Welcome back to RWG: Behind the Scenes! As we conclude Season 2, we’re excited to share an in-depth look at the goals we set, the projects we undertook, and the success metrics we aimed to achieve over the past six months. As a reminder, we compile all directives and accomplishments in the Risk Working Group Digest, our dedicated website that serves as a comprehensive archive of our work.
Below, we’ll assess each goal, project, and success metric as outlined in our original Season 2 proposal. We’ll provide specific examples from our completed tasks to illustrate our achievements. So, buckle up—this is going to be an informative and detailed exploration of our work over the past half-year. You can revisit the RWG Season 2 proposal here for reference.
WG Goals
Enhance Existing Frameworks
Our goal was to continuously improve our existing risk management frameworks to cover more use cases and adapt to evolving market conditions and emerging risks. During Season 2, we made progress in this area. We undertook the redesign of the LP Snapshot sheets and Parameter Models, improving data collection processes and revising liquidation scenarios to include factors like gas costs in simulating profit margins. While we have not yet transitioned away from Google Sheets to a more sophisticated platform, this intended overhaul—which will allow for real-time updates—is planned for Season 3.
Develop New Frameworks
To address emerging risks and challenges in managing Inverse’s suite of products, we set out to develop new risk management frameworks during Season 2. While we began exploring a standalone “Gauge Health” framework centered around protocol ownership and bribe mechanisms, we have so far integrated this analysis into our existing Risk Observer Checklist framework. Apart from this, no other new risk frameworks were created by the RWG during Season 2.
Conduct Comprehensive Risk Assessments
Regularly assessing existing and prospective FiRM markets is a crucial function of our working group. We conducted 10 thorough risk assessments that led to new markets such as LP collaterals DOLA/FRAXpyUSD LP, DOLA/crvUSD LP, and DOLA/FRAXBP, as well as sFRAX, sUSDe, COMP, cbBTC, and PT-sUSDe-MAR2025. We also produced revised studies for CRV, cvxCRV, and st-yCRV which led to the unpausing of these markets after reassessing their safety. These assessments involve thorough analysis of the assets’ risk profiles, including studies into liquidity, oracles, liquidations, escrows, contract ownership, upgradability, immutability, audits, and the underlying protocol’s operational structure, transparency, and centralization risks.
Drive Security-Related Cooperation
Fostering collaboration among working groups and with third-party auditors and security consultants was a key goal. We revived the Chainalysis Proactive CIR initiative (now operated by ZeroShadow) which was first explored in Fall 2023, aiming to adopt their incident response plan for the protocol. We held calls with security vendors such as Hypernative, ZeroShadow and Forta to explore advanced threat detection and automated response solutions. We set up calls with UMA for OVAL integration into FiRM. Additionally, we updated our Bug Bounty Program, successfully petitioning the DAO to support increasing its max bounty size by 40,000 DOLA, and continued to engage with the ImmuneFi team to enhance program effectiveness. Recently, we held a call with ImmuneFi to discuss improving the quality of submissions and addressing challenges like low-quality reports.
Review Operational Processes
We continue to routinely review and aim to improve operational processes within Inverse Finance to ensure our procedures remain aligned with best practices and industry standards. One tool aiding this effort is the Risk Observer Checklist, a weekly RWG deliverable which, among other things, helps keep our Bug Bounty Scope List up to date. In September, we provided the PWG with detailed constructive feedback, in the form of a document, on our in-house smart contract review process. Next, we are working on revamping the Multisig Herder Handbook, a document which serves to clarify roles and responsibilities and expedite actions within our SecOps team.
Facilitate Governance Participation
We set out to improve engagement in the Inverse Finance governance forum during Season 2, but we fell short in consistently and publicly providing input on proposed strategies and policy changes. We encouraged discourse on Discord for the 19 proposals we authored during Season 2, but often with limited effect. Our forum posts have been viewed 2,164 times with 6 replies, compared to 5,330 views and 29 replies during Season 1. Overall, there is little to indicate that governance participation has improved in the last six months.
Author Risk-Centric Content
In May, we shared our methodologies and insights through the “LP Analysis and Daily Borrow Limit” Behind the Scenes post. However, aside from occasional blog posts, we did not continue producing informative content to raise awareness of our risk management practices.
Maintain an Updated Library of Directives
Throughout the season, we regularly updated the Risk Observer Checklist, with weekly and end-of-month reports shared internally. We also recently updated the Risk Working Group Digest, our dedicated website, adding new sections like “Frameworks”, “Season Recaps” and expanding the “SecOps” page to share our vision and detailed explanations of our models and security operations.
Projects
Modernize Frameworks
While we optimized data collection processes and improved the accuracy and efficiency of our models, we did not move to more advanced platforms for hosting frameworks as planned. Modernizing our frameworks to allow for real-time updates remains a goal for the RWG in Season 3.
Revamp Risk Observer Checklist
We added a Gauge Section to the checklist, providing insights into gauge health and liquidity incentives, and generally refined the report, keeping conciseness and ease of readability in mind. Additionally, we created an end-of-month report that presents data collected during the month in a clear and concise manner. This monthly summary not only eases our data analysis by highlighting key metrics and trends over longer periods but also enhances our ability to make informed decisions based on comprehensive insights. Most importantly, although we set out to explore ways to utilize APIs and integrate real-time data sources to create a dynamic and comprehensive reporting system, we have not yet achieved this goal. This revamp, which will make our weekly and monthly reports more informative and accessible to team members, is intended to facilitate faster response times and enhance our proactive risk management, and will be pursued during Season 3.
Reinforce Technical Reporting
We strengthened the technical reporting aspect of our collateral onboarding process. Using tools like Tenderly and Inverse Watch, we conducted simulations to test market parameters and contracts before launch. These simulations helped us determine optimal liquidation factors and adjust parameters to maintain market stability. The technical portion of our risk assessments now includes detailed analysis of smart contract interactions and potential vulnerabilities.
Introduce Circuit Breakers
We explored the possibility of configuring circuit breakers into our forthcoming FiRMv2 to allow critical actions to be executed swiftly during emergencies, hosting intro calls with security vendors and presenting findings to core contributors. These efforts aim to enable us to pause markets or halt operations automatically in response to detected threats, minimizing potential damage during security incidents. While there hasn’t been anything formalized yet, core contributors are better informed on the topic as a result of our efforts.
Enhance LP Analysis
In order to more accurately measure liquidity stickiness and decentralization, we undertook the task of including sources beyond Convex in our studied collateral’s LP Snapshot. This allowed us to more accurately analyze the impact of major LPs exiting the market and thus make more confident recommendations related to the daily borrow limit framework and overall collateral assessments. For instance, we assessed how the departure of a significant LP could affect liquidity and adjusted borrow limits accordingly to mitigate risks.
Develop Gauge Analysis
We explored methods for evaluating gauge health. In May, we added a gauge section to the Risk Observer Checklist. This was aimed at enhancing our risk assessment capabilities by incorporating the stability of liquidity incentives into our frameworks. By understanding gauge dynamics, we could better predict changes in liquidity and adjust our strategies to maintain market health. On that note, developing a framework centered around gauge health was considered, utilizing factors like protocol ownership, founder-owned weights, external incentives, and historical data. This might be formalized into a standalone framework in Season 3.
Conduct Fire Drills
We enhanced our incident response protocol by updating documentation and plan to conduct simulations during Season 3. While we are waitlisted for Security Alliance’s “SEAL War Games”, we continue to develop our network of alerts through Inverse Watch, our in-house monitoring platform. Most recently, we refined our custom alerts on oracle variance.
Initiate Cross-Protocol Risk Collaboration
We aimed to collaborate with other DeFi protocols to share insights and best practices. Although this initiative was deprioritized, we utilized resources authored and made available by other risk teams such as LlamaRisk, BA Labs, and Chaos Labs. Regarding fostering relationships that enhance our overall security posture, the recently DAO-approved Liquidator Grant Program aims to establish communications with MEV actors to understand their influence on the ecosystem and explore onboarding them onto FiRM.
Success Metrics
Number of Identified Risks and Their Severity
While the vast majority of risks are identified before contract deployment, throughout Season 2 we diligently identified numerous emerging risks through data compiled for the weekly Risk Observer Checklist, which led to the RWG calling upon its guardian role to pause FiRM’s COMP (since unpaused) and INV markets. Similarly, the sunsetting of the cvxFXS market was carried out upon the recommendation and guidance of the RWG, and was done gradually, in steps, so as not to affect existing users of the market too harshly.
Number and Severity of Security Incidents
We are proud to report that zero security incidents occurred during Season 2. Proactive SecOps measures—including our smart contract review process, regular third-party audits, and the bug bounty program—as well as efforts undertaken by the RWG, such as producing the weekly Risk Observer Checklist and maintaining our alert system in close collaboration with the AWG, have proven effective in maintaining the integrity and security of the protocol.
Increase in Percentage of Audited vs. Deployed Smart Contracts
Although no public audits were conducted on smart contracts deployed during Season 2, the PWG continued to carry out our smart contract review process, periodically engaging with third-party auditors privately for selective contract reviews. We have maintained relationships with leading auditing firms, contest platforms, and solo auditors, staying current with their latest rates and offerings. By following through with our smart contract review process, we have increased the percentage of audited code relative to deployed contracts, strengthening our security posture.
Increase in Bug Bounty Program Engagement
Our efforts led to higher engagement from security researchers. By increasing the bounty size and maintaining an updated program contract scope list, we received numerous submissions, improving the scrutiny of our codebase. In May, we added 10,000 DOLA to the bug bounty program and tweeted about the payout increase to raise awareness. We did the same in October when we added a further 30,000 DOLA. We have held calls with the ImmuneFi team, and continue to explore ways to enhance the program’s effectiveness in attracting more skilled researchers while also addressing challenges like low-quality submissions.
Looking Forward
As we conclude Season 2, the RWG is energized and ready to tackle the challenges of Season 3 if confirmed by the DAO. Our focus will be on continuous improvement of our frameworks and methodologies to stay ahead in the ever-evolving DeFi landscape. We plan to integrate advanced security measures, champion automating security processes, and enhance incident response capabilities. We will continue to produce educational content and maintain transparency to empower our community and foster trust. Strengthening collaborations, both within Inverse Finance and with other DeFi protocols, remains a priority as we aim to enhance the overall security posture of the ecosystem.
We are committed to proactive risk management, effective collaboration, and safeguarding the Inverse Finance ecosystem. With the foundations laid in Seasons 1 and 2, we are well-prepared to navigate the opportunities and challenges that lie ahead.