/security

Materials related to security: docs, checklists, processes, etc.


Repo for public materials related to OUSD security.

Table of Contents

  1. DeFi incident reports
  2. Security materials
  3. Checklists
  4. Tools
  5. External audits

DeFi incident reports

Security materials

Checklists

Tools

Testing

Slither

Slither is a static analysis tool for Solidity contracts.

How to run it

pip3 install slither-analyzer
cd origin-dollar/contracts
yarn install
yarn run slither

Updating Slither DB

yarn run slither --triage

Running this command opens an interactive console where you can select the errors and warnings that you want excluded. Once done, commit and push the updated Slither DB file. Note: make sure you are running the latest version of Slither locally.

Echidna

Echidna is a test fuzzer for Solidity contracts.

The Echidna tests for the OUSD contracts are under contracts/contract/crytic.

How to run it

On macOS and Linux, download the latest pre-compiled binaries from here. Untar the files into a directory and add the directory containing the extracted echidna-test binary to your shell's PATH.

To run the tests:

cd origin-dollar/contracts
yarn run echidna

Note that the tests take about 30 minutes to run.

Transaction viewers

Bytecode decompilers

4byte signature databases

External audits

See this directory

Bug bounty program