Smart Contract Security

Smart contracts are subject to flaws, coding errors, unintended behavior, and inefficiencies. Once deployed in the blockchain, smart contracts are immutable (cannot change). At Saddle, we take the security of the smart contract seriously.

We conduct our own internal security audit of the smart contract code we’ve written. As a further check, to make sure Saddle’s code is proper and working as intended, we hire well reputed external agencies to audit our smart contract codes.

As for now, we have passed security auditing on all Saddle smart contracts, from the following auditors, with no issues.

Disclaimer: Security audits don’t eliminate all risks. Using Saddle as an exchange for a user should be significantly less risky, but please bear in mind there are still risks. Refer to the risks section for more details.

Certik Audit Report

Founded in 2018 by professors at Yale University and Columbia University, CertiK is a pioneer in blockchain security, using best-in-class AI technology to secure and monitor blockchain protocols and smart contracts. CertiK’s mission is to secure the cyber world. Starting with blockchain, CertiK applies innovations from academia into enterprise, enabling mission-critical applications to be built with security and correctness.

CERTIX AUDIT REPORT FOR SADDLE PROTOCOL - 29 OCT 2020

Quantstamp Audit Report

Quantstamp is the leader in blockchain security, having performed over 200 audits and secured over $100 billion in value. Their top team of PhDs and security professionals have a combined total of over 1,000 Google Scholar citations. They have audited many blockchain systems, including Ethereum 2.0, Binance Smart Chain, Flow, Cardano, and Avalanche and have secured successful innovative applications such as Maker, Compound, and NBA Top Shot.

QUANTSTAMP AUDIT REPORT FOR SADDLE PROTOCOL - 10 DEC 2020

QUANTSTAMP AUDIT REPORT FOR SADDLE VIRTUAL SWAP – 31 MAR 2021

OpenZeppelin Audit Report

Founded in 2015, OpenZeppelin has set industry standards for building secure distributed systems. OpenZeppelin builds developer tools and performs security audits for distributed systems that power multimillion-dollar economies. OpenZeppelin verifies the distributed systems work as intended by performing an audit. Their engineers fully review the system's architecture and codebase and then write a thorough report that includes actionable feedback for every issue found.

OPENZEPPLIN AUDIT REPORT FOR SADDLE PROTOCOL - 11 DEC 2020

SADDLE ADMIN KEYS SECURITY

A Gnosis Safe multisig secures Saddle’s admin keys. Gnosis is a trusted platform to manage digital assets in Ethereum. Gnosis Safe is a smart contract wallet running on Ethereum, which requires a minimum number of people to approve a transaction before it can occur (M-of-N). This assures that no single person could compromise the funds.

A 3/8 Gnosis Safe multisig secures Saddle's admin keys. The signers are Mariano Conti, Sam Kazemian, DegenSpartan, Klim K, Damir Bandalo, Aurelius, Scoopy Trooples, and Weston Nelson.

Note: The multisig has the capability to pause new deposits and trades in case of technical emergency. Users will always be able to withdraw their funds regardless of new deposits being paused. The multisig can also change the swap/withdrawal fees and the per pool/account deposit limits.

BUG BOUNTY PROGRAM

We encourage the community to help us find bugs or vulnerabilities in the protocol, and offer a bounty to those who do so with good intention. With the passing of SIP-29, the bounty is to be calculated as the lower value of 10% of the total possible exploit, or 5MM SDL. The bounty will be delivered immediately as liquid SDL.

Note: This bounty does not cover any front-end/visual bugs, or any server-side code of any web application that interacts with Saddle. The Saddle Bug Bounty is applicable only to vulnerable smart contract code: defined as contracts deployed by Saddle, on any chain, that manage the value of Saddle’s treasury assets and/or user deposited assets. This bounty is a "no questions asked" policy for disclosures and/or immediate return of funds after any incident.

Reporting Process

Please report any bugs and issues for the Saddle protocol through the Immunefi Saddle bug bounty program. Reports through any other channels will not be considered.

Immunefi Terms & Conditions

These Terms and Conditions cover your participation in the Immunefi Bug Bounty Program. By submitting any vulnerabilities to Saddle Finance or otherwise participating in the Program in any manner, you accept these Terms.