Security

Philosophy

The safety of customer funds is our utmost priority.

We have invested in industry-leading security practices covering all aspects of our software development process and the infrastructure which runs our app.

Finally, we have sought review from independent advisors. We are having our smart contracts audited and our internal processes have been signed off by an external security consultant.

Please refer to each section below to learn more about our security.

Best Practices

Every team member follows these mandatory policies:

  • machine-generated complex passwords for all services, stored in a secure password manager;

  • access to the password manager and to all cloud-based services is protected by two-factor authentication; this includes project and team social media accounts;

  • secrets are never stored in version control or otherwise shared insecurely;

  • no code changes are pushed to production without passing an internal code review;

  • we automate testing and deployment upon merging code, and merges to master are blocked by GitHub branch protection rules until code review is complete;

  • we reduce our exposure to phishing by limiting the use of email and blocking attachments.

We also conduct internal training to keep security concepts top-of-mind and share learnings from recent published security breaches.

Frontend Security

We use reputable cloud-based infrastructure providers and modern DevOps practices to secure our frontend, and tools such as Sentry for real-time monitoring and alerting.

Our defense-in-depth approach provides additional safeguards that limit the impact of any single security breach.

We have commissioned bespoke monitoring software to interrogate the configuration of our cloud infrastructure – including DNS records and the Content Delivery Network – to immediately alert us in the event of any unauthorized changes. This proactive security monitoring would allow us to take down our website if it were compromised, before users could be prompted to sign any fraudulent transactions in their wallet.
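The drift check described above, as an added example that is not D-Squared's monitoring software: a committed baseline of the record sets the frontend's DNS should carry is resolved on a schedule and any value that appears or disappears is reported. Record sets are compared as sets, so reordered answers and TTL churn stay quiet while an added A record or a CNAME pointed at a different CDN distribution raises an alert. The hostnames, addresses, CDN names and the two simulated resolvers are constructed for illustration; the optional live resolver assumes the dnspython library.

```python
"""Configuration-drift check for public DNS and CDN records.

Added example, not D-Squared's monitoring software. The hostnames, record
values and the simulated resolvers below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

# A record set is identified by (owner name, record type) and compared as a set
# of rdata strings: ordering changes and TTL churn do not alert, any added or
# removed value does.
RecordKey = Tuple[str, str]
RecordSet = FrozenSet[str]
Resolver = Callable[[str, str], RecordSet]


@dataclass
class Finding:
    name: str
    rtype: str
    added: FrozenSet[str]
    removed: FrozenSet[str]

    def __str__(self) -> str:
        parts = []
        if self.added:
            parts.append("unexpected " + ", ".join(sorted(self.added)))
        if self.removed:
            parts.append("missing " + ", ".join(sorted(self.removed)))
        return f"{self.name} {self.rtype}: " + "; ".join(parts)


def diff_records(baseline: Dict[RecordKey, RecordSet], resolve: Resolver) -> List[Finding]:
    """Resolve every baselined record set and report values that differ.

    Extra values matter as much as lost ones: an attacker who adds a second
    A record, or swaps the CNAME to a CDN distribution they control, serves
    their own frontend to a share of users while the legitimate one keeps
    answering.
    """
    findings: List[Finding] = []
    for (name, rtype), expected in sorted(baseline.items()):
        observed = resolve(name, rtype)
        added = observed - expected
        removed = expected - observed
        if added or removed:
            findings.append(Finding(name, rtype, frozenset(added), frozenset(removed)))
    return findings


# Constructed baseline of what the frontend's DNS should look like. In practice
# this lives next to the infrastructure code and changes only through review.
BASELINE: Dict[RecordKey, RecordSet] = {
    ("app.example.com", "CNAME"): frozenset({"d111111abcdef8.cloudfront.net."}),
    ("example.com", "A"): frozenset({"198.51.100.10", "198.51.100.11"}),
    ("example.com", "MX"): frozenset({"10 mail.example.com."}),
    ("example.com", "TXT"): frozenset({'"v=spf1 include:_spf.example.net -all"'}),
}


def healthy_resolver(name: str, rtype: str) -> RecordSet:
    """Constructed resolver that returns exactly the baseline (no drift)."""
    return BASELINE.get((name, rtype), frozenset())


def hijacked_resolver(name: str, rtype: str) -> RecordSet:
    """Constructed resolver simulating a DNS-provider or registrar compromise:
    the app CNAME now points at an attacker-controlled distribution and a rogue
    A record sits next to the legitimate ones."""
    tampered = {
        ("app.example.com", "CNAME"): frozenset({"d222222evilxyz.cloudfront.net."}),
        ("example.com", "A"): frozenset({"198.51.100.10", "198.51.100.11", "203.0.113.66"}),
    }
    return tampered.get((name, rtype), BASELINE.get((name, rtype), frozenset()))


def live_resolver(name: str, rtype: str) -> RecordSet:
    """Resolver backed by dnspython (assumed optional dependency); pass this to
    diff_records when running the check for real."""
    import dns.resolver  # pip install dnspython
    try:
        answer = dns.resolver.resolve(name, rtype)
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
        return frozenset()
    return frozenset(rdata.to_text() for rdata in answer)


if __name__ == "__main__":
    for label, resolver in (("healthy", healthy_resolver), ("hijacked", hijacked_resolver)):
        findings = diff_records(BASELINE, resolver)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  ALERT", finding)
```

The check should query authoritative servers or several independent recursive resolvers rather than one cache, and the baseline should cover the apex, the app hostname, MX and the SPF/DMARC TXT records, since mail records are a common target when the goal is to phish the team rather than its users.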

We mitigate the risk of software supply-chain attacks by pinning our dependencies to exact versions, subscribing to threat intelligence services, and making careful case-by-case decisions about when to update libraries.
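What "pinned" has to mean for a JavaScript frontend, as an added example that is not D-Squared's tooling: a manifest entry is only a pin if it names one exact version, so caret and tilde ranges, wildcards, dist-tags such as `latest`, and git or URL sources all let a fresh install pull code that was never reviewed. The companion check walks a lockfile (lockfileVersion 2 or 3 `packages` map) for entries without an `integrity` hash, since without one the installer accepts whatever bytes the registry returns for that version. The package.json and package-lock.json contents, including the placeholder digest, are constructed for illustration.

```python
"""Checks that a JavaScript frontend's dependencies are exactly pinned and
that its lockfile carries integrity hashes.

Added example, not D-Squared's tooling. The manifest and lockfile contents
below are constructed for illustration; the integrity value is a placeholder.
"""
import json
import re
from typing import Dict, List

# An exact pin is a bare semver version, optionally with prerelease/build
# metadata. Anything else resolves to "whatever is newest at install time".
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")

DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")


def unpinned_dependencies(package_json: dict) -> Dict[str, str]:
    """Return {name: specifier} for every dependency that is not an exact version."""
    bad: Dict[str, str] = {}
    for section in DEP_SECTIONS:
        for name, spec in package_json.get(section, {}).items():
            if not EXACT_VERSION.match(spec.strip()):
                bad[name] = spec
    return bad


def packages_missing_integrity(lockfile: dict) -> List[str]:
    """Return lockfile package paths that are fetched from a registry but carry
    no integrity hash. The root entry ("") describes the project itself, workspace
    links are symlinks and bundled packages ship inside another tarball, so those
    three kinds are legitimately hash-less and are skipped."""
    missing: List[str] = []
    for path, entry in lockfile.get("packages", {}).items():
        if path == "" or entry.get("link") or entry.get("inBundle"):
            continue
        if "integrity" not in entry:
            missing.append(path)
    return missing


def audit(package_json: dict, lockfile: dict) -> List[str]:
    """Human-readable findings; empty means the manifest and lockfile pass."""
    report = [f"unpinned {name}: {spec}" for name, spec in unpinned_dependencies(package_json).items()]
    report += [f"no integrity hash: {path}" for path in packages_missing_integrity(lockfile)]
    return report


# Constructed manifest: one exact pin per section, the rest are the common
# ways a dependency ends up floating.
PACKAGE_JSON = json.loads("""
{
  "name": "frontend",
  "dependencies": {
    "react": "18.2.0",
    "ethers": "^5.7.2",
    "left-pad": "*",
    "wagmi": "latest",
    "some-lib": "git+https://github.com/example/some-lib.git"
  },
  "devDependencies": {
    "typescript": "~5.0.4",
    "vite": "4.3.9"
  }
}
""")

# Constructed lockfile excerpt: one entry with a (placeholder) hash, one without.
LOCKFILE = json.loads("""
{
  "name": "frontend",
  "lockfileVersion": 3,
  "packages": {
    "": { "name": "frontend", "dependencies": { "react": "18.2.0", "vite": "4.3.9" } },
    "node_modules/react": {
      "version": "18.2.0",
      "resolved": "https://registry.npmjs.org/react/-/react-18.2.0.tgz",
      "integrity": "sha512-CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-DIGEST"
    },
    "node_modules/vite": {
      "version": "4.3.9",
      "resolved": "https://registry.npmjs.org/vite/-/vite-4.3.9.tgz"
    }
  }
}
""")


if __name__ == "__main__":
    for line in audit(PACKAGE_JSON, LOCKFILE):
        print("FAIL", line)
```

Running this in CI next to the code-review gate turns the pinning policy into a check that fails the build; installing with `npm ci`, which refuses to proceed when package.json and the lockfile disagree, closes the remaining gap between what was reviewed and what gets deployed.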

Smart Contract Security

We will not receive user funds until:

  • our smart contracts have been audited by a reputable firm;

  • we have reviewed the audit results and implemented any recommended changes;

  • we have published the audit in our documentation.

Composability

We interoperate with other DeFi protocols, for example GMX and Dopex. While we believe we have chosen reputable, battle-tested protocols to integrate with, these beliefs are based on public representations made by those protocols. We have not verified the accuracy of any of these claims and we are not responsible in any way for the security of third party products.

Users should be aware of the risk that a software bug in third party protocols, including blockchains and layer 2 solutions, could result in financial loss. We make no representations as to the security of third party software. We will not be liable for any loss arising from the use of third party software.

We encourage users to do their own due diligence, for example by reading security audits of the blockchains, layer 2 solutions, and third party protocols that the user will be interacting with.

Internal Security Audit

Prior to launch, our two in-house security experts created a program of internal checks and affirmations to ensure all team members were following security procedures. This included:

  • inventory and ownership of all protocol secrets;

  • secure master passwords and 2FA for all accounts (e.g. mail, social media, GitHub);

  • smart contract access;

  • multisig wallet access;

  • ownership and access to keys;

  • secure transfer of secrets and sensitive information between team members.

It is important to D-Squared that we minimize vulnerabilities and that all team members are rigorous in following the procedures designed to protect the protocol and user funds.
