Posted on February 23, 2022 by Silvia Barredo
Posted in Audits
Runtime Verification is thrilled to announce Folks Finance's audit completion. Folks Finance is a decentralized capital market protocol built on the Algorand blockchain offering lending, borrowing, liquidity provision and staking programs.
Folks Finance's audit consisted of a design review followed by a best-effort code review. Conducting a design review prior to the code review helps in building a deeper understanding of how the protocol works and identifying any high-level protocol design issues early in the auditing process.
The scope of the design review was limited to the whitepaper and covered the protocol overview, the economic model and the protocol’s technical design. The Folks team also granted us access to an early version of the smart contracts that were available at the time to help us understand how the technical design would be implemented.
The code review audit scope was limited to a set of fundamental contracts written in PyTeal implementing depositing funds, earning interest, borrowing against collateral, paying accrued interest, repaying borrowed amounts and liquidating under-collateralized loans. Oracle contracts that provide essential price feeds to the protocol and the library functions the contracts use to calculate various quantities in the protocol, such as the borrow balance and a loan's health factor, were also reviewed. A detailed list of the audited contracts can be found in the report. The code review audit also covered an updated version of the application design documents to check if any changes made after the design review broke the business logic.
The liquidity approval and staking programs, together with any other contracts not mentioned in the report, were not part of the scope and were not audited.
The design review of the Folks Finance protocol was carried out first, over a period of two weeks, followed by the best-effort code review of the lending and borrowing smart contracts over a period of four weeks. Two independent reports were produced for the engagements; the design review report was published on September 27th, 2021, while the code review audit report was published on February 1st, 2022.
The design review audit was conducted in close collaboration with the Folks Finance team. The whitepaper was studied carefully to discuss any possible improvements that could be applied to the protocol.
The best-effort code audit combined manual code review with modeling of the PyTeal implementation of the contracts in scope to identify any discrepancies in the design and potential code issues.
First, a specification in a Python-like language was derived from the largest contract in scope to better understand the implementation and how it behaved. Once the specification was ready, the PyTeal code was manually reviewed against the design and the specification to identify any scenarios where the code didn't behave as expected and introduced possible exploits. The checks conducted included checking the values of transaction fields and manually reasoning about invariants, potential arithmetic problems and rounding errors.
The audit identified and highlighted some issues along with a number of informative findings. The Folks Finance team addressed all the issues and concerns raised during the audit and incorporated all the necessary changes in the smart contracts, and these changes were also reviewed. Despite the complexity of the protocol, the implementation was well structured and documented and the code was of very high quality.
Folks Finance is the leading algorithmic capital markets protocol for lending and borrowing built and operated on top of the Algorand blockchain. Through the lending operations, Folks users can deposit liquidity and start earning a continuous economic return instantly. Through the borrowing operation, the users can request crypto loans by locking deposited funds as collateral. Folks Finance is the result of extensive research and engineering conducted by Blockchain Italia, a blockchain software house strongly focused on Algorand. The protocol innovations include a disruptive economic lending model designed for the soundness and security of the users, and the introduction of unique features such as staking of rewards, safety margins for cryptocurrency pairs, and an innovative liquidity provision system.
Runtime Verification is a technology startup based in Champaign-Urbana, Illinois. The company uses formal methods to perform security audits on virtual machines and smart contracts on public blockchains. It also provides software testing, verification services and products to improve the safety, reliability, and correctness of software systems in the blockchain field.