Bluefin Security

At Bluefin, our mission is to build a decentralized ecosystem that excels in performance, user experience, and security. Our development practices are guided by stringent security protocols and a commitment to transparency.

Audited By:

  • PeckShield
  • Halborn
  • Trail of Bits
  • OtterSec

In addition, our platform undergoes continuous security review through our bug bounty program on HackenProof.

Audit Reports:

Here is a link to our latest audit reports:

Frequently Asked Questions (FAQs)

What measures does Bluefin take to prevent Private Key Compromise?

At Bluefin, we utilize multi-signature wallets to secure critical actions performed on our smart contracts, such as upgrades and parameter updates. For instances where a hot wallet is necessary, like with our liquidator operators who ensure system solvency, we employ AWS Key Management Service (KMS). AWS KMS ensures that private keys cannot be extracted, adhering to AWS's strict security policies.

How do you protect your transactions?

Every transaction on our perpetuals platform requires signatures from both the taker and the maker. These signatures are rigorously validated twice—first off-chain and then on-chain. Additionally, each transaction undergoes multiple layers of validation and compliance checks to ensure integrity and adherence to our security standards.

What if your settlement operators are hacked?

Our settlement operators play a crucial role in interfacing with smart contracts and placing orders. However, even in the event of a compromise, the requirement for dual signatures (from both the maker and the taker) ensures that malicious actors cannot execute unauthorized trades. This dual-signature mechanism provides an additional layer of security against potential breaches.
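The dual-signature check described in the two answers above, as an added illustration that is not Bluefin's own code: the order layout, the use of ed25519, and the JSON encoding are assumptions, since the page does not specify them. The settlement operator only relays a matched pair; the check rejects any order whose signature does not verify under the key named in that order, so an operator that is compromised can neither alter a signed order nor sign one on another trader's behalf.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Order is a constructed, simplified order (the real Bluefin layout is not on the page);
// Trader is the ed25519 public key whose margin account the order trades.
type Order struct {
	Trader          []byte
	Market          string
	IsBuy           bool
	Price, Quantity uint64
}

// SignedOrder is an order plus its owner's signature over the canonical JSON encoding.
type SignedOrder struct{ Order Order; Sig []byte }

func encode(o Order) []byte { b, _ := json.Marshal(o); return b }

// GenKey creates a trader identity; in practice the key stays in the trader's own wallet.
func GenKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

// Sign runs client-side for the maker or taker; the settlement operator never holds these keys.
func Sign(priv ed25519.PrivateKey, o Order) SignedOrder {
	return SignedOrder{Order: o, Sig: ed25519.Sign(priv, encode(o))}
}

// Settle models the on-chain check. The operator only relays the matched pair; each order is
// accepted solely if its signature verifies under the key in its own Trader field, so an order
// the operator altered, or signed itself for another trader's account, is rejected.
func Settle(maker, taker SignedOrder) error {
	for _, so := range []SignedOrder{maker, taker} {
		if len(so.Order.Trader) != ed25519.PublicKeySize ||
			!ed25519.Verify(ed25519.PublicKey(so.Order.Trader), encode(so.Order), so.Sig) {
			return errors.New("order signature does not verify under the order's trader key")
		}
	}
	if maker.Order.Market != taker.Order.Market || maker.Order.IsBuy == taker.Order.IsBuy {
		return errors.New("maker and taker orders do not cross")
	}
	return nil
}
```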

What if there is still a compromise of your system?

At Bluefin, we adopt an "assumed compromise" philosophy. We have robust alerting systems in place to detect any abnormal activities in trades, withdrawals, and smart contract interactions. If a breach is confirmed, our Guardian methods are activated to pause all trading operations from the Margin Bank. Furthermore, we diversify our funds by keeping the majority in cold storage rather than in smart contracts or hot wallets. These cold storage funds act as a reserve to cover any potential losses in extreme scenarios.

What happens to the USDC I’ve deposited?

The USDC you deposit is directly transferred into our open-source smart contracts, which are non-custodial. This means that only you or the trading algorithm can access these funds to collateralize your positions. Bluefin has no custody over your assets.

Traders interact solely with transparent, non-custodial smart contracts, ensuring that no central party has control over your funds and transactions. You retain full control, allowing you to cancel trades and withdraw your profits to your personal wallet at any time.

How do you ensure the security of smart contracts?

Smart contract security is critical at Bluefin. Our smart contracts undergo extensive testing, including unit tests and integration tests. We also conduct regular code audits with reputable security firms like PeckShield, Halborn, Trail of Bits, and OtterSec. Furthermore, our smart contracts are continuously reviewed by external security researchers via our bug bounty at HackenProof.

Additionally, Bluefin secures its APIs with rate limiting to prevent abuse and with DDoS protection mechanisms that keep the platform accessible and operational even under attack.

What is Bluefin's approach to vulnerability management?

Bluefin adopts a proactive approach to vulnerability management. We continuously monitor our systems for vulnerabilities using automated tools and perform regular manual audits. When a vulnerability is identified, we follow a structured process to assess its impact, prioritize remediation efforts, and deploy patches promptly. Our bug bounty program with HackenProof also helps us identify and address vulnerabilities reported by the security community.