Shieldify 🤝 Geode Finance: A comprehensive audit for a complex protocol!

Plus our methodology for auditing this De-Fi behemoth.

Shieldify Security
5 min read · Aug 2, 2023

We at Shieldify really value challenges and the ability to work on them. This allows us to demonstrate our skills while fostering a more solid relationship with the protocol’s team, question after question. This is also how we can describe our experience with our partners at Geode Finance.

The following post will observe the audit report that we have prepared for their project, together with our methodology towards it.

About Geode Finance

Geode Finance is an innovative protocol catering to DAOs, providing an ETH2 staking solution for their users. The protocol allows any entity or organization to create publicly or privately branded staking pools with a wide range of customization options, eliminating the need for substantial development and research expenses on the part of DAOs and organizations.


Consequently, this empowers them to offer staking-as-a-service efficiently and securely, without the need for trust between parties.

About Shieldify

Shieldify is the brainchild of three blockchain developers who decided to add value to the web3 ecosystem by protecting protocols. It is a small boutique blockchain security company that specializes in auditing Solidity code for any EVM-compatible network.

We believe that we are among the few organizations that bridge the gap between the two models: the benefits of a large auditing company on one side and, on the other, the flexibility, ease of communication, and meticulous attention to customer satisfaction that solo auditors have recently become known for.

Shieldify cherishes actual partnerships more than one-off audits. This is why we implemented a subscription-based price model that ensures we keep in touch and support our customers even after the audit report has been submitted.

Learn more about us at shieldify.org

Geode Finance’s Mechanics in a Nutshell

No nutshell is big enough to contain those, but we will try.

One of the greatest features of Geode Finance is that it is … hard. Especially when wrapping your head around it for the first time. And this is what we actually loved the most about it! The modularity, the limited upgradeability, and the beating heart of Geode’s machine — the Portal.

The Portal serves as the core of the Geode protocol, responsible for essential functions such as establishing and managing customizable staking pools, minting new tokens, safeguarding ether until it is staked in a validator, and facilitating the onboarding of operators to the marketplace.

Additionally, it oversees the management and regulation of the operator marketplace, ensures smooth implementation of new functionalities, protects its codebase from governance, and handles various oracle-related tasks.

Audit Summary

Shieldify spent a total of 72 person-days auditing the protocol, with a total audit duration of three and a half weeks. The audit report was submitted on the 18th of July 2023, and its prime task was to add an additional security layer to Geode Finance prior to their testnet release.

It is essential to note that prior to this audit, the project had undergone multiple audits, both internal and external. Despite the still ambiguous nature of severity classification in the web3 security niche, we at Shieldify do our best not to exaggerate our findings. This, together with the expertise of Geode's developers, led us to identify only findings classified as Low and Informational. They concerned storage gaps in the upgradeable contracts, the probability of hash collisions, and missing zero-address checks, among other less impactful ones.
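For readers less familiar with these three finding classes, the following contract illustrates each of them side by side. It is an added example written for this post, not Geode Finance's code and not a reproduction of any finding from the report; the contract, its names, and its values are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration of three common Low/Informational finding classes in
// upgradeable Solidity code. Not Geode Finance code; everything here is
// hypothetical and exists only to show the patterns.

/// Base contract intended to be inherited by an upgradeable implementation.
contract RegistryBaseV1 {
    address public governance;
    mapping(bytes32 => address) public entries;

    // Finding class 1: storage gap. Reserving unused slots at the end of a
    // base contract lets a future version append state variables here without
    // shifting the storage layout of every contract that inherits from it.
    // 50 is the widely used OpenZeppelin convention; when an upgrade adds N
    // variables to this contract, shrink the gap by exactly N.
    uint256[50] private __gap;
}

contract RegistryV1 is RegistryBaseV1 {
    bool private _initialized;

    event GovernanceUpdated(address indexed oldGovernance, address indexed newGovernance);

    error AlreadyInitialized();
    error ZeroAddress();
    error NotGovernance();

    // Upgradeable contracts use an initializer instead of a constructor,
    // because constructor code never runs in the proxy's storage context.
    function initialize(address initialGovernance) external {
        if (_initialized) revert AlreadyInitialized();
        if (initialGovernance == address(0)) revert ZeroAddress();
        _initialized = true;
        governance = initialGovernance;
    }

    modifier onlyGovernance() {
        if (msg.sender != governance) revert NotGovernance();
        _;
    }

    // Finding class 2: hash collisions. abi.encodePacked concatenates dynamic
    // arguments without length prefixes, so ("ab", "c") and ("a", "bc") both
    // become the bytes "abc" and hash to the same id. Two distinct
    // (name, version) pairs could therefore overwrite each other's entry.
    function collidingId(string memory name, string memory version) public pure returns (bytes32) {
        return keccak256(abi.encodePacked(name, version));
    }

    // abi.encode length-prefixes and pads every argument, so distinct
    // (name, version) pairs always produce distinct preimages.
    function safeId(string memory name, string memory version) public pure returns (bytes32) {
        return keccak256(abi.encode(name, version));
    }

    function register(string memory name, string memory version, address target) external onlyGovernance {
        // Finding class 3: zero-address check on an address that is stored and
        // later relied upon. Without it, a typo in a governance call would
        // silently register an entry that can never be used.
        if (target == address(0)) revert ZeroAddress();
        entries[safeId(name, version)] = target;
    }

    function setGovernance(address newGovernance) external onlyGovernance {
        // The same check matters even more for privileged roles: setting
        // governance to address(0) would permanently lock every onlyGovernance
        // function in this contract.
        if (newGovernance == address(0)) revert ZeroAddress();
        emit GovernanceUpdated(governance, newGovernance);
        governance = newGovernance;
    }
}
```

Compiling this with `solc` or Foundry and calling `collidingId("ab", "c")` and `collidingId("a", "bc")` returns the same hash, while `safeId` returns two different ones; that contrast is the whole of the hash-collision finding class. None of the three issues is exploitable on its own in this toy contract, which is exactly why such findings usually land in the Low or Informational bucket.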

Geode Finance’s team opted for a gas-optimization report as well, which is also included in the final report.

We would like to extend our congratulations to the Geode team for their exceptional work! The codebase exhibits a high level of documentation and writing quality, with only minor exceptions, and demonstrates comprehensive test coverage.

Auditing Methodology

Shieldify’s approach towards every audit, Geode Finance’s included, can be outlined in several steps:

1. R̶e̶a̶d̶ Understand the Documentation

Although it is one of our favorite parts of the auditing process, grasping the concept and the documentation was also one of the most challenging tasks for us at Shieldify. We spent close to 30% of the total audit timeline on that step alone. However, we leveraged the fact that there are three of us and held regular cross-explanation sessions throughout the entire first week. Frequent communication with the Geode team also clarified some of the key technicalities that were not evident to us initially.

2. Supplement the docs reading with simultaneous code skimming

The second step of the process is to create a map between the documentation and the corresponding code in the smart contracts. We always go for a 70x100 cm blank sheet of paper here and draw flow charts that connect sections of the documentation to the code they explain. Sometimes, Notion also comes in handy for this.

3. Add comments to the code

This step unites the work done during steps 1 and 2 and acts as a sieve. We annotate the core ideas and explanations in the code itself.

4. Running the Tests

Here, we consolidate the knowledge and understanding built up in the previous steps. Any misconceptions are ruled out by the tests.

5. Hunting for findings and referencing the docs again

This is the step where the actual bug hunting takes place. Everything identified is written down and allocated a severity category.

6. Assembling the individual audits into one

Each of the three auditors performs the aforementioned steps individually. Once everyone completes their respective assessment, an intensive final week ensues, involving cross-checking and assembling the three individual reports into a unified one in .md format. This comprehensive report is then submitted to the customer.

7. Getting feedback from the protocol’s engineering team

Once the .md version of the report is handed to the customer, we hold several in-depth talks with the team about the protocol to get their feedback and to agree on a deadline for the commit hash containing the fixes.

8. Adding Makeup

By this time, the report is fully ready, with the customer's response to every finding attached, together with the fixes commit hash. This updated version of the report is then converted into a final sleek-looking PDF with the help of Pandoc and LaTeX.

Closing Thoughts

Partnering with the team behind Geode has been a really delightful experience in every respect. Their ground-breaking idea deserves traction and adoption from the Ethereum community. It lays the foundation of an entirely new staking segment in the web3 ecosystem, one that will allow DAOs to provide new forms of value to their members.

Best of luck, to the Geode Finance team! Success awaits them!! 🙌 🚀

Read the audit report here.
