[Ethereum] SushiSwap - Security Rating 3

Security Rating Level: 2
Evaluation Date: Mar 31st, 2021

1. History & Team (Weight 20%; Score 25)

1.1 Project age (8%; 50)
Launched on mainnet in 2020 September; live for 7 months.
1.2 Past exploits (8%; 0)
Attacked twice
1.3 Team anonymity (2%; 30)
The team is anonymous
1.4 Team experience in programming (2%; 20)
Unknown

2. Exposure (Weight 25%; Score 76.4)

2.1 Historical TVL (17.5%; 72)
Average market share in the past 3Q: 8.1%, 6.2%, 6.0%
Data collected from SushiSwap
2.2 Industry segment (5%; 90)
SushiSwap is an exchange
2.3 Infrastructure (2.5%; 80)
No oracle needed for price feed

3. Audit (Weight 35%; Score 90)

Audit reports available at: GitHub - quantstamp/sushiswap-security-review and publications/PeckShield-Audit-Report-SushiSwap-v1.0.pdf at master · peckshield/publications · GitHub
3.1 Transparency and scope (14%; 100)
Full scope audit done, and report is public
3.2 Audit firm trust score (10.5%; 70)
Audited by PeckShield and Quantstamp, Tier 2 audit firm
3.3 Audit findings (10.5%; 80)
No critical issues found in audit
3.4 Other credits (up to additive 5.25%; 5)
Core smart contracts audited by multiple firms

4. Code quality (Weight 15%; Score 30)

Repository on GitHub: GitHub - sushiswap/sushiswap: Sushiswap smart contracts 🍣 📝
4.1 Documentation
Documentation is not clear
4.2 Test
Tests exist, but code coverage is not visible

5. Developer community (Weight 5%; Score 85.5)

5.1 Bug bounty program (3.5%; 90)
Exists. Reward up to $150,000
5.2 Issues raised on GitHub (1.5%; 75)
8 issues raised on the GitHub repository

The N-SCOSS for Compound is 64.375, level 2

SushiSwap is rated at security level 3, as re-evaluated on 2021 December 20th.

SushiSwap gained a higher score in pillar 1 by operating stably for another 9 months with no further attacks since the last evaluation. In addition, more active developer activity, indicated by increased bug bounty rewards and more issues under discussion, led to a score increase in pillar 5. Overall, these improvements resulted in an upgrade in security level.

Below are the details of the updated rating for SushiSwap, based on data up to 2021 December 20th.


Security Rating Level: 3
Evaluation Date: Dec 20th, 2021

1. History & Team (Weight 20%; Score 57)

1.1 Project age (8%; 80)
Launched on mainnet in 2020 September; live for 16 months.
1.2 Past exploits (8%; 50)
In the past 12 months, SushiSwap was attacked once in 2021 January (loss ~81 ETH)
1.3 Team anonymity (2%; 30)
The team is anonymous
1.4 Team experience in programming (2%; 20)
Unknown

2. Exposure (Weight 25%; Score 82)

2.1 Historical TVL (17.5%; 80)
Average market share in the past 4Q: 3.4%, 3.4%, 3.9%, 4.8%
Data collected from Sushiswap Protocol: TVL and stats - DefiLlama
2.2 Industry segment (5%; 90)
SushiSwap is an exchange
2.3 Infrastructure (2.5%; 80)
No oracle needed for price feed

3. Audit (Weight 35%; Score 90)

Audit reports available at: GitHub - quantstamp/sushiswap-security-review and publications/PeckShield-Audit-Report-SushiSwap-v1.0.pdf at master · peckshield/publications · GitHub
3.1 Transparency and scope (14%; 100)
Full scope audit done, and report is public
3.2 Audit firm trust score (10.5%; 70)
Audited by PeckShield and Quantstamp, Tier 2 audit firm
3.3 Audit findings (10.5%; 80)
No critical issues found in audit
3.4 Other credits (up to additive 5.25%; 5)
Core smart contracts audited by multiple firms

4. Code quality (Weight 15%; Score 30)

Repository on GitHub: GitHub - sushiswap/sushiswap: Sushiswap smart contracts 🍣 📝
4.1 Documentation
Documentation is not clear
4.2 Test
Tests exist, but code coverage is not visible

5. Developer community (Weight 5%; Score 97)

5.1 Bug bounty program (3.5%; 100)
Exists. Reward up to $1,250,000
5.2 Issues raised on GitHub (1.5%; 90)
39 issues raised on the GitHub repository
(Note that the issue count was computed differently from the last evaluation, changing from counting open issues only to counting open and closed issues. This adjustment better reflects all historical discussion in the GitHub repository and is hence a more precise measure of developer activity.)

The N-SCOSS for Compound is 72.75, level 3