E13 - NiftyApes Open Source Audit w/Kevin Seagraves & Zach Herring - 9/1/2022

I, Degen - Episode 13 - Open Source Audio Audit with Kevin Seagraves & Zach Herring from Niftyapes.money

If you have a moment, please check out episode 13 I, Degen sequence on Zeevo. Give your feedback on the show, and we'll mint you a custom token of appreciation 🙏

Listen at: idegen.fm

Contact us: @idegenfm


Intro

On this episode of I, Degen we chat with Kevin Seagraves and Zach Herring from Niftyapes. They recently came out of stealth mode to launch their NFT lending platform and bravely agreed to an open-source audio audit with us.

Welcome to I, Degen, gentlemen, and thanks for taking the time to chat with us. Before we jump into the audit, can you tell us a bit about yourselves and what NiftyApes is?


Intros Kevin Seagraves & Zach Herring:

Who are we talking to?
Tell us about your background and how you built an NFT lending platform.

For KS: Can you tell us more about your work with ETHSecurity?

Hunt questions:


Intro NiftyApes:

  1. What is NiftyApes?
    1. How does it work?
    2. Why did you build it?
    3. Who’s gonna use it?
    4. What is HARBERGER AUCTION?
    5. When release?


  2. Let's talk about the “regen” side of Nifty Apes and the 1%? that goes to public goods. Why was it essential for you to do this?


Open Source Audit:

Security audits are expensive and rarely a priority for founders. This is especially dangerous for DeFi apps and protocols, because a successful attacker can directly take something of value.

The idea behind our Open Source Audit is to help others learn about securing a crypto project by asking you some questions about how you’ve approached the security of NiftyApes.

  1. Can you give us a high overview of the tech stack? How does NiftyApes look from a zoomed-out view? What web2 components are at play, and what web3?
  2. Can you talk a little bit about your overall approach to securing niftyapes?
  3. How have you approached the security in your web2 interface?

KS: we only store tx receipts in DB after a tx has taken place and been confirmed, so the attack surface for us on Web2 is low.

3(b). Have you taken steps to ensure your DNS records are secure?

  4. Contract audits - Can you give us an overview of your process with the contract audits?
    1. How did you find your auditors?
    2. What was the process like?
    3. What did they find?
  5. You guys have gone out of your way to make security a priority for NiftyApes (from the front page):
  6. Does NiftyApes have a bug bounty program? If so, how does it work?
  7. Nocoiners and others have been all over a brewing problem at NFT lending platform, BendDAO. Specifically,
“The NFT lending platform BendDAO has collateralized almost 3% of the entire Bored Ape collection, and many NFTs have recently entered the “danger zone” of liquidation.”

ZW: Would this kind of thing be a potential problem on Niftyapes too?

  8. Game-theoretic bugs are a new and emerging class of attacks in DeFi that don’t necessarily exploit bugs in code, but instead bugs in the relationships between the values of pools, balances, and the connected systems.