Comment on page
The safety of customer funds is our utmost priority.
We have invested in industry-leading security practices covering all aspects of our software development process and the infrastructure which runs our app.
Finally, we have sought review from independent advisors. Our smart contracts are being audited, and an external security consultant has signed off on our internal processes.
Please refer to each section below to learn more about our security.
Our team obey the following mandatory policies:
- machine-generated complex passwords for all services, stored in a secure password manager;
- access to the password manager and all cloud-based services are protected by two-factor authentication - this includes project and team social media accounts;
- secrets are never stored in version control or otherwise shared insecurely;
- no code changes are pushed to production without passing an internal code review;
- we automate testing and deployment upon merging code, and merges to master are blocked by Github policy until code review is complete;
- we avoid phishing by limiting the use of email and blocking attachments.
We also conduct internal training to keep security concepts top-of-mind and share learnings from recently published security breaches.
We use reputable cloud-based infrastructure providers and modern DevOps practices to assure the security of our front end. We use leading tools like Sentry to provide real-time monitoring and alerting.
Our Defense in Depth approach provides an additional safeguard in the event of a security breach.
We have commissioned bespoke monitoring software to interrogate the configuration of our cloud infrastructure – including DNS records and the Content Delivery Network – to immediately alert us in the event of any unauthorized changes. This proactive security monitoring would allow us to take down our website if it were compromised before users could be prompted to sign any fraudulent transactions in their wallets.
We mitigate the risk of software supply-chain attacks by version-pinning our dependencies, subscribing to threat intelligence services, and making careful case-by-case decisions about when to update libraries.
We will not receive user funds until:
- our smart contracts have been audited by a reputable firm;
- we have reviewed the audit results and implemented any recommended changes;
- we have published the audit in our documentation.
We interoperate with other DeFi protocols, for example, GMX and Dopex. While we believe we have chosen reputable, battle-tested protocols to integrate with, these beliefs are based on the public representations made by those protocols. We have not verified the accuracy of any of these claims, and we are not responsible in any way for the security of third-party products.
Users should be aware of the risk that a software bug in third-party protocols, including blockchains and layer two solutions, could result in financial loss. We're not responsible for the security of third-party software. We will not be liable for any loss arising from using third-party software.
We encourage users to do their due diligence, for example, by reading security audits of the blockchains, layer two solutions, and third-party protocols that the user will be interacting with.
Prior to launch, our two in-house security experts created a program of internal checks and affirmations to ensure all team members followed security procedures. This included:
- inventory and ownership of all protocol secrets;
- secure master passwords and 2FA for all accounts (e.g., mail, social media, Github);
- smart contract access;
- multi-sig wallet access;
- ownership and access to keys;
- secure transfer of secrets and sensitive information between team members.
It is essential to D2.Finance that we minimize vulnerabilities and that all team members are rigorous in following procedures designed to protect the protocol and user funds.