Security & Audits
eUSD smart contracts are developed by Membrane Finance in close collaboration with Equilibrium. In addition to thorough internal testing and auditing, all of our production code is audited by third parties.
Audits
Please note that the eUSD smart contract is a clean fork of the EUROe smart contracts, and hence the references below are to the EUROe smart contract. The USD e-money smart contracts were audited by PeckShield in July 2022 and by Runtime Verification in December 2022. Below is a complete list of the audits, a summary of findings, and the smart contract changes between and after the audits. Audits have been bolded.
2022/07 PeckShield
The audit was started at commit b011a0d and concluded (with changes reviewed up until) commit 02bb9c7.
PeckShield found 1 medium and 1 informational finding. The former was confirmed and the latter resolved.
The full audit report is available for download here. Alternatively, you can view the report on PeckShield's GitHub here.
Changes from 2022/07 to 2022/12
- Added a normal mint function in commit 7c7164f
- Renamed eEURO to EUROe in commit 3113259
- Added rescuer and burner roles in commit e797a6c
- Made further name changes in commit 3a57311
- Improved contract documentation in commits 72487d9 and cd94c71
- Made a change to the accepted Solidity compiler versions in commit f11328c
- Added a storage gap so that new variables can be added without shifting down storage in the inheritance chain in commit d194177
- Removed support for the renounceRole() function in commit 4868177
Changes in other commits have focused on deployment scripts, tests, and documentation.
2022/12 Runtime Verification
The audit formally commenced at commit 4868177.
One high severity finding was raised along with four informational findings. All findings have been addressed since the audit.
The following commits addressed the findings of the Runtime Verification:
The full audit report is available for download here. Alternatively, you can view the report on Runtime Verification's GitHub here.
Changes after 2022/12
- A commit (2abb003) was mistakenly made to the main branch and was reverted in commit 053522d. Following the incident we have turned on branch protection in all public repos. All production repos had branch protection turned on.
- Changed the state mutability of an overridden function in commit 255439f
- Added a legal disclaimer to the contract & modified NatSpec in commit a64c0b9
Security & Bugs
Membrane Finance has an active bug bounty. Please refer to our Security and Bugs page for information regarding bug bounties and eUSD security.
Testing
All eUSD systems, including the stablecoin, are subject to rigorous internal and external testing before release. Our testing process includes, but is not limited to, automated unit and E2E tests along with manual review and code & logic audits. All production code is internally peer reviewed. Furthermore, we place a heavy emphasis on system security. Hence, all smart contracts are audited by third parties.
EVM Implementation JS Tests
You can find the automated stablecoin tests on GitHub. The test coverage report is available on GitHub as a PDF.
EVM Implementation Foundry Tests
In addition to the JS tests provided above, which are actively maintained, a limited set of Foundry tests is provided in the feat/foundry_tests branch, available on GitHub.
Solana Implementation Tests
Automated unit & integration tests for the Solana implementation are not publicly available.