By: John Lim (Software Engineer) and David Hamme (Frontend Lead)
You may have seen Saddle in the news more than usual this month, and the reason is: we messed up. Some hacks move the entire ecosystem forward by helping us learn about zero-day vulnerabilities and mutually strengthen our codebases.
So, what has Saddle done since responding to the exploit? And what are we doing next to heighten security at Saddle going forward?
Affected metapools have been migrated to new pools
Three metapools in total were affected by the vulnerability (sUSD Meta V2, tBTC Meta V2, and wCUSD Meta V2). These pools are now labeled as outdated and will be paused indefinitely.
In order to resume pool operations, securely, we have now migrated these three metapools to three new pools which patch the vulnerability, as noted below:
- sUSD Meta V2 → Migrated to sUSD-USDv2_v3
- tBTC Meta V2 → Migrated to tBTCv2-BTCv2_v3
- wCUSD Meta V2 → Migrated to wcUSD-USDv2_v3
These pools are now live, with incentives, on saddle.exchange.
How to move your funds into the new pools
If you LP’ed into one of the three pools that was affected with the vulnerability, and you want to keep your funds in a pool that's earning incentives, you need to take action to move your funds into the new, migrated version of that pool.
The migration is not an automatic process – each user who LP’ed will need to manually move their funds into the new pool.
Fortunately, this will be easy – we’ve set it up to be a one-click migration.
If a user has LP Tokens in a pool, in the Pools page, the user will see a “Migrate” button on the pool. Clicking that button will create a contract interaction which withdraws that user's LP from the old pool, and moves it to the new pool.
Note that if you have staked your LP tokens in the minichef to earn SDL rewards, you will first need to unstake before you may migrate – and any pending SDL rewards will be automatically claimed when you unstake.
Security upgrades at Saddle
What has Saddle done to secure our pools?
We've done security audits before via CertiK, Quantstamp, and OpenZeppelin, and have scored highly on DeFi Safety. Different external security audits cover different aspects of the underlying smart contracts and code – and also have varying coverage and quality across those areas – so we invest in multiple audits to cover all the bases.
After the recent hack, we're investing even more deeply in security. We're currently in the process of soliciting auditors for a follow-up formal audit for the metapool contracts. We're working with Certora to conduct formal verification of all smart contracts. Progress updates on both of these initiatives will be shared out to the community in our Discord.
Saddle is also making improvements internally. Specifically,
- we’re revamping our existing deploy process;
- we’re following process checklists more consistently; and,
- we’re conducting contract deployments with two or more engineers present to increase oversight and knowledge sharing.
We also created pull request templates for contract and frontend repositories. These include:
- Checklists for authors and reviewers to complete to ensure best practices are being followed;
- Manual address verification for external/new contracts;
- Post-deploy library verification to ensure no deprecated contracts are being used in deployments; and
- Post-deploy automated tests against forked Mainnet.
Scripts have been written to make this verification process as simple as possible. Other effective practices we’re implementing include:
- Increased automated monitoring, including using Open Zeppelin Defender to monitor the virtual price and connect to alerting tools;
- Investigating homegrown monitoring solutions to support more use cases and chains;
- Enforcing best practices for contract naming and semantic versioning;
- Adding contract and token addresses to Saddle’s UI (link); and
- Fixing Slither tests (link).
With these steps in place, we are confident that Saddle is as secure as peer DeFi protocols – and getting more secure.
Incentives are live on migrated metapools
Incentives are live on the migrated pools as of today. So, head on over to the Saddle dApp at saddle.exchange to LP and join the migration to the new pools.