Abstract

Smart Contract and Technology risk refers to potential vulnerabilities or failures within the smart contracts that underpin Endaoment’s blockchain ecosystem. These risks include, but are not limited to, code bugs, faulty logic, and exploitable attack vectors that can be used to steal funds. Such vulnerabilities can lead to exploits by malicious parties, resulting in the loss of value or assets. Additionally, this risk encompasses challenges associated with operating in a rapidly evolving technological landscape, where changes to the tech stack can impact operations. Effective management of smart contract risks is essential to maintaining the security and integrity of our blockchain operations, ensuring compliance, and upholding the trust of our stakeholders and donors.

Policy Statement

Endaoment is dedicated to protecting customer onchain assets and account data from smart contract and technological errors or bugs. We manage these risks through regular smart contract audits, technological evaluations, and rigorous assessments of our third-party partners’ security protocols. Compliance with this policy is mandatory for all employees, contractors, board members, and representatives acting on behalf of Endaoment.

Risk Management Strategy

Risk Assessment

  1. Smart Contract Inventory and Classification

    • Maintain a comprehensive inventory of all smart contracts in use, categorizing them based on their criticality, functionality, and potential impact on operations.
  2. Vulnerability Analysis

    • Identify and evaluate potential vulnerabilities within smart contracts, including code bugs, faulty logic, and exploitable attack vectors.

Risk Mitigation

  1. Regular Smart Contract Audits

    • Engage reputable third-party firms to conduct comprehensive technical audits of all smart contracts to identify and rectify vulnerabilities.
  2. Permissions and Access Controls

    • Implement rigorous permissions testing to ensure that smart contract permissions are correctly configured, preventing unauthorized access.
  3. Multisignature Wallet Use

    • Utilize multisignature wallets for all significant transactions to enhance security and reduce the risk of unauthorized access or theft.
  4. Feature Testing

    • Implement a thorough testing protocol for new features before integrating them into smart contracts to ensure their security and functionality.
  5. Bug Bounty Program

    • Establish and maintain a bug bounty program to incentivize external security researchers to identify and report vulnerabilities.

Monitoring and Reporting

  1. Continuous Monitoring of Smart Contracts

    • Employ continuous monitoring systems to oversee the performance and security of smart contracts, detecting and responding to any irregularities or suspicious activities.
  2. Incident Reporting Mechanism

    • Provide a secure and anonymous system for reporting suspected vulnerabilities, bugs, or unauthorized activities related to smart contracts.

Operational Controls

Policies and Procedures

  • Documentation
    • All smart contract risk management policies and procedures are thoroughly documented, with both internal and external-facing components where relevant.
  • Annual Review
    • Conduct an annual review of policies, updating them as necessary to reflect current best practices and technological advancements.

Specific Smart Contract Risk Controls

  1. Third-Party Technical Audits

    • Engage reputable third-party firms to conduct comprehensive technical audits of smart contracts, ensuring they meet security and functionality standards.
  2. Permissions Testing

    • Conduct rigorous testing to ensure that smart contract permissions are correctly configured, preventing unauthorized access and operations.
  3. Multisignature Wallet Use

    • Utilize multisignature wallets for all significant transactions to enhance security and reduce the risk of unauthorized access or theft.
  4. Feature Testing

    • Implement a thorough testing protocol for new features before integrating them into smart contracts to ensure their security and functionality.
  5. Bug Bounty Program

    • Establish and maintain a bug bounty program to incentivize external security researchers to identify and report vulnerabilities.

Vendor Management

  • Compliance Standards
    • Implement stringent controls and regular reviews of vendor relationships to ensure compliance with Endaoment’s smart contract and technological security standards.

Segregation of Roles

  • Segregation of Duties
    • Ensure that critical smart contract procedures and systems have segregated duties to prevent any single individual from having full control over any process without oversight.
  • Approval Processes
    • Maintain segregated claim diligence and approval processes to uphold checks and balances.