Prime Protocol allows users to deposit assets on any supported chain and receive a loan in another asset, backed by their entire portfolio of assets. The scope of this audit was the Wormhole route, which is used for message passing in the protocol.
Prime engaged Ackee Blockchain to perform a security review of the Wormhole route of the Prime protocol with a total time donation of 5 engineering days in a period between January 9 and January 13, 2023.
We began our review by using static analysis tools, namely Woke. We then took a deep dive into the logic of the contracts and used the Woke testing framework for cross-chain testing. During the review, we paid special attention to:
- checking if chain IDs are correctly translated during cross-chain calls
- ensuring the messages cannot be replayed maliciously
- detecting possible reentrancies in the code
- ensuring access controls are not too relaxed or too strict
- looking for common issues such as data validation.
The audit was performed on commit 5942f84 and the exact scope was the following files:
Here we present our findings.
No critical severity issues were found.
No high severity issues were found.
M1: Unlimited allowance
M2: Downcasting overflow
M3: Insufficient data validation
No low severity issues were found.
W1: Admin functions data validation
W2: Replay attack protection
W3: Usage of solc optimizer
I1: Missing NatSpec documentation
I2: Too much similar function names
I3: The changeAdmin function should emit an event
Our review resulted in 6 findings, ranging from Info to Warning severity.
We recommend that Prime:
- create NatSpec documentation for easier reviews
- address all other reported issues.
Ackee Blockchain’s full Prime audit report with a more detailed description of all findings and recommendations can be found here.
We were delighted to audit Prime and look forward to working with them again.