The Ones in the Arena: Float Capital

“We don’t want an audit so we can launch and users will trust us. Rather, we want a bounty competition so we can find genuine bugs and exploits in our system, ensuring they are fixed before any real funds are at stake.” — JonJon, Float Capital

The Ones in the Arena spotlights emerging and established DeFi projects and their founders, with an eye to celebrating and learning from them. The series’ name is inspired in part by Teddy Roosevelt’s famous quote, which has a central place in Code4rena’s philosophy.

The people behind Float Capital want finance to be accessible and inclusive. JonJon Clark and his co-founders — a group of collaborators who first met years ago in university — have worked together on several projects, including Wildcards, a playful way to contribute to wildlife preservation. Now they’ve turned their focus towards a new goal: making minting a synthetic asset as simple as performing a token swap.

We spoke with JonJon to get an overview of where Float is heading, and to hear his thoughts on the state of security in DeFi, the pros and cons of different auditing approaches, and what the Float team geeks out on in their spare time.

What are you building, and what sets it apart from similar offerings in the space?

Float Capital is a next generation synthetic asset protocol. Minting synthetic assets is finally as simple as swapping tokens. No overcollateralization, and hence no liquidations.

We have engineered an incentives-based, peer-to-peer liquidity model that provides near-perfect exposure.

What’s your vision for your project? What are you building towards in the longer view?

Our goal is to provide the easiest, simplest and safest way for users to get exposure to any asset, instrument, index, and/or outcome.

What’s the most innovative idea in your protocol?

Exposure to the underlying synthetic asset can “float.” The protocol provides strong economic incentives, through algorithmic adjustments based on market demand and supply of positions, to ensure the synthetic asset closely tracks the value of the underlying asset. Some parallels can be drawn between how algorithmic stable coins incentivize a price target, and how our synthetic assets incentivize an exposure target to the underlying asset class. Allowing synthetic asset exposure to “float” allows the liquidity and universe of synthetic assets to radically scale without the typical constraints of overcollateralization.

“Security has to be a community effort.”

It takes courage to undergo a public audit by a swarm of anonymous security researchers. It also says a lot about how much you prioritize security. What advice would you give to those on the fence?

This will be our 6th set of smart contracts that we will deploy in the Ethereum ecosystem, with countless other smart contracts written that have never even made it that far. Before hitting that final truffle deploy --network mainnet (or nowadays hardhat deploy), we feel a massive responsibility to make sure our systems are as safe as possible!

After going through many traditional audit processes in the past, we began to realize that audits are often more of a shallow checkbox exercise, lacking rigor. The main result being a PDF commenting on code readability, instead of researchers taking time to deeply understand the system and craft creative exploits. (Disclaimer: this is not to say there are not some great audit firms out there, we have also had positive experiences!).

The goal, more than anything else, is to find bugs in our smart contracts, as opposed to simply ticking the checkbox of 'having an audit'. In other words, we don't want an audit so we can launch and users will trust us. Rather, we want a bounty competition so we can find genuine bugs and exploits in our system, ensuring they are fixed before any real funds are at stake. C4 simply creates the perfect incentives to bring this goal to fruition! It’s all about finding the exploits to get paid and less about the frills and show.

Security has become an increasingly vital topic in DeFi. How do you think the ecosystem needs to evolve in order to rise to the challenge?

Security has to be a community effort. From the dev perspective, it’s important we share our insights and testing frameworks when we build these complex systems.

On a different note, a great initiative I’ve seen recently is the upcoming Ethereum security bootcamp being championed by one of the C4 wardens, Rajeev, who no doubt has plenty of experience. It will be important that the auditing community grows as rapidly as the Ethereum ecosystem, and this is aiming to address that!

“All of us are looking to write the safest possible code. Let’s try to be more transparent, and actively share how we are doing this.”

What gets you most excited about DeFi?

For us it has to be the hackathons and meetups in the ecosystem. We’ve met fellow Ethereum legends in Berlin, London, Bangalore, Paris, Istanbul and Cape Town over the past 5 years. These events allow everyone to closely collaborate and push the boundaries on what DeFi can do. Plus they are loads of fun!

I wish more DeFi projects would…

Share their findings while building their projects. At Float we are trying our best to share our insights from our unit testing framework for our smart contracts, as well as how this integrates into the graph testing framework we have created. All of us developers are looking to write the safest possible code. Let’s try to be more transparent and actively share how we are doing this. This is especially important when building using so many nascent technologies.

Bi-monthly DeFi dev security meetups? Who’s in?

What DeFi project name do you wish you’d thought of first?

Float Protocol. Just kidding, they are another awesome project doing something completely different, an algorithmic stable currency. So try not to confuse us, Float Capital, with Float Protocol :)

What do you geek out about, beyond DeFi?

Chess has to be a favourite. When we go away together as a team we often bring a 4-player chess set. These games often last till the early hours of the morning, all while we play some loud music, sink a cold beverage, and discuss some of our best protocol ideas.

Learn more about Float:

Float’s $50,000 security audit contest kicks off August 5, 2021 and runs for one week. Details at code4rena.com.
