The RAY smart contracts have passed multiple rounds of auditing by Trail of Bits, a leading security research team.
The v1 code is open for review here. RAY's v2 source code will be released soon.
We believe that exposure of monetary value, visibility, and time are the true test for the security of smart contracts. Please exercise caution, and make your own determination of security and suitability.
The disclosure of security vulnerabilities helps us ensure security for our users.
If you believe you’ve found a security vulnerability in one of our contracts or platforms, send it to us by emailing [email protected]. Please include the following details with your report:
Description of the location and potential impact of the vulnerability;
A detailed description of the steps required to reproduce the vulnerability.
Identify an original, previously unreported, non-public vulnerability within the scope of RAY as described below.
The primary scope covers vulnerabilities affecting the RAY smart contracts deployed to the Ethereum Mainnet, at the contract addresses listed in the developer documentation and used by the current RAY on-chain system.
This list may change as new contracts are deployed, or as existing contracts are removed from usage. Vulnerabilities in contracts integrated with RAY by third-party developers are not in-scope, nor are vulnerabilities that require ownership of an admin key.
The secondary scope is for vulnerabilities affecting the RAY User Interface hosted at staked.us/v/robo-advisor-yield that could conceivably result in the exploitation of user accounts.
Finally, test contracts (Kovan and other test-nets) and staging servers are out of scope, unless the discovered vulnerability also affects RAY on Mainnet or the production User Interface, or could otherwise be exploited in a way that risks user funds.
We require that all reporters:
Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
Use the identified communication channels to report vulnerability information privately to Staked.
Keep information about any vulnerabilities you’ve discovered confidential between yourself and Staked until we’ve had 30 days to resolve the issue.
If you follow these guidelines when reporting an issue to us, we commit to:
Not pursue or support any legal action related to your findings.
Work with you to understand and resolve the issue quickly, including an initial confirmation of your report within 72 hours of submission.
Recognize your contribution to improving our security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change.