[Ethereum] Bancor v2.1 - Security Rating 4

Security Rating Level: 4
Evaluation Date: Mar 31st, 2021

1. History & Team (Weight 20%; Score 80)

1.1 Project age (8%; 100)
Launched on mainnet in 2017 Aug; alive for 44 months.
1.2 Past exploits (8%; 50)
Was attacked once
1.3 Team anonymity (2%; 100)
Team are public
1.4 Team experience in programming (2%; 100)
CTO, Yudi Levi, started software programming in 2011

2. Exposure (Weight 25%; Score 66.5)

2.1 Historical TVL (17.5%; 60)
Average market share in the past 4Q: 1.6%, 0.9%, 0.8%, 0.9%
Data collected from Bancor | Stats, Charts and Guide | DeFi Pulse
2.2 Industry segment (5%; 90)
Bancor is an exchange
2.3 Infrastructure (2.5%; 65)
Oracle is needed for price feed (Chainlink), a decentralised single oracle

3. Audit (Weight 35%; Score 87)

Audit report available on: Security - Bancor Network
3.1 Transparency and scope (14%; 100)
Full scope audit done, and report is public
3.2 Audit firm trust score (10.5%; 100)
Audited by PeckShield, Certik, Halborn and Consensys Diligence, Tier 1 audit firms
3.3 Audit findings (10.5%; 40)
Critical issues were found in audit
3.4 Other credits (up to additive 5.25%; 5)
Core smart contracts audited by multiple firms

4. Code quality (Weight 15%; Score 90)

Repository on github: GitHub - bancorprotocol/contracts-solidity: Bancor Protocol Contracts
4.1 Documentation
Excellent top-level documents with sufficient comments explaining the code
4.2 Test
Full test suite exists, but code coverage not visible

5. Developer community (Weight 5%; Score 69)

5.1 Bug bounty program (3.5%; 60)
Exists. Reward up to $45,000
5.2 Issues raised on Github (1.5%; 90)
17 issues raised on github repository

The N-SCOSS for Compound is 80.025, level 4

Bancor v2.1 retained its security level of 4, as re-evaluated on 2021 December 20th.

No hack happened after the last evaluation. As a result, the number of hacks in the past 12 months moved from 1 to 0, raising the score for pillar 1. The pillar 5 score also improved as the bug bounty award rose from 45k to 100k.

Please note that the evaluation was conducted on Bancor v2.1, the latest version. In the last evaluation, there was a mistake in the launch date, and it has been corrected this time.

Overall, Bancor v2.1 proved its stability and security in the past 9 months.

Below are the details of the updated rating for Bancor v2.1, based on data up to 2021 December 20th.


Security Rating Level: 4
Evaluation Date: Dec 20th, 2021

1. History & Team (Weight 20%; Score 92)

1.1 Project age (8%; 80)
Launched on mainnet in 2020 October; alive for 15 months.
(Note that in the first post I mistakenly took the launch month as 2017 August, which was the Bancor v1 launch month. This error made the final score 4 points higher than it should have been, but this would be compensated by the understated score in 1.2 past exploits, as Bancor v2.1 has not been hacked since launch. Therefore, the rating would still be at level 4 if the correct project age and past exploits were adopted.)
1.2 Past exploits (8%; 100)
In the past 12 months, Bancor v2.1 was never attacked
1.3 Team anonymity (2%; 100)
Team are public
1.4 Team experience in programming (2%; 100)
CTO, Yudi Levi, started software programming in 2011

2. Exposure (Weight 25%; Score 66.5)

2.1 Historical TVL (17.5%; 60)
Average market share in the past 4Q: 1.0%, 1.2%, 1.5%, 1.5%
Data collected from Bancor Protocol: TVL and stats - DefiLlama
2.2 Industry segment (5%; 90)
Bancor is an exchange
2.3 Infrastructure (2.5%; 65)
Oracle is needed for price feed (Chainlink), a decentralised single oracle

3. Audit (Weight 35%; Score 87)

Audit report available on: Security - Bancor Network
3.1 Transparency and scope (14%; 100)
Full scope audit done, and report is public
3.2 Audit firm trust score (10.5%; 100)
Audited by PeckShield, Certik, Halborn and Consensys Diligence, Tier 1 audit firms
3.3 Audit findings (10.5%; 40)
Critical issues were found in audit
3.4 Other credits (up to additive 5.25%; 5)
Core smart contracts audited by multiple firms

4. Code quality (Weight 15%; Score 90)

Repository on github: GitHub - bancorprotocol/contracts-solidity: Bancor Protocol Contracts
4.1 Documentation
Excellent top-level documents with sufficient comments explaining the code
4.2 Test
Full test suite exists, but code coverage not visible

5. Developer community (Weight 5%; Score 86)

5.1 Bug bounty program (3.5%; 80)
Exists. Reward up to $100,000
5.2 Issues raised on Github (1.5%; 100)
58 issues raised on github repository
(Note that the issue count was made differently from the last evaluation, changing from counting open issues only to open+closed issues. This adjustment is to better reflect all historical discussion in the GitHub repository and hence give a more precise measure of developer activity.)

The N-SCOSS for Compound is 83.275, level 4