Prime Protocol allows users to deposit assets on any supported chain and receive a loan in another asset, backed by their entire portfolio of assets. The scope of this audit was the Wormhole route, which is used for message passing in the protocol.
Prime engaged Ackee Blockchain to perform a security review of the Wormhole route of the Prime protocol with a total time donation of 5 engineering days in a period between January 9 and January 13, 2023.
METHODOLOGY
We began our review by using static analysis tools, namely Woke. We then took a deep dive into the logic of the contracts and used the Woke testing framework for cross-chain testing. During the review, we paid special attention to:
- checking if chain IDs are correctly translated during cross-chain calls
- ensuring the messages cannot be replayed maliciously
- detecting possible reentrancies in the code
- ensuring access controls are not too relaxed or too strict
- looking for common issues such as data validation.
SCOPE
The audit was performed on commit 5942f84, and the exact scope was the following files:
- WormholeAdmin.sol
- WormholeEvents.sol
- WormholeModifiers.sol
- WormholeRoute.sol
- WormholeStorage.sol
FINDINGS
Here we present our findings.
Critical severity
No critical severity issues were found.
High severity
No high severity issues were found.
Medium severity
M1: Unlimited allowance
M2: Downcasting overflow
M3: Insufficient data validation
Low severity
No low severity issues were found.
Warning severity
W1: Admin functions data validation
W2: Replay attack protection
W3: Usage of solc optimizer
Informational severity
I1: Missing NatSpec documentation
I2: Too much similar function names
I3: The changeAdmin function should emit an event
CONCLUSION
Our review resulted in 6 findings, ranging from Info to Warning severity.
We recommend Prime to:
- create a NatSpec documentation for easier reviews
- address all other reported issues.
Ackee Blockchain’s full Prime audit report with a more detailed description of all findings and recommendations can be found here.
We were delighted to audit Prime and look forward to working with them again.