Security

At Staked, our mission is to help investors earn yield on their crypto securely. The smart contracts passed multiple rounds of auditing by Trail of Bits, a leading security research team.

The code is open for review here. We believe that exposure of value, visibility, and time are the true test for the security of smart contracts. Please exercise caution, and make your own determination of security and suitability.

Vulnerability Disclosure Policy

The disclosure of security vulnerabilities helps us ensure the security of our users.

How to report a security vulnerability?

If you believe you’ve found a security vulnerability in one of our contracts or platforms, send it to us by emailing staked@staked.us. Please include the following details with your report:

  • Description of the location and potential impact of the vulnerability

  • A detailed description of the steps required to reproduce the vulnerability

Scope

Identify an original, previously unreported, non-public vulnerability within the scope of RAY as described below.

The primary scope is focused on vulnerabilities affecting the RAY smart contracts, deployed to the Ethereum Mainnet, for contract addresses listed in the developer documentation and used by the current RAY on-chain system.

This list may change as new contracts are deployed, or as existing contracts are removed from usage. Vulnerabilities in contracts integrated with RAY by third-party developers are not in-scope, nor are vulnerabilities that require ownership of an admin key.

The secondary scope is for vulnerabilities affecting the RAY User Interface hosted at staked.us/v/robo-advisor-yield that could conceivably result in exploitation of user accounts.

Finally, test contracts (Kovan and other testnets) and staging servers are out of scope, unless the discovered vulnerability also affects RAY on Mainnet or the production User Interface or could otherwise be exploited in a way that risks user funds.

Guidelines

We require that all reporters:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing

  • Use the identified communication channels to report vulnerability information privately to Staked

  • Keep information about any vulnerabilities you’ve discovered confidential between yourself and Staked until we’ve had 30 days to resolve the issue

If you follow these guidelines when reporting an issue to us, we commit to:

  • Not pursuing or supporting any legal action related to your findings

  • Working with you to understand and resolve the issue quickly, including an initial confirmation of your report within 72 hours of submission

  • Recognizing your contribution to improving our security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change