About deBridge Finance

deBridge is a cross-chain interoperability and liquidity transfer protocol that allows decentralized transfer of assets between various blockchains. The cross-chain intercommunication of deBridge smart contracts is powered by a network of independent oracles/validators elected by deBridge governance.

deBridge protocol is an infrastructure platform and hooking service which aims to become a standard for:

  • Cross-chain composability of smart contracts
  • Cross-chain swaps
  • Bridging of any arbitrary asset and data
  • Bridging of NFTs

To learn more about deBridge Finance, read the official documentation here.

About the audit

Ackee Blockchain and deBridge Finance agreed to perform two follow-up audits. Between October 18 and October 29, 2021, the Ackee Blockchain security team successfully completed the first audit. The time donation was 20 engineering days.

The second audit of deBridge Finance was performed between November 22 and December 3, 2021, with a time donation of 10 engineering days. Its main focus was checking whether reported issues from the first revision were correctly fixed.

At the beginning of the audit, the following main objectives were defined:

  • Check the overall code quality and best practices.
  • Check the functionality of the system.
  • Check that no unauthorized party is able to claim or send assets.
  • Check that the discovered issues were correctly fixed, and verify the correctness of the newly implemented logic for the change balance and keys management.
  • Check that the refactored code didn’t introduce any new issues.

The security review combined two methods: manual code review (checking the code line by line for common vulnerabilities or code duplication) and local deployment and hacking (deploying the program locally, then trying to attack the system and break it).

Findings

Using the methods described above led to the following findings:

  • L1: Typos in several places in the code
  • L2: Bad naming conventions
  • L3: NewTypes or type aliases for primitive types
  • L4: Missing or Unused code
  • L5: Unused accounts
  • L6: Unconstrained authority
  • L7: Use of ProgramAccount struct
  • L8: Add extra optimizations in Cargo.toml
  • L9: Use the latest stable Rust version (1.56)
  • L10: Consider more pedantic clippy rules
  • M1: Use create_program_address instead of find_program_address
  • M2: Using API calls instead of SysVar
  • M3: Extra SEED during checking, constraint fails even when the right account is used
  • M4: Comparing bad PubKeys
  • M5: Badly calculated rent exempt for one day
  • M6: BridgeCtx::staking_wallet bad constraint
  • H1: InitSendBridge computational Budget
  • H2: Custom program errors in settings program
  • H3: The program violates the stack size at runtime, an AccessViolation error

10 low severity, 6 medium severity, and 3 high severity issues were identified.

Revision 2

  • L11: Mistakes in documentation
  • L12: Non-unified approach to system accounts constraint
  • L13: Wrongly used range literal
  • M1: Still several places where create_program_address can be used instead of find_program_address
  • H4: Protocol doesn’t collect native fix fee

Revision 2 of the audit discovered 3 low severity, 1 medium severity and 1 high severity issues.

Conclusion

The code is mature in quality, with sufficient test coverage and supporting documentation. The client correctly fixed all issues discovered in Revision 1 except issue M1, which was addressed correctly but not in all of its occurrences.

deBridge Finance values security as the most crucial aspect of cross-chain interoperability. We also share these values at Ackee Blockchain and are honored to have been chosen as their audit partner.

 

The full Ackee Blockchain audit report of deBridge Finance with a more detailed description of all findings and recommendations can be found here.