Security

Security overview of products, platform, substrate, bridges, and everything else produced or used by Parallel Finance. Click the links in the page to view our audits, Github, and learn more

At Parallel Finance we take security of our platform very seriously. With over 22% of the Polkadot Crowdloan DOT locked on our platform, we have heavily invested in ensuring our users’ funds are safe and that they have the peace of mind to achieve their goals through the Parallel Finance platform. The results speak for themselves.

Since inception, as of March 2021, Parallel Finance has grown to over 180,000 users on the Platform. There have been 0 successful attacks against our platform, protocol, or any other part of our ecosystem, including our bridges.

Below we detail the steps we have taken to ensure security. For further technical information, please click on the links within each section.

If you have any technical questions not covered here, please reach out to us on Discord where our community managers will provide you with the information you require.

Security Auditing

Our business logic is embedded in the Rust based smart contract that have been audited several times by top security auditors in the cryptocurrency industry. Below, we have outlined these auditors, the specific areas they have audited, number of times audited, and links to the reports.

Trail of Bits - Listed as the number one security auditor in the world, Trail of bits has been trusted by clients from Parity to DARPA to improve their security. Previous clients include Parity, Origin, Yearn and many others.

  • Substrate Parachain Audit - Between February 22 to March 11, 2022 Trail of Bits conducted a security audit of Parallel Finance’s Substrate Parachain. The team tested for flaws that could compromise confidentiality, integrity, or availability of the target system.

  • The audit did not uncover any significant flaws or defects.

  • Details can be found in the full report linked here (uploading soon).

Halborn - Trusted by major Projects in the cryptocurrency industry such as Polygon, Terra, Aave among others, Halborn is one of the most trusted blockchain and smart contract auditors in the industry.

  • Bridge Solidity Smart Contract Security Audit - Between January 24 to February 14th 2022, Halborn was contracted to identify potential security issues within the bridge solidity smart contracts.

  • Halborn identified a few security risks that have since been addressed by the Parallel Finance team.

  • Details can be found in the full report linked here (uploading soon).

  • Bridge Substrate Pallet - Between January 24 to February 14th 2022, Halborn was contracted to conduct a security audit on Parallel Finance’s Bridge Substrate Pallet.

  • Halborn identified a few security risks that have since been addressed by the Parallel Finance team.

  • Details can be found in the full report linked here (uploading soon).

  • DevOps CI/CD Audit - Between February 1 to February 3, 2022, Halborn was contracted to conduct a review of Parallel Finance’s security policies, procedures, controls, and practices.

  • Halborn identified security risks that have since been addressed by the Parallel Finance team.

  • Details can be found in the full report linked here (uploading soon).

Secfault - Specializing in a wide array of security services ranging from code reviews over penetration testing to security services for agile software development, Secfault was contracted by Parallel Finance to conduct 3 reports. Within these, they focused on testing our major products like crowdloan and are engaged with us at present to audit rest.

SlowMist - Renowned Blockchain security firm, Slowmist has worked with several large clients including: Huobi, Binance, OKEX, Crypto.com,1inch, PancakeSwap, TUSD, and many others.

Blockchain Audit - Between June 1 to June 18, 2021, Slowmist conducted a complete security audit on Parallel Finance’s blockchain. The scope included: DeFi Logical Security, Account and transaction model security, Encrypted signature security, and code static check.

  • SlowMist identified security risks that have since been addressed by the Parallel Finance team.

  • Details can be found in the full report linked report

Protocol Security

We inherit shared security from the greater Polkadot/Kusama ecosystem. Polkadot has a market cap >$17B which makes the cost of an attack extremely high. Our blockchain’s blocks are written into the Relay chain which lets us share this security.

We also inherit the security of Rust which provides many security promises with low level items such as memory and thread safety. As our runtime is compiled to WebAssembly (WASM), we also have strong (unbreakable) security around the machines running our blockchain code. Additionally, everything is sandboxed/partitioned to only allow resources access to their relevant areas of development. In other words, we have built-in security.

Substrate

Parallel Finance uses the blockchain framework to build our parachain. By virtue of building on the Polkadot Network, we have inherited the security of Substrate from parity. Which has been repeatedly battle-tested. To further reduce security risks, we use the substrate blockchain framework to build our parachain. To further reduce the risk, we use standard Substrate Pallets to build our protocol, for example Balances and Assets modules which are native to Polkadot. For more information, explore our Github here

Platform

We are working with top development operations engineers to follow all of the most recent best practices relating to secure compute, key management, key rotation among others. We leverage the great work completed by large cloud providers such as AWS and GCP.

Integration

We currently only integrate directly with the Polkadot ecosystem and will be using XMP/HRMP (built into the greater protocol) for communication with other Parachains. These communication methods have the same security as the overall system. For more information, explore our Github here

Oracle

Parallel Finance utilizes our own native in-house pricing oracle built with several safeguards such as Emergency pricing in case of an extreme event.

More information on our oracle can be found in this link

As can be seen in the image above, we feed price from various reputable sources including the following:

  • Binance

  • Bitfinex

  • Bittrex

  • Coinbase

  • Coincap

  • Kraken

Emergency Shutdown A highly creative innovation within Substrate and Polkadot Framework, is an Emergency Shutdown feature, a last resort in case of an unlikely extreme event such as a hack. Through the combination of incentivized governance, and Parallel Finance council, our parachain can be paused.

We monitor for unusual behavior to catch a hack as soon as it occurs as time of course is relevant. Polkadot and the Substrate Framework’s Emergency Shutdown Feature works best while funds are still within the Polkadot ecosystem. This includes other parachains as well. Once these funds are transferred to other chains such as Ethereum, the recovery process becomes far more difficult.

Hypothetically, if there is a short fall (loss) created due to an issue with our oracle or a hack, through the governance system, the foundation can hold an auction to sell PARA tokens in order to recover some or all of the losses to users.

Overview of the Shutdown Process

  • The process of initiating Emergency Shutdown can either be initiated by Parallel Finance or a decentralized framework

    1. Triggered by Parallel Finance - an emergency sudo key (to explain is more of a root or privileged operation) is held by one person at Parallel Finance

    2. Decentralized Method - 50% +1 member of our Governance council. For example, if we have 10 council members, it would require 6 (50% of 10 + 1) to trigger the emergency shutdown process.

  • If toggled on, the emergency shutdown feature will block most features of the chain (such as interactions with our DEFI products or balance transfers) in order to give time to the council (or sudo key) to deploy an upgrade fixing the issue that prompted the trigger of the emergency shutdown process. While shutdown, transactions on the platform will not be possible.

  • The emergency shutdown feature allows fine tuned control for every product/extrinsic. For example if there is a bug on any certain call, we can immediately activate the emergency shutdown feature via our governance.

  • The council could then vote to use money from the treasury to repay users who have lost funds.

Bridges

Bridges to other Protocols are generally vulnerable to security attacks. This is why we have put significant focus on systems, processes, monitoring, in place as well as several third party security audits to make our bridges as secure as possible. Our engineering team that has built these bridges are some of the most talented and experienced developers from some of the biggest protocols and platforms in the industry.

Below are some details on the aforementioned processes and systems in place:

  1. Monitoring system We have built our own monitor system, which is built according to the needs we have. We monitor our system 24 hours a day, 7 days of the week to continuously ensure security of our bridge. The system is programmed to notify us of numerous potential issues such as:

    1. Whether thresholds/maximum amounts transferred (amounts that we set) have been exceeded

    2. The status of any and all transactions (i.e. transaction failures and successes)

    3. The status of the relayers. Whether the relayers are online or go offline

    4. Whether the connection between relayer and parallel/ethereum is alive or not

  2. Access Control to the Relayers We use relayers to communicate between our network and an outside network. Through the AWS infrastructure such as VPC/IAM, we have implemented access controls to these relayers so that only very few Parallel Finance developers in charge of its development and maintenance have access. We always know who is accessing them.

  3. Rate limit → 1,000,000 USDT/USDC in total

    One decision we have made to further limit the impacts in the unlikely event of a hack is to limit the amount of a cryptocurrency that can be transferred on its relevant bridge. For example, with our Ethereum bridge, once the total transfer amount reaches the cap, we will pause the cross chain feature. Once all of the transactions look good from our team. We could reset the cap or increase the cap to adopt more cross-chain transactions.

  4. Auditing and testing

    The bridge contracts and backend were audited by our partners at Halborn. All issues found by Halborn were addressed by our team. The Bridges went through an extensive testing and QA process just like all our deliveries and products. Click here to be taken to our Audit Section for more details.

  5. Emergency Shutdown

    We have created a “Pauser” account for the contract which can let us stop the contract when necessary. For the parallel chain, we have a council to do the emergency shutdown as well to mitigate the damage we may have.

Last updated