Security is one of the most critical considerations for any blockchain-related project. Rubic’s goal is to deliver a smooth trading experience to our users around the world, so it’s our job to keep users’ funds and our products secure.
To accomplish this goal, we have been putting a lot of effort into significantly enhancing Rubic’s security measures over the past few months, like never before. We’ve engaged with top-notch security engineers, completely rewritten our smart contracts, which have been scrutinized by audits, and we are about to start a brand new bug bounty campaign.
But before diving into Rubic’s safety architecture, let’s take a broader look at market security!
Cross-Chain Swap Security Overview
2022 was the worst year ever for crypto hacking, with $3.8 Billion stolen from cryptocurrency businesses. Hacking activity varied throughout the year, with huge spikes in March and October, with the latter becoming the worst single month ever for cryptocurrency hacking, as $775.7 Million was stolen in 32 separate attacks. DeFi protocols as victims accounted for 82.1% of all cryptocurrency stolen by hackers, a total of $3.1 Billion, up from 73.3% in 2021. Of that $3.1 Billion, 64% came from cross-chain bridge protocols specifically. (Source: 2023 Crypto Crime Report by Chainalysis)
As we see, cross-chain bridges, as a way to transfer tokens between different blockchains, raise many concerns regarding security. The question on everyone’s mind is if there is a better alternative.
Fortunately, cross-chain technology has progressed beyond just cross-chain bridges to now include cross-chain aggregators, ushering in a highly interoperable future. In comparison to cross-chain bridges, cross-chain aggregators combine a huge number of bridges and DEXs, enabling users to transfer assets between blockchains with less time and effort.
The security of cross-chain swaps depends on several factors, including the safety of the underlying blockchains, the design of the cross-chain swap protocol, and the security measures implemented by the exchange platform.
Blockchain Security: The security of the blockchains involved in the swap is a critical factor. If a blockchain is vulnerable to hacking or theft, then the funds stored on that blockchain may be at risk.
Protocol Security: The security of the cross-chain swap protocol is also important. The protocol should be designed to prevent double-spending, ensure the integrity of the swap, and protect users’ funds from theft or fraud.
Exchange Security: The security measures implemented by the exchange platform play a key role in guaranteeing the security of cross-chain swaps. At the least, this includes regular security audits.
The fact that aggregators can integrate numerous systems and manage swaps through various providers influences their security architecture. They can switch off a provider that has stopped working and reroute the user to another functional provider, thanks to the integration of multiple bridges and DEXs.
Let’s closely examine the Rubic cross-chain aggregator and its updated security design.
Rubic Security Upgrade
In the last three months, taking into account all the security breaches, Rubic has significantly reformed its security practices.
Let’s explore what they are:
- New Position: Rubic’s Chief Information Security Officer
As part of the new security measures on Rubic.exchange, which include auditing new Rubic contracts, we have established the new position of CISO, and hired Alex to assist with the development processes.
Alex has two Master’s Degrees in Engineering and Innovation from HEC Paris. Before joining Rubic, Alex gained 15 years of great experience in IT and security engineering within big corporations like Yandex, QIWI, and Rakuten. He’s been in crypto for the last 7 years, performing private audits for DeFi companies, as well as working for the Symbiosis project.
For now, the Rubic CISO’s key purpose is to develop and implement a new InfoSec strategy.
2. Updated Information Security Strategy
Information security refers to the continuous practice of protecting digital information and systems from unauthorized access. The goal of InfoSec is to ensure the confidentiality, integrity, and availability of digital information by:
- Identification of actual threats
- Development and implementation of mitigation measures
- Confirmation of threat mitigation (by internal and independent audits)
We put a lot of effort to ensure the security of user funds throughout the entire development process as per the new InfoSec strategy. To achieve an optimal level of security, we’ve explored:
- Smart Contract Logic
- Smart Contract Management Models
- Server Infrastructure
3. Rubic’s New Contracts
After the above-mentioned research was carried out, Rubic’s development team, along with the CISO, took all appropriate actions to improve the security levels of Rubic’s contracts.
First and foremost, we’ve changed the contract architecture to make user funds fully secure and invulnerable.
As a result, we secured all smart contract management interfaces with multisig using Gnosis Safe. Thus, multiple signatures or approvals are required before a critical transaction can be executed. For example, 3 of 6 private keys are now requested to be used to sign and broadcast a transaction. This means that an attacker needs to gain access to at least 3 private keys.
Also, we’ve enhanced the security of the production (with frontend and APIs) servers by setting two-factor authentication (OTP + SSHKey). To boost our monitoring system, we’ve also configured Audits and launched alerts for suspicious behavior.
The new contracts are being launched on the 3rd of April. Audits have been completed, and all potential threats that were detected are now fixed.
Since transactions are now implemented through Rubic’s contracts, we’ve switched Rubic’s fees back on. Currently, our platform charges $2 for every cross-chain swap and $1 for on-chain ones.
Rubic’s New Contracts Audit Report:
Rubic’s latest audit was performed by the MixBytes company. All vulnerabilities discovered during the audit are classified based on their potential severity:
During the audit process, 2 critical, 2 medium and 1 low severity findings were found and confirmed by the developers. After the revision performed by the developers, 2 critical and 1 medium findings were fixed, 1 medium (medium.2) was demoted to low severity, and low severity findings were acknowledged. The demoted and remaining findings have low severity and do not affect the overall security of the project.
You can read the detailed report here:
4. Bug Bounty
Rubic aims to operate as a secure, sustainable Cross-Chain Tech Aggregator that anyone can rely on to exchange and move cryptocurrencies across chains. In the interest of further security improvement, soon we are launching the Rubic Bug Bounty Program with Immunefy (link will start working after the launch).
Rubic strongly believes in the value of security professionals’ and developers’ assistance in keeping our products and users safe. Thus, Rubic is establishing and encouraging coordinated vulnerability disclosure via our Bug Bounty Program.
The program is focused on our smart contracts, with a primary interest in the prevention of user fund loss and the provision of protocol stability.
We encourage anyone interested to review the code and find bugs or vulnerabilities which bad actors could exploit. The only eligible level is Critical, we will specify the award amount later together with the start of the program.
We look forward to anyone engaging with us to improve the protocol and build the best Cross-Chain Tech Aggregator in the industry.