[Ethereum] RenVM - Security Rating 3

Security Rating Level: 3
Evaluation Date: Mar 31st, 2021

1. History & Team (Weight 20%; Score 87)

1.1 Project age (8%; 80)
Launched on mainnet in May 2020; live for 11 months.
1.2 Past exploits (8%; 100)
Never attacked
1.3 Team anonymity (2%; 100)
Team is public
1.4 Team experience in programming (2%; 50)
The CTO, Loong Wang, has been doing software engineering since 2015

2. Exposure (Weight 25%; Score 64.5)

2.1 Historical TVL (17.5%; 60)
Average market share in the past 4Q: 2.0%, 2.3%, 1.9%, 1.7%
Data collected from RenVM | Stats, Charts and Guide | DeFi Pulse
2.2 Industry segment (5%; 80)
RenVM is a network of virtual computers that power interoperability for DeFi, enabling cross-chain lending, exchanges, collateralization & more (category: other)
2.3 Infrastructure (2.5%; 65)
Uses Chainlink as the oracle for price feeds: a single decentralized oracle

3. Audit (Weight 35%; Score 87)

Audit report available on: Audits · renproject/ren Wiki · GitHub
3.1 Transparency and scope (14%; 100)
Full scope audit done. Report is public
3.2 Audit firm trust score (10.5%; 100)
Audited by ChainSecurity, Consensys Diligence and Trail of Bits, all Tier 1 audit firms
3.3 Audit findings (10.5%; 40)
Critical issues were found in the audits but were fixed by the team
3.4 Other credits (up to additive 5.25%; 5)
Core smart contracts audited by multiple firms

4. Code quality (Weight 15%; Score 60)

Repository on GitHub: GitHub - renproject/darknode-sol: An implementation of Darknode smart contracts, written in Solidity
4.1 Documentation
No top-level documentation explaining the design of the code. Minimal comments explaining how the code relates to its intended functions
4.2 Test
Full test suite and code coverage is 99%

5. Developer community (Weight 5%; Score 71)

5.1 Bug bounty program (3.5%; 80)
Exists. Reward up to $100,000
5.2 Issues raised on GitHub (1.5%; 50)
2 issues raised on the GitHub repository

The N-SCOSS for Compound is 76.525, level 3

RenVM remained at security level 3 when re-evaluated on December 20th, 2021.

Compared to the last evaluation, the only score that changed is Developer Activity, which improved by 20 because both the bug bounty reward and the number of issues under discussion increased. Note that market share dropped from ~2% to ~0.8%, but this had no impact on the score because both values fall in the same rating range.

Below are the details of the updated rating for RenVM, based on data up to December 20th, 2021.


Security Rating Level: 3
Evaluation Date: Dec 20th, 2021

1. History & Team (Weight 20%; Score 87)

1.1 Project age (8%; 80)
Launched on mainnet in May 2020; live for 20 months.
1.2 Past exploits (8%; 100)
In the past 12 months, RenVM was not attacked
1.3 Team anonymity (2%; 100)
Team is public
1.4 Team experience in programming (2%; 50)
The CTO, Loong Wang, has been doing software engineering since 2015

2. Exposure (Weight 25%; Score 64.5)

2.1 Historical TVL (17.5%; 60)
Average market share in the past 4Q: 0.8%, 0.7%, 0.8%, 1.0%
Data collected from Renvm Protocol: TVL and stats - DefiLlama
2.2 Industry segment (5%; 80)
RenVM is a network of virtual computers that power interoperability for DeFi, enabling cross-chain lending, exchanges, collateralization & more (category: other)
2.3 Infrastructure (2.5%; 65)
Uses Chainlink as the oracle for price feeds: a single decentralized oracle

3. Audit (Weight 35%; Score 87)

Audit report available on: Audits · renproject/ren Wiki · GitHub
3.1 Transparency and scope (14%; 100)
Full scope audit done. Report is public
3.2 Audit firm trust score (10.5%; 100)
Audited by ChainSecurity, Consensys Diligence and Trail of Bits, all Tier 1 audit firms
3.3 Audit findings (10.5%; 40)
Critical issues were found in the audits but were fixed by the team
3.4 Other credits (up to additive 5.25%; 5)
Core smart contracts audited by multiple firms

4. Code quality (Weight 15%; Score 60)

Repository on GitHub: GitHub - renproject/darknode-sol: An implementation of Darknode smart contracts, written in Solidity
4.1 Documentation
No top-level documentation explaining the design of the code. Minimal comments explaining how the code relates to its intended functions
4.2 Test
Full test suite and code coverage is 99%

5. Developer community (Weight 5%; Score 91)

5.1 Bug bounty program (3.5%; 100)
Exists. Reward up to $1,000,000
5.2 Issues raised on GitHub (1.5%; 70)
7 issues raised on the GitHub repository
(Note that the way issues are counted differs from the last evaluation: it changed from counting open issues only to counting open and closed issues. This adjustment better reflects all historical discussion in the GitHub repository and is therefore a more precise measure of developer activity.)

The N-SCOSS for Compound is 77.525, level 3