In 2021, Ackee Blockchain and 1inch agreed on long-term cooperation, and we, Ackee Blockchain, became partners to audit the future developments of 1Inch.

1Inch needs no introduction as it is one of the well-known protocols in the cryptocurrency ecosystem, but we will explain what 1inch is and how it works for this blog post.

The 1inch Network is a DEX and DeFi aggregator protocol across multiple chains. At the time of writing this  blog post, 1Inch support these blockchains: Ethereum, BSC, Polygon, Optimism, Arbitrum, Gnosis chain, and Avalanche 

1inch follows the best security standards as five auditing companies first audit each new feature/protocol enhancement before the release. All findings discovered by Ackee Blockchain were found on non-production code.

 

So, how does 1inch work?

There are currently 3 protocols operating in the 1inch network: Aggregation Protocol, Liquidity Protocol, and Limit order Protocol.

Aggregation Protocol:

Aggregation Protocol provides cost-efficient swap transactions across multiple liquidity sources while offering users competitive rates.1inch incorporates the pathfinder algorithm, which finds the best paths among different markets on supported blockchains

a Routing example

Liquidity Protocol:

Liquidity Protocol allows users to earn passive income on their crypto assets by depositing them in 1inch liquidity pools. The cryptocurrencies held in liquidity pools can then be used as the opposite side of transactions by traders who place trades using the 1inch decentralized exchange. In return, liquidity providers earn ‘LP tokens,’ which can be staked or exchanged for other cryptocurrencies.

Limit Order Protocol:

1inch limit order protocol is a set of smart contracts that can work on any EVM blockchain. Key features of the protocol are flexibility and high gas efficiency that is achieved by using two different order types – regular Limit Order and RFQ Order.

 

A summary of the audits and their findings follows up. 

In this blog post, we’ll mention information about the following 1inch audits:

  • 1inch Farming Audit 
  • 1inch Cumulative Merkle drop Audit
  • 1inch Fixed Rate Swap Audit 

First, let’s dive into 1inch Farming Audit and 1inch Cumulative Merkle drop audit.

1Inch Farming Audit was performed between 27.01.2022 and 09.02.202 by The Ackee Blockchain Security. Our security team found 2 low severity issues that were fixed by 1inch’s development team.

1inch Cumulative Merkle drop Audit was performed between 07.09.2021 and 10.09.2021 by The Ackee Blockchain Security. Our security team also found 2 low severity issues that were fixed by 1inch’s development team.

Now let’s dive into a publicly accessible report – 1inch Fixed Rate Swap Audit. The whole audit process consisted of an audit and two re-audits. Between 09.08.2021 and 22.08.2021, The Ackee Blockchain Security Team successfully performed the audit of Fixed Rate Swap. The re-audit was completed on 18.11.2021, and the second re-audit was completed on 02.12.2021

FixedRateSwap is an AMM (Automated Market Maker) that provides liquidity for swaps with 1:1 rate and variable fees.

We aim for a gradual and diligent approach to auditing 1inch, and therefore our audit methodology consists of:

 

  1. Technical specification/documentation – a brief overview of the system is requested from the client, and the scope of the audit is defined.
  2. Tool-based analysis – a basic check with automated Solidity analysis tools MythX and Slither is performed.
  3. Math validation – mathematical calculations in the code are manually validated if results behave as defined.
  4. Manual code review – the code is checked line by line for common vulnerabilities, code duplication, best practices, and the code architecture is reviewed.
  5. Local deployment + hacking – the contracts are deployed locally, and we try to attack the system and break it.
  6. Unit testing and fuzzy testing – additional unit tests are written in the Brownie testing framework to ensure that the system works as expected. Fuzzy testing is performed by Echidna.

In the beginning, we’ve defined the following main objectives of the audit at the start of the auditing process.

  • Check the code quality, architecture, and best practices.
  • We should re-check if mathematical algorithms are working as described, so there is no possibility of losing the funds due to mathematical errors. 
  • Also, it’s important to ensure that nobody unauthorized can steal the funds held by the contract. 
  • Since the contract doesn’t use a proxy upgrade pattern, we also need to focus on potential denial of service attacks.

What were our findings?

The overall quality of code was good, and the architecture was well designed to avoid code duplicity. Using our toolset, manual code review, unit testing, and fuzzy testing, we’ve identified 2 low severity issues, 2 medium severity issues, and 1 high severity issue.

High severity issues are security vulnerabilities, which require specific steps and conditions to be exploited, or bugs that make a system unusable or unreliable. These issues had to be fixed.

The 1inch’s responsibly took several weeks to resolve the audit findings based on our audit report. As we mentioned above, we agreed on two re-audits. The first re-audit was completed on 18.11.2021. We went through the code diff in the re-audit, analyzed all changes, and audited them. The 1inch’s team correctly fixed all low and severity issues discovered in the audit, and a new feature of the 1inch network invalided the high severity issue. 

After the first re-audit, we were asked to re-validate the fixed code along with the newly implemented code in the first re-audit

The second re-audit was completed on 02.12.2021, and we have discovered just one new minor issue

We are delighted to audit the 1inch network – DeFi / DEX multichain aggregator. And we look forward to furthering cooperation.

The Fixed Rate Wrap audit by Ackee Blockchain can be found here: 1inch Fixed Rate Swap/AckeeBlockchain – audit.