[Ethereum] Maker - Security Rating 5

Security Rating Level: 5
Evaluation Date: Mar 31st, 2021

1. History & Team (Weight 20%; Score 92)

1.1 Project age (8%; 100)
Launched on mainnet in December 2017; live for 40 months.
1.2 Past exploits (8%; 100)
Has never been attacked.
1.3 Team anonymity (2%; 100)
Team is public.
1.4 Team experience in programming (2%; 20)
Unknown

2. Exposure (Weight 25%; Score 96)

2.1 Historical TVL (17.5%; 100)
Average market share in the past 4Q: 16.6%, 17.8%, 19.5%, 26.4%
Data collected from DeFi Pulse (Maker | Stats, Charts and Guide).
2.2 Industry segment (5%; 85)
Maker is a lending protocol (no flash loans allowed).
2.3 Infrastructure (2.5%; 90)
An oracle is needed for the price feed; multiple centralised oracles are used.

3. Audit (Weight 35%; Score 100)

Audit reports available in the makerdao/mcd-security GitHub repository (Audit Reports directory, master branch).
3.1 Transparency and scope (14%; 100)
Full-scope audit done, and the report is public.
3.2 Audit firm trust score (10.5%; 70)
Audited by Trail of Bits and PeckShield, Tier 2 audit firms.
3.3 Audit findings (10.5%; 80)
No critical issues found in the audit.
3.4 Other credits (up to additive 5.25%; 15)
Core smart contracts audited by multiple firms; formal verification done; audit done before deployment.

4. Code quality (Weight 15%; Score 80)

Repository on GitHub: makerdao/dss (Dai Stablecoin System).
4.1 Documentation
Top-level documentation is detailed and clear. In-code comments explaining how the code connects to its intended functions are minimal.
4.2 Test
A full test suite exists, but code coverage is not visible.

5. Developer community (Weight 5%; Score 86)

5.1 Bug bounty program (3.5%; 80)
Exists. Reward up to $100,000.
5.2 Issues raised on Github (1.5%; 100)
50 issues raised on the GitHub repository.

The N-SCOSS for Compound is 93.7, level 5

Maker keeps its security level at 5, as re-evaluated on December 20th, 2021.

One exploit happened after the last evaluation. According to the SlowMist hack zone, the hack in September was due to a loophole in the distribution system for SHO participants, which falls under our policy coverage. Therefore the score of pillar 1 dropped by 12. Another area to note is the decreased developer activity, indicated by the number of issues raised in the repository. But the overall impact is not significant enough to bring Maker down to the next security level.

Below are the details of the updated rating for Maker, based on data up to December 20th, 2021.


Security Rating Level: 5
Evaluation Date: Dec 20th, 2021

1. History & Team (Weight 20%; Score 80)

1.1 Project age (8%; 100)
Launched on mainnet in December 2017; live for 49 months.
1.2 Past exploits (8%; 50)
In the past 12 months, Maker was hacked once, in September 2021 (loss ~4 million).
1.3 Team anonymity (2%; 100)
Team is public.
1.4 Team experience in programming (2%; 20)
Unknown

2. Exposure (Weight 25%; Score 96)

2.1 Historical TVL (17.5%; 100)
Average market share in the past 4Q: 11.5%, 11.2%, 11.8%, 12.6%
Data collected from DefiLlama (Makerdao Protocol: TVL and stats).
2.2 Industry segment (5%; 85)
Maker is a lending protocol (no flash loans allowed).
2.3 Infrastructure (2.5%; 90)
An oracle is needed for the price feed; multiple centralised oracles are used.

3. Audit (Weight 35%; Score 100)

Audit reports available in the makerdao/mcd-security GitHub repository (Audit Reports directory, master branch).
3.1 Transparency and scope (14%; 100)
Full-scope audit done, and the report is public.
3.2 Audit firm trust score (10.5%; 70)
Audited by Trail of Bits and PeckShield, Tier 2 audit firms.
3.3 Audit findings (10.5%; 80)
No critical issues found in the audit.
3.4 Other credits (up to additive 5.25%; 15)
Core smart contracts audited by multiple firms; formal verification done; audit done before deployment.

4. Code quality (Weight 15%; Score 80)

Repository on GitHub: makerdao/dss (Dai Stablecoin System).
4.1 Documentation
Top-level documentation is detailed and clear. In-code comments explaining how the code connects to its intended functions are minimal.
4.2 Test
A full test suite exists, but code coverage is not visible.

5. Developer community (Weight 5%; Score 77)

5.1 Bug bounty program (3.5%; 80)
Exists. Reward up to $100,000.
5.2 Issues raised on Github (1.5%; 70)
9 issues raised on the GitHub repository.

The N-SCOSS for Compound is 90.85, level 5
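Both N-SCOSS totals on this page (93.7 in March 2021 and 90.85 in December 2021) follow from the pillar weights and sub-item scores listed above. The Python below is an added example, not the rating authors' tooling, that reproduces the two-level aggregation so a reader can re-run it when a sub-score changes. It assumes (labelled in the code) that a pillar score is the weighted mean of its sub-item scores, that "other credits" is an additive bonus on the audit pillar capped at 15 pillar points (5.25% of the total is 15% of the 35% audit weight), and that the overall score is the weight-averaged pillar score; the December pillar scores are taken as stated on the page.

```python
"""Reproduce the N-SCOSS aggregation used in the Maker rating above.

Added example, not the rating's own tooling. Assumptions (labelled):
  * a pillar score is the weighted mean of its sub-item scores, each
    sub-item weight being its share of the total rating;
  * "other credits" is an additive bonus on the audit pillar, capped at
    15 points (5.25% of the total is 15% of the 35% audit weight);
  * the overall score is the weight-averaged pillar score.
"""

# Pillar weights in percent, as stated on the page.
PILLAR_WEIGHTS = {
    "history_team": 20,
    "exposure": 25,
    "audit": 35,
    "code_quality": 15,
    "dev_community": 5,
}


def pillar_score(items, additive_credit=0.0, credit_cap=15.0):
    """Weighted mean of (weight, score) sub-items, plus a capped bonus.

    `items` is a list of (sub_weight_percent, sub_score). The result is
    clipped to 100 so a bonus can never push a pillar past full marks.
    """
    if not items:
        raise ValueError("a pillar needs at least one sub-item")
    total_weight = sum(w for w, _ in items)
    base = sum(w * s for w, s in items) / total_weight
    return min(100.0, base + min(additive_credit, credit_cap))


def nscoss(pillars):
    """Overall score from a {pillar_name: score} dict, rounded to 2 dp.

    Refuses to score if any pillar is missing or unknown, so a partial
    re-evaluation cannot silently inflate the total.
    """
    if set(pillars) != set(PILLAR_WEIGHTS):
        raise ValueError(
            f"expected pillars {sorted(PILLAR_WEIGHTS)}, got {sorted(pillars)}"
        )
    total = sum(PILLAR_WEIGHTS[name] * score for name, score in pillars.items())
    return round(total / sum(PILLAR_WEIGHTS.values()), 2)


# March 31st, 2021 evaluation: sub-item weights and scores copied from the page.
MAR_2021 = {
    "history_team": pillar_score([(8, 100), (8, 100), (2, 100), (2, 20)]),
    "exposure": pillar_score([(17.5, 100), (5, 85), (2.5, 90)]),
    "audit": pillar_score([(14, 100), (10.5, 70), (10.5, 80)], additive_credit=15),
    "code_quality": 80,  # sub-item weights are not given on the page
    "dev_community": pillar_score([(3.5, 80), (1.5, 100)]),
}

# December 20th, 2021 evaluation: pillar scores as stated on the page,
# with the developer-community pillar rebuilt from its sub-items.
DEC_2021 = {
    "history_team": 80,
    "exposure": 96,
    "audit": 100,
    "code_quality": 80,
    "dev_community": pillar_score([(3.5, 80), (1.5, 70)]),
}


if __name__ == "__main__":
    for label, data in (("Mar 2021", MAR_2021), ("Dec 2021", DEC_2021)):
        pillars = {name: round(score, 2) for name, score in data.items()}
        print(label, pillars, "N-SCOSS =", nscoss(data))
```

Running the module prints the March pillar scores (92, 96, 100, 80, 86) with N-SCOSS 93.7 and the December set with N-SCOSS 90.85, matching the page; the pillar-1 drop from 92 to 80 is the 12 points the re-evaluation note refers to. The strict pillar check in `nscoss` is deliberate: an aggregation that silently accepts a missing pillar would report a higher total for a protocol that was simply not assessed on that axis.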