Security Practices

The Flat Money team’s security practices include fuzzing, unit testing, and routine peer reviews of the codebase. External measures include professional security reviews, contests, and pre/post-deployment bounties.

The protocol has in-built invariant checks on every user order execution. These checks ensure the integrity and accounting within the overall system at all times.

At launch, the Flat Money protocol will be audited with a bug bounty program in place, which will be managed through Immunefi. After Flat Money launches, measures will be taken to implement circuit breakers in the Flat Money smart contracts; any new features will undergo security reviews before they are put into production.

For more details, see the sections below.

Smart Contract Audit

The Flat Money team is working with Sherlock to audit the protocol’s codebase in January 2023.

Sherlock is an incentive-aligned auditing protocol that provides a hybrid audit, which combines the benefits of a legacy audit and an audit competition. The end result is more experienced eyes on the Flat Money codebase.

After Sherlock completes the Flat Money audit, the Flat Money team will purchase bug bounty coverage to incentivize responsible disclosures and provide protection in the event an exploit were to occur.

Bug Bounty Program

Flat Money will be working with Immunefi to set up and manage a bug bounty program. On Immunefi, ethical hackers secure DeFi contracts, save funds from theft, and get paid for responsibly disclosing vulnerabilities.

Through this bug bounty program, whitehat hackers are incentivized to responsibly disclose vulnerabilities in Flat Money’s smart contracts in exchange for payouts equal to the level of severity.

When the bug bounty program is live, we’ll share the link to the bug bounty program page here.

Exposure to Third Party Infrastructure

The Flat Money protocol is designed to have no exposure to third-party protocols and limited exposure to outside infrastructure.

The protocol does use Pyth Network for the protocol’s primary oracle infrastructure to accurately price rETH and avoid user frontrunning of the oracle. There is also oracle redundancy in place with a Chainlink price feed as a final price sanity check to increase the security of Flat Money’s oracle infrastructure.

The only asset used within the Flat Money protocol is Rocket Pool ETH (rETH). No other crypto assets are used within the protocol.