Crypto · Advanced tier · Reliability 75/100

Code Security Score

Quantifying protocol risk before an exploit happens.

10% Ideal Bounty/TVL Ratio

Overview

This pillar assesses the security posture of a crypto protocol by aggregating smart contract audit results, bug bounty programs, and past incident data. It provides a crucial risk score for traders looking to price in the potential for catastrophic exploits.

What It Does

The Code Security Score synthesizes multiple security-related data points into a single, comparable metric. It evaluates the quality and recency of third-party audits, measures the economic incentive for white-hat hackers through bug bounty coverage, and penalizes protocols for previous security failures. This creates a holistic view of a protocol's on-chain resilience.

Why It Matters

Smart contract risk is one of the largest and most unpredictable factors in crypto. This pillar offers a systematic way to evaluate this risk, providing a predictive edge in markets concerning protocol exploits, hacks, or significant price drops related to security fears.

How It Works

First, we collect all available audit reports, scoring them based on the auditing firm's reputation and the severity of findings. Second, we calculate the bug bounty coverage ratio by dividing the maximum payout by the protocol's Total Value Locked (TVL). Finally, we apply a penalty score based on the time and severity of any past exploits, combining these inputs into a final risk score.

Methodology

The final score is a weighted average: Score = (0.5 * AuditScore) + (0.3 * BountyScore) + (0.2 * HistoryScore). AuditScore is based on firm tier and findings. BountyScore is (MaxBounty / TVL), capped at 10%. HistoryScore starts at 100 and is reduced based on time since last incident and value lost.
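The weighting above, carried through as an added example (not PillarLab's own code). The page fixes the weights and the 10% bounty cap; the rescaling of the capped ratio onto a 0 to 100 range and the exact history penalty (loss as a fraction of TVL, halving for every year since the incident, 365-day years) are assumptions made here so the formula can be run end to end.

```python
from dataclasses import dataclass
from datetime import date

IDEAL_BOUNTY_TVL_RATIO = 0.10  # 10% cap stated in the methodology


@dataclass
class Incident:
    occurred: date
    value_lost_usd: float


def bounty_score(max_bounty_usd: float, tvl_usd: float) -> float:
    """MaxBounty / TVL capped at 10%, then rescaled so the cap maps to 100
    (rescaling is an assumption; the page only states the cap)."""
    if tvl_usd <= 0:
        return 0.0  # assumption: no TVL means no measurable coverage
    ratio = min(max_bounty_usd / tvl_usd, IDEAL_BOUNTY_TVL_RATIO)
    return 100.0 * ratio / IDEAL_BOUNTY_TVL_RATIO


def history_score(incidents: list, tvl_usd: float, as_of: date) -> float:
    """Start at 100 and deduct per incident; the penalty grows with value lost
    and decays with age (assumed: loss fraction of TVL, halved each year)."""
    score = 100.0
    for inc in incidents:
        years = max((as_of - inc.occurred).days, 0) / 365.0
        loss_fraction = min(inc.value_lost_usd / tvl_usd, 1.0) if tvl_usd > 0 else 1.0
        score -= 100.0 * loss_fraction * 0.5 ** years
    return max(score, 0.0)


def code_security_score(audit_score: float, max_bounty_usd: float,
                        tvl_usd: float, incidents: list, as_of: date) -> float:
    """Score = 0.5*AuditScore + 0.3*BountyScore + 0.2*HistoryScore."""
    return round(0.5 * audit_score
                 + 0.3 * bounty_score(max_bounty_usd, tvl_usd)
                 + 0.2 * history_score(incidents, tvl_usd, as_of), 2)


if __name__ == "__main__":
    # Constructed sample protocol: $50M TVL, $1M max bounty, one $5M loss a year ago.
    sample = [Incident(date(2022, 6, 1), 5_000_000)]
    print(code_security_score(80, 1_000_000, 50_000_000, sample, date(2023, 6, 1)))
```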

Edge & Advantage

Most market participants only react to security news. This pillar provides a proactive framework to identify vulnerable protocols before an exploit occurs.

Key Indicators

  • Audit Quality & Recency (high)

    Evaluates who audited the code, what they found, and how recently the audit was performed.

  • Bug Bounty TVL Coverage (high)

    The ratio of the maximum bug bounty payout to the protocol's Total Value Locked, indicating the incentive to report bugs.

  • Security Incident History (medium)

    A record of past exploits, hacks, or security-related losses, which can indicate recurring architectural flaws.

Data Sources

  • Leading platform for bug bounties in Web3, providing data on active programs and payouts.

  • A comprehensive, time-series database of publicly disclosed crypto protocol exploits and funds lost.

  • Major Audit Firms

    Public audit reports from firms like Trail of Bits, OpenZeppelin, and CertiK.

Example Questions This Pillar Answers

  • Will Protocol X suffer an exploit of over $1M before the end of the year?
  • Will a critical vulnerability be publicly disclosed for Token Y's mainnet contract this quarter?
  • Will Protocol Z pause its contracts due to a security threat in the next 30 days?

Tags

security, smart contract, audit, exploit, risk, DeFi, vulnerability

Use Code Security Score on a real market

Run this analytical framework on any Polymarket or Kalshi event contract.