Axelar engaged Ackee Blockchain to review and audit the Crosschain-Dex (private repository) between May 31 and June 3, 2022. The entire audit process was conducted with a total time commitment of 4 engineering days. We now publish a summary of our results.
We start by reviewing the specifications, sources, and instructions provided to us, which is essential to ensure we understand the project's size, scope, and functionality. This is followed by due diligence using automated Solidity analysis tools, including Slither.
In addition to tool-based analysis, we continue with a detailed manual code review, which is the process of reading the source code line by line to identify potential vulnerabilities or code duplications. When the code review is complete, we run unit tests to ensure the system works as expected and potentially write missing unit or fuzz tests. We also deploy the contracts locally and try to attack and break the system.
We started with the commit 5739e73bcfa469c2822c59b76d73ffb1cbf213c5 of the Crosschain-Dex repository, but during the audit the code was changed slightly to improve readability, so the final commit was faedfd700ccc0c004cd204059c68d88e109cf4ee.
Here we present our findings.
No critical severity issues were found.
- H1: Unhandled return value
No medium severity issues were found.
- L1: Payload manipulation
- L2: Unchecked transfer
- W1: Code duplication
- W2: Renounce ownership
- W3: Missing unit tests
- W4: External mint function
- I1: Commented out code
- I2: State variable access
- I3: Missing code documentation
Our review resulted in 10 findings ranging from Informational to High severity.
Generally, we can state that the code quality is good and the smart contracts are easy to read. One of the biggest concerns we identified is the lack of unit tests, which should be essential for every development project.
Our conclusions regarding the Crosschain-Dex project:
- missing unit tests
- potentially dangerous low-level calls and assembly code
- code quality is good but duplications should be removed
- documentation provided is sufficient for audit
- code documentation is missing
After the audit, we recommended that Axelar:
- address all reported issues.
Update: On June 7, 2022, Axelar provided an updated codebase that addresses the reported issues. All findings were acknowledged and some of them (H1, L2, W1, W2) were fixed.
Ackee Blockchain’s full Crosschain-Dex audit report with a more detailed description of all findings and recommendations can be found here.
We were delighted to audit Axelar and look forward to working with them again.