Axelar network is a scalable cross-chain communication platform.

Axelar engaged Ackee Blockchain to perform a security review of the Axelar Utils and Squid Router implementation with a total time donation of 5 engineering days in a period between October 3 and October 7, 2022.

Between October 31, 2022 and November 2, 2022, Ackee Blockchain performed Revision 1.0.

METHODOLOGY

We began our review by using static analysis tools, namely Woke and Slither.

Then we implemented fuzz tests using Woke and Brownie to discover potential vulnerabilities.

We took a deep dive into the logic of the contracts. During the review, we paid special attention to verifying that:

  • contracts are not susceptible to re-entrancy attacks
  • users of the contracts cannot lose their funds
  • helper and library functions work for all possible inputs
  • input data are properly validated.

SCOPE 

The audit was performed on two repositories with the following commits and files.

  1. Axelar Utils – 726020f
  • contracts/ConstAddressDeployer.sol
  • contracts/StringAddressUtils.sol
  • contracts/StringBytesUtils.sol

  2. A private repository – cdd406a
  • packages/squidswap-contracts/contracts/RoledPausable.sol
  • packages/squidswap-contracts/contracts/SquidMulticall.sol
  • packages/squidswap-contracts/contracts/SquidRouterProxy.sol
  • packages/squidswap-contracts/contracts/SquidRouter.sol

During Revision 1.0, Ackee Blockchain performed an audit of a private repository at commit 06d90e8 covering the following file:

  • packages/squidswap-contracts/contracts/SquidFeeCollector.sol

FINDINGS

Here we present our findings.

Critical severity 

No critical severity issues were found. 

High severity 

H1: fundAndRunMulticall is not pausable

Medium severity

M1: Missing Call.callType validation

M2: Missing isContract check in SquidMulticall

M3: Memory address overflow in _setCallDataParameter

M4: Multicall implementation being too generic 

M5: Re-entrancy in SquidRouter

M6: Missing refundRecipient validation

M7: Missing destinationChain validation 

Low severity

No low severity issues were found.

Warning severity

W1: Missing validation of the 0x prefix in string addresses 

W2: Use of solc optimizer

W3: Address helper functions not respecting EIP-55

W4: SquidRouter pausable can be bypassed

W5: Integrator specific fee validation

W6: Integrator specific fee cannot be zero

W7: Maximum integrator fee check can be bypassed

Informational severity

I1: Unnecessary abi.encodePacked

I2: Multiple calls to pendingPauser

I3: Bytes length accessed in a for loop condition

I4: Inconsistent for loop incrementation

I5: Address code length can be checked before a call

I6: For loop variable can be incremented in an unchecked block

I7: Missing NatSpec documentation

I8: Inconsistent behavior: Revert vs return default

CONCLUSION

Our review resulted in 20 findings, ranging from Info to High severity. 

Ackee Blockchain recommends Axelar and Squid:

  • to reconsider the current architecture, which is generic enough to allow loss of user funds through improperly crafted input data
  • not to rely only on the off-chain implementation and to add data validation to the contracts
  • to add NatSpec comments to the code
  • to address all other reported issues.

Ackee Blockchain’s full Axelar and Squid audit report with a more detailed description of all findings and recommendations can be found here.

We were delighted to audit Axelar and Squid and look forward to working with them again.