Axelar engaged Ackee Blockchain to review and audit their Cross-Chain Gateway Protocol between January 31 and February 16, 2022. The entire audit process was conducted with a total time commitment of 9 engineering days. We now publish a summary of our results.

Methodology

We start by reviewing the specifications, sources, and instructions provided to us, which is essential to ensure we understand the project’s size, scope, and functionality. This is followed by due diligence using the automated Solidity analysis tools and Slither.

In addition to tool-based analysis, we continue with a detailed manual code review, which is the process of reading the source code line by line to identify potential vulnerabilities or code duplications. When the code review is complete, we run unit tests to ensure the system works as expected and potentially write missing unit or fuzzy tests. We also deploy the contracts locally and try to attack and break the system.

Scope 

We audited commit c6f8c7c of the axelarnetwork/axelar-cgp-solidity repository.

During the security review, we paid particular attention to:

  • checking if nobody can breach the protocol;
  • checking the correctness of the upgradeability implementation;
  • checking possible pitfalls with upgrade from v1.0.0 (e5e74b1) to v2.0.0 (c6f8c7c);
  • ensuring access controls are not too relaxed;
  • looking for common issues such as data validation.

Findings

Here we present our findings.

Critical severity 

No critical severity issues were found.

High severity 

H1: Insufficient data validation in the upgrade function

H2: Unchecked transfer for external tokens

Medium severity

M1: _containsDuplicates function can be optimized

Low severity

L1: ERC20 is missing basic arithmetic checks

Warning severity

W1: Usage of solc optimizer

W2: Floating pragma

W3: Transaction replay

W4: Pitfalls of upgradeability

Informational severity 

I1: Integer underflow if the owner epoch is 0

Conclusion

Our review resulted in 9 findings ranging from Informational to High severity.

Generally, we can state that the code quality is very good. Tests are well written, the project repository on GitHub follows good engineering principles, and the team always responded quickly. 

However, the project is quite complex to audit because of the upgradeability pattern (Eternal Storage) and present low-level calls. The complexity can be a potential source of bugs in future development, so we recommend keeping the project audited between upgrades.

After the audit, we recommended Axelar to: 

  • address all reported issues; 
  • create documentation. 

Update: Between February 21 and 23, 2022, a re-audit was performed to check fixes of the reported issues. Axelar did not address some findings (L1, W1, W3, I1) as they found them not concerning/applicable. Apart from fixing the H1 issue, we consider the fixes well performed. W4 was left untouched, thus there is still a risk of a protocol breach (in the context of Upgradeability).

 

Ackee Blockchain’s full Cross-Chain Gateway Protocol audit report with a more detailed description of all findings and recommendations can be found here.

 

Follow-up audit I

Axelar commissioned our team to perform a follow-up audit of their CGP between March 22 and 31, 2022. The entire audit process was conducted with a total time commitment of 10 engineering days.

Scope 

We audited commit 838de95e41 of the axelarnetwork/axelar-cgp-solidity repository.

During the security review, we paid particular attention to the following questions:

  • Is the correctness of the contract ensured?
  • Do the contracts correctly use dependencies or other contracts they rely on, such as OpenZeppelin dependencies?
  • Are access controls not too relaxed or too strict?
  • Are the upgradeable contracts subject to common upgradeability pitfalls?
  • Is the code vulnerable to re-entrancy attacks through ERC777-style contracts or maliciously supplied user input?

Findings

Here we present our findings.

Critical severity 

No critical severity issues were found.

High severity 

H1: AxelarGatewayMultisig .transferOperatorship emits an event with an incorrect value

Medium severity

M1: Pitfalls of upgradeability

M2: abi.encodePacked contains dynamic-length data

M3: Several external calls lack existence checks

M4: _execute functions set command as executed even before it gets executed

M5: Commands that failed can be re-run

M6: Usage of solc optimizer

Low severity

No low severity issues were found.

Warning severity 

W1: AxelarGatewayMultisig ignores epoch 0

W2: Cannot use multiple tokens with same symbol

Informational severity 

I1: Many operations don’t emit events

Conclusion

Our review resulted in 10 findings ranging from Informational to High severity.

The most severe one was that an observer could make incorrect decisions since an event logs incorrect values (H1).

We recommended Axelar to:

  • correct the incorrect event emission;
  • revise the upgradeability mechanism (M1);
  • pay special attention to edge cases such as string collision in abi.encodePacke (M2);
  • address all other reported issues.

Update: On April 7, 2022, StakerDAO provided an updated codebase that addresses the reported issues.

Specifically, we reviewed tag v3.1.0 with commit 4067ed6c8f. Compared to the scope commit, this tag set out to tackle the following problems: H1; M2; not possible to freeze external ERC20 tokens.

We found that the commits successfully address two of the reported issues, introduce no vulnerabilities, and also successfully address the third issue. We recommend Axelar to address all other reported issues.

 

Ackee Blockchain’s full Cross-Chain Gateway Protocol follow-up audit report with a more detailed description of all findings and recommendations can be found here.

 

Follow-up audit II

Axelar engaged our team to conduct a further follow-up audit of their CGP between May 10 and 13, 2022. The entire audit process was conducted with a total time commitment of 3 engineering days.

Scope 

Initially, three engineering days were allocated to audit the new protocol changes between versions v3.1.1 and v3.2.2, particularly the gas optimizations and the new GasReceiver feature. However, in the middle of the audit, Axelar changed the scope to validate the new AxelarDepositService feature. After we provided quick feedback on the new feature, Axelar sent us a new commit addressing our findings.

Therefore this audit was conducted on three different commits over three days, and as a result, we present only a draft report of our findings.

We worked on the following commits:

  • protocol v3.2.2: 6c895ff,
  • GasReceiver feature before feedback: 5d95c55,
  • GasReceiver feature after feedback: 6a8bdd5.

Findings

Here we present our findings.

Critical severity 

No critical severity issues were found.

High severity 

No high severity issues were found.

Medium severity

M1: Upgradeability

M2: External calls lack existance checks

M3: Token symbol and address decoupling

M4: Token symbol length validation

Low severity

No low severity issues were found.

Warning severity 

W1: Usage of solc optimizer

W2: Misleading error

W3: Event data validation

Informational severity 

No informational severity issues were found.

Conclusion

Our review resulted in 7 findings ranging from Warning to Medium severity.

As mentioned above, we present only a draft report of our findings. With this approach, we tried to maximize our support for Axelar during a turbulent market period.

 

Ackee Blockchain’s Cross-Chain Gateway Protocol draft report with a more detailed description of all findings and recommendations can be found here.

 

We were delighted to audit Axelar and look forward to working with them again.