy will be invalidated:
• A contract upgrade that Uno Re did not approve/audit
• WeFi did not notify Uno Re prior to deploying changes
• WeFi did not notify Uno Re prior to deploying contracts on networks other than Polygon.
• WeFi did not allow for enough time for the code to be approved by both Uno Re and the Olympus Council.
A two week window will be given for additional code to be reviewed by the Auditors and Uno Re prior to being deployed. The policy will resume as intended after both the Auditors and Uno Re have approved any changes. Unlike the insurance policies listed in our cover portal, users will not be required to take any further action to be covered. Users will automatically be covered if a loss were to occurred, and will not be required to file a claim to be processed.
Uno Re will be running an active Zero-day reporting and bug bounty program where security researchers and whitehats who find Critical and High issues with the protocol can make submissions for a reward. Zero Day is a monitoring program initiated once the audit phase is over. The researchers submit zero-day and other exploits, ensuring a continuous vulnerability assessment process.
Scope and rewards.
The program’s scope remains the same as the audit. We would then categorize the vulnerability into critical, high, and medium. These reports would be based on exploits that could lead to
- Direct Fund loss
- Permanent freezing of user’s stakes
- Theft of unclaimed rewards
- Preventing users from claiming due rewards
Disclaimer: UNO DAO would decide the payout for these vulnerabilities. The amount for the payout would be proportional to the severity and nature of the exploit.
Conclusion and next steps:
The internal audit of WeFi was successful, and our active monitoring systems are live. The insurance policy will also go live by the end of the week, and will not expire until the end of July 2024. The renewal of the policy at the end of its term is subject to approval by the UnoRe DAO at a future date. After this proposal passes, WeFi will be added to our list of UnoWatchDog clients.
Disclaimer: The Watch Dog program does not have any influence on any projects token price. A Watch Dog client does not mean we endorse the projects token or coin. UnoRe does not give out financial advice and can neither confirm or deny whether the token in question is a good investment.