Case Study
CompliFi Secures their AMM with a CertiK Security Audit

The codebase for CompliFi’s automated market maker (AMM) pool contract has been audited by the CertiK Auditing Team. Using this AMM, anyone can create a pool and finalize it; once a pool is finalized, any user can join it and receive pool tokens in return. A summary of the audit and its findings follows.

Use-Case Profile

CompliFi Protocol is a decentralized protocol for issuing a wide range of financial derivatives without the risk of default, liquidations, or collateral calls.

In early February, CompliFi expanded its product offering beyond the derivatives issuance protocol described above to include an AMM built to handle extremely volatile assets. End users can now purchase a range of 5x leveraged tokens, with more instruments set to arrive in the future.

The CompliFi AMM makes a number of changes from the conventional AMM design:

  • Slippage and prices are disconnected from pool balances
  • Derivatives are re-priced at the beginning of every block to drastically limit arbitrage opportunities
  • LP market risk is actively managed using dynamic trading fees and exposure limits
  • Bulk asset selling is integrated into the design

Read more on all things CompliFi here

Code Review & Auditing Process

The CompliFi AMM codebase was reviewed between March 10th and March 23rd, 2021, using a combination of static analysis and manual review. The findings mainly concern optimizations, along with a few minor and medium severity issues.

The CertiK Professional Services team assigned to CompliFi reviewed the implementation of the contract’s smart-contract-oriented functions, covering the parts of the codebase responsible for the core functionality of the system as described in the project’s own statements.

The auditing process focuses on the following considerations:

  • Testing smart contracts against both common and uncommon attack vectors.
  • Assessing the codebase to ensure compliance with current best practices and industry standards.
  • Ensuring contract logic meets the specifications and intentions of the client.
  • Cross-referencing contract structure and implementation against similar smart contracts produced by industry leaders.
  • Conducting a line-by-line manual review of the entire codebase.

A total of 25 findings were identified: 19 informational issues, 4 minor vulnerabilities, and 2 medium vulnerabilities. The CompliFi team has remediated 22 of the 25 findings, including all minor and medium vulnerabilities; the three outstanding findings are informational.

You can review the full audit here.

About CompliFi

CompliFi is a combination of a derivative issuance protocol and AMM on Ethereum, designed to entirely eliminate counterparty risk. It allows users to structure, issue and trade a wide variety of synthetic risk assets, without ever facing collateral calls and liquidations.

CompliFi is dedicated to reaching the highest level of decentralization and has been designed from the outset to eschew all authority over user funds.

About CertiK

CertiK is a leading-edge cybersecurity firm founded by Computer Science professors from Yale and Columbia University, respectively, with the aim of improving the security and correctness of smart contracts and blockchain protocols on a global scale.

Leveraging a seasoned team of multi-skilled engineers and security auditors, CertiK’s mission is to apply industry best practices across the full spectrum of static, manual, and dynamic analysis, ensuring that each project subject to a formal audit meets modern security standards, while offering its services to the broader DLT community.

Over the past few years, CertiK has served more than 100 leading blockchains, DeFi protocols, and other complex and/or custom smart contracts, including but not limited to Binance, Terra, Bancor, ShapeShift, and Blockstack.
