Oct 11, 2024
This is an archive of our post on Aave governance forum. Read the full thread here.
Following recent discussions with Crypto.com and signing an NDA, LlamaRisk provides additional information about cdcETH. This update clarifies previous concerns and offers a more comprehensive view of security measures and operational procedures.
Custody solution
We’ve reviewed an audit by a reputable firm (undisclosed due to NDA) confirming the robustness of Crypto.com’s custody solution, which is compliant with SOC 2 (Service Organization Control) Type 2, a year-long process that assesses:
Security controls against unauthorized access, mitigating system abuse, theft, fraud, data removal, software misuse, and information alteration
Quick detection of anomalies and incidents by monitoring staff
Established frameworks for responding to security breaches
The SOC 2 Type 2 framework’s security controls and processes have been effectively designed and implemented to protect the custody solution. Security is the core of the SOC 2 compliance requirements.
Public repository
Crypto.com has made its cdcETH GitHub repository public. Key points:
Uses Circle’s Wrapped Token OS ERC20 format (like cbETH, USDC)
Identifies contract access controls and owner-changeable variables
Includes detailed contract architecture diagrams
The primary contract (FiatTokenProxy.sol) is functionally identical to that of other Wrapped Token OS tokens, with only minor informational differences
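As an added illustration of what a review of "contract access controls and owner-changeable variables" involves for a Wrapped Token OS style proxy, the Python below reads the two storage slots that decide who may upgrade the proxy (admin) and which code it executes (implementation). This is example code written for this archive, not code from LlamaRisk or from the cdcETH repository. It assumes the proxy derives its slot constants from the ZeppelinOS labels that Circle's FiatTokenProxy.sol uses (keccak256 of "org.zeppelinos.proxy.implementation" and "org.zeppelinos.proxy.admin") and, going slightly beyond the page, also checks the EIP-1967 slots for proxies that use those instead. The storage contents and the two addresses are constructed samples standing in for a live eth_getStorageAt call; the keccak-256 routine is pure Python so the script runs offline.

```python
# Added example: inventory the privileged storage slots of a proxy token offline.
# Storage contents below are constructed; swap `sample_reader` for a real
# eth_getStorageAt wrapper to run it against a deployed proxy.
from typing import Callable, Dict, Optional

# --- minimal keccak-256 (Ethereum flavour: pad10*1 with 0x01, not SHA3's 0x06) ---
_RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]
_MASK = (1 << 64) - 1


def _rol(v: int, n: int) -> int:
    return ((v << n) | (v >> (64 - n))) & _MASK


def _keccak_f(a):
    # 25 lanes indexed x + 5*y; theta, rho+pi, chi, iota per round
    for rc in _RC:
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(a[x + 5 * y], _ROT[x][y])
        a = [b[i] ^ ((~b[(i % 5 + 1) % 5 + 5 * (i // 5)]) & b[(i % 5 + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]
        a[0] ^= rc
    return a


def keccak256(data: bytes) -> bytes:
    rate = 136  # bytes absorbed per permutation for a 256-bit output
    padded = bytearray(data) + b"\x01"
    while len(padded) % rate:
        padded.append(0x00)
    padded[-1] |= 0x80
    a = [0] * 25
    for off in range(0, len(padded), rate):
        for i in range(rate // 8):
            a[i] ^= int.from_bytes(padded[off + 8 * i:off + 8 * i + 8], "little")
        a = _keccak_f(a)
    return b"".join(a[i].to_bytes(8, "little") for i in range(4))


def slot_from_label(label: str, eip1967: bool = False) -> int:
    """ZeppelinOS slots are keccak256(label); EIP-1967 slots are keccak256(label) - 1."""
    h = int.from_bytes(keccak256(label.encode()), "big")
    return h - 1 if eip1967 else h


# Both slot families are checked because a given proxy uses exactly one of them.
SLOT_LABELS = {
    "zos_implementation": ("org.zeppelinos.proxy.implementation", False),
    "zos_admin": ("org.zeppelinos.proxy.admin", False),
    "eip1967_implementation": ("eip1967.proxy.implementation", True),
    "eip1967_admin": ("eip1967.proxy.admin", True),
}

StorageReader = Callable[[int], int]  # slot -> 32-byte word as int


def _word_to_address(word: int) -> Optional[str]:
    """Addresses occupy the low 20 bytes of the word; an all-zero slot means unset."""
    addr = word & ((1 << 160) - 1)
    return None if addr == 0 else "0x" + addr.to_bytes(20, "big").hex()


def proxy_privileges(read_storage: StorageReader) -> Dict[str, Optional[str]]:
    """Who can upgrade the proxy (admin) and which code it runs (implementation)."""
    return {name: _word_to_address(read_storage(slot_from_label(label, e)))
            for name, (label, e) in SLOT_LABELS.items()}


# Constructed sample storage (made-up addresses) standing in for eth_getStorageAt.
SAMPLE_ADMIN = 0x1111111111111111111111111111111111111111
SAMPLE_IMPL = 0x2222222222222222222222222222222222222222
_SAMPLE_STORAGE = {
    slot_from_label("org.zeppelinos.proxy.admin"): SAMPLE_ADMIN,
    slot_from_label("org.zeppelinos.proxy.implementation"): SAMPLE_IMPL,
}


def sample_reader(slot: int) -> int:
    return _SAMPLE_STORAGE.get(slot, 0)


if __name__ == "__main__":
    for role, addr in proxy_privileges(sample_reader).items():
        print(f"{role:24} {addr}")
```

The admin address this returns is the one to trace back to the custody setup discussed below: whoever controls it can replace the token's logic, so a review compares it with the operator's stated signer arrangement rather than taking the code at face value.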
MPC Address Custody Solution
Crypto.com uses a multi-stage contract interaction process which, for security reasons, cannot be detailed here. LlamaRisk reviewed the operational flow, which provides checks and balances to prevent unauthorized transactions. However, ownership of the Multi-Party Computation signer keys and adherence to these procedures cannot be independently verified. While an onchain Safe solution would be preferable, the reported efforts suggest good operational procedures.