Axelar engaged Ackee Blockchain to review and audit their Cross-Chain Gateway Protocol between January 31 and February 16, 2022. The entire audit process was conducted with a total time commitment of 9 engineering days. We now publish a summary of our results.

Methodology

We start by reviewing the specifications, sources, and instructions provided to us, which is essential to ensure we understand the project’s size, scope, and functionality. This is followed by due diligence using automated Solidity analysis tools, including Slither.

In addition to tool-based analysis, we continue with a detailed manual code review, which is the process of reading the source code line by line to identify potential vulnerabilities or code duplications. When the code review is complete, we run unit tests to ensure the system works as expected and, where necessary, write missing unit or fuzz tests. We also deploy the contracts locally and try to attack and break the system.

Scope

We audited commit c6f8c7c of the axelarnetwork/axelar-cgp-solidity repository.

During the security review, we paid particular attention to:

  • checking if nobody can breach the protocol;
  • checking the correctness of the upgradeability implementation;
  • checking possible pitfalls with upgrade from v1.0.0 (e5e74b1) to v2.0.0 (c6f8c7c);
  • ensuring access controls are not too relaxed;
  • looking for common issues such as data validation.

Findings

Here we present our findings.

Critical severity

No critical severity issues were found.

High severity

H1: Insufficient data validation in the upgrade function

H2: Unchecked transfer for external tokens

Medium severity

M1: _containsDuplicates function can be optimized

Low severity

L1: ERC20 is missing basic arithmetic checks

Warning severity

W1: Usage of solc optimizer

W2: Floating pragma

W3: Transaction replay

W4: Pitfalls of upgradeability

Informational severity

I1: Integer underflow if the owner epoch is 0

Conclusion

Our review resulted in 9 findings ranging from Informational to High severity.

Generally, we can state that the code quality is very good. Tests are well written, the project repository on GitHub follows good engineering principles, and the team always responded quickly.

However, the project is quite complex to audit because of the upgradeability pattern (Eternal Storage) and present low-level calls. The complexity can be a potential source of bugs in future development, so we recommend keeping the project audited between upgrades.

After the audit, we recommended Axelar to:

  • address all reported issues;
  • create documentation.

Update: Between February 21 and 23, 2022, a re-audit was performed to check fixes of the reported issues. Axelar did not address some findings (L1, W1, W3, I1) as they found them not concerning/applicable. Apart from fixing the H1 issue, we consider the fixes well performed. W4 was left untouched, thus there is still a risk of a protocol breach (in the context of Upgradeability).


Ackee Blockchain’s full Cross-Chain Gateway Protocol audit report with a more detailed description of all findings and recommendations can be found here.

Follow-up audit I

Axelar commissioned our team to perform a follow-up audit of their CGP between March 22 and 31, 2022. The entire audit process was conducted with a total time commitment of 10 engineering days.

Scope

We audited commit 838de95e41 of the axelarnetwork/axelar-cgp-solidity repository.

During the security review, we paid particular attention to the following questions:

  • Is the correctness of the contract ensured?
  • Do the contracts correctly use dependencies or other contracts they rely on, such as OpenZeppelin dependencies?
  • Are access controls not too relaxed or too strict?
  • Are the upgradeable contracts subject to common upgradeability pitfalls?
  • Is the code vulnerable to re-entrancy attacks through ERC777-style contracts or maliciously supplied user input?

Findings

Here we present our findings.

Critical severity

No critical severity issues were found.

High severity

H1: AxelarGatewayMultisig.transferOperatorship emits an event with an incorrect value

Medium severity

M1: Pitfalls of upgradeability

M2: abi.encodePacked contains dynamic-length data

M3: Several external calls lack existence checks

M4: _execute functions set command as executed even before it gets executed

M5: Commands that failed can be re-run

M6: Usage of solc optimizer

Low severity

No low severity issues were found.

Warning severity

W1: AxelarGatewayMultisig ignores epoch 0

W2: Cannot use multiple tokens with same symbol

Informational severity

I1: Many operations don’t emit events

Conclusion

Our review resulted in 10 findings ranging from Informational to High severity.

The most severe one was that an observer could make incorrect decisions since an event logs incorrect values (H1).

We recommended Axelar to:

  • correct the incorrect event emission;
  • revise the upgradeability mechanism (M1);
  • pay special attention to edge cases such as string collision in abi.encodePacked (M2);
  • address all other reported issues.
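The string collision behind M2, as an added example that is not part of Ackee's report or Axelar's code: a minimal Python model of how Solidity's abi.encodePacked and abi.encode serialise two string arguments, showing why the packed form is unsafe as a hash or key input and the standard form is not (the function names encode_packed, encode and collides, and the sample inputs, are assumptions).

```python
# Added example: models Solidity ABI encoding of dynamic-length arguments
# (bytes/string) to show the collision described in finding M2.

def encode_packed(*args: bytes) -> bytes:
    """abi.encodePacked for dynamic types: raw concatenation with neither
    a length prefix nor padding, so argument boundaries are lost."""
    return b"".join(args)


def _pad32(data: bytes) -> bytes:
    """Right-pad to a multiple of 32 bytes, as the standard ABI does."""
    return data + b"\x00" * (-len(data) % 32)


def encode(*args: bytes) -> bytes:
    """abi.encode for dynamic types: a head of 32-byte offsets followed by
    length-prefixed, 32-byte-padded tails. Lengths are part of the output,
    so re-splitting the same characters yields different bytes."""
    head, tail = b"", b""
    for arg in args:
        offset = 32 * len(args) + len(tail)       # byte offset of this tail
        head += offset.to_bytes(32, "big")
        tail += len(arg).to_bytes(32, "big") + _pad32(arg)
    return head + tail


def collides(fn, a: tuple, b: tuple) -> bool:
    """True if two different argument tuples serialise to identical bytes.
    Identical bytes hash identically, so any keccak256-based key or
    signature digest built from them is indistinguishable."""
    return a != b and fn(*a) == fn(*b)


# Constructed inputs: the same characters split at different points.
A = (b"ab", b"c")
B = (b"a", b"bc")

if __name__ == "__main__":
    print("encodePacked collides:", collides(encode_packed, A, B))  # True
    print("encode collides:      ", collides(encode, A, B))         # False
```

The defensive takeaway is the one the report gives: hash abi.encode output, or place a fixed-size type between dynamic arguments, whenever the digest must identify the arguments uniquely.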

Update: On April 7, 2022, StakerDAO provided an updated codebase that addresses the reported issues.

Specifically, we reviewed tag v3.1.0 with commit 4067ed6c8f. Compared to the scope commit, this tag set out to tackle the following problems: H1; M2; not possible to freeze external ERC20 tokens.

We found that the commits successfully address all three of these problems (the two reported findings and the inability to freeze external ERC20 tokens) and introduce no new vulnerabilities. We recommend Axelar to address all other reported issues.


Ackee Blockchain’s full Cross-Chain Gateway Protocol follow-up audit report with a more detailed description of all findings and recommendations can be found here.

Follow-up audit II

Axelar engaged our team to conduct a further follow-up audit of their CGP between May 10 and 13, 2022. The entire audit process was conducted with a total time commitment of 3 engineering days.

Scope

Initially, three engineering days were allocated to audit the new protocol changes between versions v3.1.1 and v3.2.2, particularly the gas optimizations and the new GasReceiver feature. However, in the middle of the audit, Axelar changed the scope to validate the new AxelarDepositService feature. After we provided quick feedback on the new feature, Axelar sent us a new commit addressing our findings.

Therefore, this audit was conducted on three different commits over three days, and as a result, we present only a draft report of our findings.

We worked on the following commits:

  • protocol v3.2.2: 6c895ff,
  • GasReceiver feature before feedback: 5d95c55,
  • GasReceiver feature after feedback: 6a8bdd5.

Findings

Here we present our findings.

Critical severity

No critical severity issues were found.

High severity

No high severity issues were found.

Medium severity

M1: Upgradeability

M2: External calls lack existence checks

M3: Token symbol and address decoupling

M4: Token symbol length validation

Low severity

No low severity issues were found.

Warning severity

W1: Usage of solc optimizer

W2: Misleading error

W3: Event data validation

Informational severity

No informational severity issues were found.

Conclusion

Our review resulted in 7 findings ranging from Warning to Medium severity.

As mentioned above, we present only a draft report of our findings. With this approach, we tried to maximize our support for Axelar during a turbulent market period.


Ackee Blockchain’s Cross-Chain Gateway Protocol follow-up audit report with a more detailed description of all findings and recommendations can be found here.

Auth Contract and Deposit Service audit

Between July 18 and July 25, 2022, Axelar engaged our team to review and audit the Deposit Service and the Auth contract, which are part of the cross-chain protocol. The entire audit process was conducted with a total time commitment of 6 engineering days.

Scope

We audited commit 1cd26b3 of the axelarnetwork/axelar-cgp-solidity repository and focused on the changes proposed in the feature branch AxelarAuthWeighted and the feature branch DepositService.

During the security review, we paid particular attention to:

  • validating that the proofs in the Auth contract cannot be forged;
  • detecting possible reentrancies in the code;
  • ensuring access controls are not too relaxed or too strict;
  • looking for common issues such as data validation.

Findings

Here we present our findings.

Critical severity

No critical severity issues were found.

High severity

No high severity issues were found.

Medium severity

M1: Dangerous ownership transfer

M2: Unauthorized sending of tokens

Low severity

No low severity issues were found.

Warning severity

W1: Usage of solc optimizer

W2: Stealing tokens from Deposit Proxy

W3: High privileged owner and single point of failure

W4: Pitfalls of upgradeability

Informational severity

I1: Public functions without internal calls

I2: Confusing naming of errors

Conclusion

Our review resulted in 8 findings ranging from Informational to Medium severity.

We recommended Axelar to:

  • use static analysis tools like Slither;
  • ensure that the privileged owner addresses correspond to robust multisigs;
  • address all the reported issues.


Ackee Blockchain’s Auth Contract and Deposit Service audit report with a more detailed description of all findings and recommendations can be found here.


We were delighted to audit Axelar and look forward to working with them again.