$0 USD

JUNE 2020




"Toronto-based" "Atomic Loans aims to bring decentralized finance to the bitcoin market." "Non-custodial Bitcoin-backed loans. Giving custody is not okay. Do it the Bitcoin way." "Access liquidity to pay bills and expenses for yourself and your business." "We understand how it feels to send your Bitcoin to some custodian and hope for the best. With AtomicLoans, your Bitcoin is locked via native Bitcoin scripts." "There’s no application needed to start using Bitcoin, no business hours that Bitcoin adheres to." "Get access to a Bitcoin-backed loan at any time, from anywhere, in a matter of minutes." "Atomic Loans’ decentralized platform allows borrowers and lenders to engage in peer-to-peer bitcoin-backed loans, without the need for centralized custodians."


“Bitcoin is a currency where much of its value is derived from being open, transparent, borderless, and censorship-resistant. It runs 24/7 and you never need someone’s permission to use it,” said Tony Cai, co-founder and CEO of Atomic Loans. “We want to help build a future where financial tools for bitcoin can share every single one of those characteristics as well.”


"Security is the highest priority of the Atomic Loans team." "The protocol’s contract code and balances are publicly verifiable." "Our Bitcoin scripts and Ethereum smart contracts have been reviewed and audited by Quantstamp and ConsenSys Diligence."


"The [first ConsenSys Diligence] audit team evaluated that the system is secure, resilient, and working according to its specifications." "ConsenSys Diligence [then] conducted a second security audit on the Atomic Loans smart contract system." "The audit team evaluated that the system is secure, resilient, and working according to its specifications." A "smart contract audit was [also] prepared by Quantstamp, the protocol for securing smart contracts." "Quantstamp has assessed the Atomic Loans smart contracts and Bitcoin scripts, and consider them to be well-architected and adherent to the provided specification. No critical security issues were detected during this audit, however we provide several suggestions for code improvements based on issues found during the audit."


"The Site and the Services are provided on an “as is” and “as available” basis. Use of the Site and the Services is at your own risk. To the maximum extent permitted by applicable law, the Site and the Services is provided without warranties of any kind, whether express or implied." "You acknowledge that applications are code that are subject to flaws and acknowledge that you are solely responsible for evaluating any available code provided by the Services. You further expressly acknowledge and represent that applications can be written maliciously or negligently, that we cannot be held liable for your interaction with such applications."


"[T]he Atomic Loans v1 beta was at $255,173 in stablecoin supplied, $90,290 in stablecoin borrowed, and ~23.9 BTC locked (total value locked: $485706). We also reached a total of $202,333 in total loans originated since launch."


"On Sunday, June 21st, security researcher @samczsun privately disclosed two vulnerabilities in the currently deployed contracts and lender agents." "Both vulnerabilities would've allowed a malicious borrower to unlock part/ all of their BTC collateral without repaying their loan in specific circumstances."


"A malicious borrower could’ve unlocked their BTC collateral without repaying their loan by front-running a loan cancellation transaction from the lender after the lender secret has already been revealed in the mempool." "Lender funds could have been impacted if the vulnerability had been exploited and the lender is unable to pay a high enough gas fee to ensure the loan cancellation succeeded."


"Although we had two audits done on the smart contracts, as well as an internal audit done by the team, it showed us it is still possible for these types of issues to slip through the cracks."


"Atomic Loans, issued a decision on vulnerability disclosure and suspension of new loan requests." "On Monday, June 23rd, we pushed an update to lender agents, effectively disallowing new loan requests."


"This vulnerability could be easily fixed by adding a withdrawExpiration to the withdraw function in the Loans contract." "We have notified the issues to both our previous auditors, ConsenSys Dilligence and Quantstamp for additional feedback. We want to do our part in helping the auditing community understand how we can better identify these types of vulnerabilities in cross-chain systems moving forward."


"Up to now, neither of these vulnerabilities were exploited by any users, and there were no funds impacted on the platform. Additionally the platform has disabled the ability for any borrower or lender to participate in new loans until they launch v2." "Additionally, ahead of V2 launch, we are planning on organizing a white-hat hacker event, in addition to multiple audits and implementing a bug bounty program."

Atomic Loans created a service where, rather than provide your funds to a central custodian, they could instead be provided to a hot wallet smart contract. Rather than trusting a human being, you would trust arbitrary open source code.


Despite two separate security audits, the code still had vulnerabilities. Luckily, those vulnerabilities were found by a security researcher instead of being exploited by a hacker.


While it's a valid concern to avoid placing funds in the control of a single human being, historically, there hasn't been a documented exit scam involving a known group of people and funds which were fully backed.


An alternative and greater form of security would include a multi-sig with at least one trusted human component.


Check Our Framework For Safe Secure Exchange Platforms

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.

Get Social

  • email
  • reddit
  • telegram
  • Twitter

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.