Hyperdrive Security Roadmap Update: Pre-Testnet Audit Reports Are In!

By DELV

The first set of audit reports is now available! Security is a top priority at DELV and we have dedicated significant resources to our ongoing security efforts.

Today, we’re excited to share the key findings from the Hyperdrive automated market maker (AMM) protocol audits, along with the complete reports, our open source code, and new upcoming details. 

If you’re not familiar with Hyperdrive, learn more by visiting hyperdrive.delv.tech or reading Introducing the Hyperdrive Protocol: Fixed and Variable Rates, Reimagined.

Security Audits

Hyperdrive’s audit reports provide an in-depth analysis of the AMM. They include findings and actions taken to solve or mitigate the audit-reported issues.

The audits were conducted by ChainSafe, Spearbit, and Certora and are now public! The results are described in detail below within the respective sections of this blog post.

Overall, Hyperdrive has gone through several rounds of audits and formal verification, and we have scheduled one final audit that will continue into public testnet (stay tuned for an update with those results). This is a significant milestone towards safely launching Hyperdrive.

ChainSafe Audit Report (June 2023)

NOTE: This audit was completed as a checkpoint midway through the development of Hyperdrive.

About The Auditor

ChainSafe is an R&D and infrastructure solutions firm for Web 3.0 with a multi-chain perspective. They are contributors to Ethereum, Polkadot, and Filecoin ecosystems. They also work in product development via their privacy-first file storage solution, ChainSafe Files, their blockchain gaming infrastructure ChainSafe Gaming SDK, and their blockchain bridge ChainBridge.

You can learn more about ChainSafe here.

Summary of Findings

ChainSafe’s audit dated June 2023 discovered 0 critical, 0 major, 1 minor, and 28 informational / optimizational issues in the initial version of the contracts (Commit hash: 9e960c556654225345ddaad1ce81c81871e218d1). All identified issues were fixed or resolved. Please see the details in the table below.

You can read ChainSafe’s full audit report here.

Spearbit Audit (#1) Report (June 2023)

NOTE: This audit was completed as a checkpoint midway through the development of Hyperdrive.

About The Auditor

Spearbit is a decentralized network of expert security engineers offering reviews and other security-related services to Web3 companies with the goal of creating a stronger ecosystem. Their network has experience including but not limited to protocol design, smart contracts, and the Solidity compiler.

You can learn more about Spearbit here.

Summary of Findings

Spearbit’s audit dated June 2023 reviewed the initial version of the contracts (Commit hash: 8a560f413d51d3138c68b8d42311631bd603aea7). This audit occurred in parallel to the ChainSafe audit. Over the course of 15 days in total, the DELV team engaged with Spearbit to review the Hyperdrive protocol. In this period of time, a total of 76 issues were found.

Spearbit’s Risk Classification Framework: 

Results:

* Due to this audit being conducted midway through Hyperdrive's development, fixing the larger issues took some time. As such, some issues weren't marked as fixed or resolved in this audit report because they were addressed post-audit (after the two-week fix period). 

The team spent several months addressing the issues raised in the audit report, as well as new Hyperdrive features. All of these changes were the subject of a follow-up Spearbit review in February 2024 (see below).  

You can read Spearbit’s full audit (#1) report here.

Certora Audit and Formal Verification Reports (May-August 2023)

About The Auditor

Certora is an organization that provides unique technology for reviewing and verifying code correctness and security. They work with teams to secure their smart contracts with formal verification tools & smart contract audits.

You can learn more about Certora here.

Summary of Findings

Certora’s Audit and Formal Verification work occurred from May 3 to July 1, 2023, and was finalized in August 2023. 

The Certora Prover demonstrated that the implementation of the Hyperdrive Solidity contracts is correct with respect to the formal rules written by the Certora team. In addition, the team performed a manual audit of all of DELV’s Hyperdrive Solidity contracts. During the verification process and the manual audit, the Certora Prover discovered bugs in the Solidity contracts code.

Certora’s audit report describes the specification and verification of DELV’s new Hyperdrive Protocol using the Certora Prover and manual code review findings. The table below summarizes the issues discovered during the audit, categorized by severity.

*Typo correction of full audit report, which refers to 19 fixes.

You can read Certora’s full audit report here.

Spearbit Audit (#2) Report (February 2024)

Summary of Findings

Spearbit’s audit dated February 2024 reviewed the contracts at commit hash d363f421f8970b5e9ac3649e59cc0ba907f273ea. Over the course of 15 days in total, the DELV team engaged with Spearbit to review the Hyperdrive protocol. In this period of time, a total of 72 issues were found.

You can read Spearbit’s full audit report here.

Hyperdrive is now Open Source!

Over the past year, we’ve been focused on the design of the Hyperdrive AMM, which, we believe, introduces key improvements and building blocks that tackle the most critical challenges faced by fixed rate protocols today.

We believe that to go far, we must go together. It is with this same lens that we’re delighted to announce that the Hyperdrive Protocol smart contracts are now open source and available to all. We look forward to seeing it evolve through further research and collaboration.

You can find the Hyperdrive Protocol’s smart contracts here.

Summary

Our security efforts over the past 9 months have resulted in the discovery of several bugs, including some critical and medium-severity issues. The DELV team has taken actions to evaluate and mitigate these issues, and we look forward to continuing to work with our audit partners as we get closer to the launch of Hyperdrive. 

While no system is perfect, in combination with four audit reports (and one still to come), formal verification, fuzzing, high coverage unit and integration testing, and a planned continuous bug bounty program, we hope that our efforts will help build confidence in the security of Hyperdrive. 

Next Steps

Moving forward, we will continue to pursue rigorous security efforts for the Hyperdrive AMM, and we remain committed to transparently sharing issues should any be identified in the future.

Here’s what you can expect over the next few weeks from us:

  • Actively discuss Hyperdrive with the DeFi community
  • Continue open sourcing our Hyperdrive codebase(s)
  • Propose a public testnet Hyperdrive implementation to the Element DAO
  • Showcase the Hyperdrive Docs Portal
  • Release the Hyperdrive Whitepaper
  • Release Hyperdrive Security Roadmap Update #2 (follow-up Spearbit Hyperdrive audit and bug bounty program)

Join us on the Road to Launch Hyperdrive

The upcoming weeks will be full of important announcements! Join the conversation in Discord and Farcaster to learn more, provide feedback, review our code, or just hang out. We want to hear from you!

Stay tuned for more updates and join us as a user, integrator, builder, partner, or supporter as we gear up for testnet launch!

Sincerely,

The DELV Team