DeFi Saver and security

All of the actions performed using DeFi Saver are done in a trustless manner using logic stored in DeFi Saver’s smart contracts.

The source code of DeFi Saver smart contracts is publicly available in our GitHub repository and you can find additional information on our smart contracts architecture in our developer docs.

Audits

DeFi Saver Automation was audited in February 2021 by Dedaub and you can find our brief summary post here.

Smart contracts powering the new DeFi Saver architecture and the Recipe Creator have been audited by ConsenSys Diligence and Dedaub. You can find more info in one of our blog posts, as well as both of the reports here.

We want to highlight the importance of external audits and note that all feature releases and integrations will be audited before they are deployed in production.

Insurance

We are looking into adding options for utilising DeFi insurance protocols directly within the app in the future and will share any details on this as soon as this functionality is ready.

Historical security issues

As of now, there have been two security incidents at DeFi Saver:

  1. Exchange vulnerability discovered in June 2020, affecting users of our separate Exchange from early 2020 until that point. No funds were lost or stolen. No other parts of the app were affected. More info can be found here.

  2. Compound import (migrate) contract vulnerability discovered in January 2021, affecting users that specifically used the import (migrate) option for their Compound position. No funds were lost or stolen. No other parts of the app were affected. More info can be found here.

How to stay safe using DeFi Saver?

We can never emphasize enough the importance of staying safe when using decentralized finance protocols and apps. Besides the always present smart contract risk, there are several additional factors that one should consider and pay attention to in order to stay safe from scam attempts in the form of phishing, cloaking, fraudulent search adverts, and others.

Here are several things you should always keep in mind when using DeFi Saver:

  • Always check the URL. One of the most frequent scams is tied to users using search engines to visit our website and application. Scammers love to abuse search engines to direct users to “copies” and fake versions of our website. Always make sure that the URL you are visiting to interact with our app is defisaver.com or app.defisaver.com. The easiest way to mitigate the risk of opening a fraudulent, fake site is to bookmark the URL and always open DeFi Saver through the bookmark.

  • Beware of search engine ads. While we may promote DeFi Saver using search engine ads in the future, this is currently not the case. Search ads are unfortunately often the way that scammers will try to get users to a fake site, where they will try to drive users into giving away their private key or secret words (seed phrase). This is most often done using URLs that resemble defisaver.com. For example, there have recently been deflsaver.com and defsaver.com. If you ever notice anyone impersonating our app, please report this to us via Twitter, Discord, or the in-app chat widget.
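The URL check from the two items above can also be automated, for example in a link-checking script or a helpdesk tool. The following is an added example, not DeFi Saver's own code: the function names, the edit-distance threshold of 2 and the `defisaver.example` test host are assumptions made for illustration.

```javascript
// Added example: classify a URL against the two official hosts named above.
const OFFICIAL_HOSTS = new Set(["defisaver.com", "app.defisaver.com"]);
const BRAND = "defisaver";
const MAX_DISTANCE = 2; // assumed threshold for "resembles the brand"

// Levenshtein edit distance, computed with a single rolling row.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diagonal = row[0]; // value for (i-1, j-1)
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // value for (i-1, j)
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diagonal + cost);
      diagonal = above;
    }
  }
  return row[b.length];
}

// Returns "official", "unlisted", "lookalike", "unrelated" or "invalid".
function classifyUrl(input) {
  let host;
  try {
    // Parse first: only the hostname decides, never the path or query text.
    host = new URL(input).hostname.toLowerCase().replace(/\.$/, "");
  } catch {
    return "invalid";
  }
  if (OFFICIAL_HOSTS.has(host)) return "official";
  // On the real domain, but not one of the two hosts the page lists.
  if (host.endsWith(".defisaver.com")) return "unlisted";
  for (const label of host.split(".")) {
    // A label that contains the brand, or is a near-miss spelling of it,
    // on any other domain is treated as an impersonation attempt.
    if (label.includes(BRAND) || editDistance(label, BRAND) <= MAX_DISTANCE) {
      return "lookalike";
    }
  }
  return "unrelated";
}
```

Look-alikes built from non-Latin characters (internationalized domain names) are not covered by this check, so the bookmark advice above still applies.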

To wrap up, we will never ask for:

  • Your private key

  • Your seed phrase

  • Your MetaMask or other web3 wallet passwords

However, your Ethereum public address is something you may share with anyone. Wallet addresses can be shared safely with anyone from whom you want to receive cryptocurrency of a certain type. No one can steal your digital assets by knowing only your wallet’s public address. We may ask you to provide it in case you require assistance from us regarding potential issues.
