[Ethereum] 1inch - Security Rating 3

Security Rating Level: 3
Evaluation Date: Mar 31st, 2021

1. History & Team (Weight 20%; Score 80)

1.1 Project age (8%; 50)
Launched on mainnet in November 2020; live for 8 months.
1.2 Past exploits (8%; 100)
Was never attacked
1.3 Team anonymity (2%; 100)
Team is public
1.4 Team experience in programming (2%; 100)
CTO Anton Bukov started software programming in 2011

2. Exposure (Weight 25%; Score 55.4)

2.1 Historical TVL (17.5%; 47)
Average market share in the past 2Q: 3.1%, 2.8%
Data collected from 1inch Liquidity Protocol | Stats, Charts and Guide | DeFi Pulse
2.2 Industry segment (5%; 80)
1inch is an exchange aggregator
2.3 Infrastructure (2.5%; 65)
Chainlink is used for the price feed: a single decentralized oracle

3. Audit (Weight 35%; Score 99)

Audit report available on: GitHub - 1inch/1inch-audits
3.1 Transparency and scope (14%; 100)
Full-scope audit done, and the report is public
3.2 Audit firm trust score (10.5%; 100)
Audited by OpenZeppelin, Certik, Chainsulting, Coinfabrik, Hacken, Haechi, MixBytes, Scott Bigelow, Slowmist. Tier 1 audit firm
3.3 Audit findings (10.5%; 80)
No critical issues found in audit
3.4 Other credits (up to additive 5.25%; 5)
Core smart contracts audited by multiple firms

4. Code quality (Weight 15%; Score 40)

Repository on GitHub: GitHub - 1inch/liquidity-protocol
4.1 Documentation
No top level documentation exists but not in full details. Minimal comments.
4.2 Test
Insufficient test suites.

5. Developer community (Weight 5%; Score 30)

5.1 Bug bounty program (3.5%; 0)
Does not exist
5.2 Issues raised on GitHub (1.5%; 100)
31 issues raised on the GitHub repository

The N-SCOSS for Compound is 72, level 3

1inch remained at security level 3 when re-evaluated on December 20th, 2021.

Though 1inch stayed at the same security level, its N-SCOSS improved significantly, by 8 from the last evaluation, mainly due to its enhanced test results and developer activity. Last time the test suite was incomplete and code coverage could not be found, while now it is clearly indicated in the coverage report. Furthermore, a bug bounty program was established with a reward of 200k.

Note that the market share dropped significantly, from ~3% to less than 0.1%. We will monitor this closely.

Below are the details of the updated rating for 1inch, based on data up to December 20th, 2021.


Security Rating Level: 3
Evaluation Date: Dec 20th, 2021

1. History & Team (Weight 20%; Score 92)

1.1 Project age (8%; 80)
Launched on mainnet in November 2020; live for 14 months.
1.2 Past exploits (8%; 100)
In the past 12 months, 1inch was not attacked
1.3 Team anonymity (2%; 100)
Team is public
1.4 Team experience in programming (2%; 100)
CTO Anton Bukov started software programming in 2011

2. Exposure (Weight 25%; Score 52.6)

2.1 Historical TVL (17.5%; 43)
Average market share in the past 4Q: less than 0.1%, less than 0.1%, 0.1%, 0.5%
Data collected from 1inch-network Protocol: TVL and stats - DefiLlama
2.2 Industry segment (5%; 80)
1inch is an exchange aggregator
2.3 Infrastructure (2.5%; 65)
Chainlink is used for the price feed: a single decentralized oracle

3. Audit (Weight 35%; Score 99)

Audit report available on: GitHub - 1inch/1inch-audits
3.1 Transparency and scope (14%; 100)
Full-scope audit done, and the report is public
3.2 Audit firm trust score (10.5%; 100)
Audited by ABDK, Chainsulting, Coinfabrik, IgorGulamov, Mixbytes, Pessimistic, Consensys Diligence, OpenZeppelin. Tier 1 audit firm
3.3 Audit findings (10.5%; 80)
No critical issues found in audit
3.4 Other credits (up to additive 5.25%; 5)
Core smart contracts audited by multiple firms

4. Code quality (Weight 15%; Score 65)

Repository on GitHub: GitHub - 1inch/liquidity-protocol
4.1 Documentation
Top-level documentation exists, but not in full detail. Minimal comments.
4.2 Test
Full test suites exist, with code coverage of 77%.

5. Developer community (Weight 5%; Score 78)

5.1 Bug bounty program (3.5%; 90)
Exists. Reward up to $200,000.
5.2 Issues raised on GitHub (1.5%; 50)
2 issues raised on the GitHub repository
(Note that the way issues are counted differs from the last evaluation, changing from counting open issues only to open+closed issues. This adjustment better reflects all historical discussion in the GitHub repository and is hence a more precise measure of developer activity.)

The N-SCOSS for Compound is 79.85, level 3