Catalyst enables direct atomic swaps between different blockchains, such as Ethereum, Cosmos, and rollups like Optimism and Eclipse — eliminating the need for bridged assets.

Catalyst’s Incentivized Message Escrow protocol serves as an abstraction layer between Arbitrary Message Bridges (AMBs) and the applications that use them. It allows applications to send messages across chains in a trustless manner. The protocol is designed to be chain-agnostic, meaning that it can be used with any blockchain compatible with the EVM.

Catalyst engaged Ackee Blockchain to perform a security review of the changes to the Generalised Incentives protocol. The smart contracts had previously been audited with a total time donation of 10 engineering days in a period between April 15 and April 26, 2024. The previous Catalyst audit summary covers Revisions 1.0 and 1.1. This audit summary focuses on the methodology, findings, and recommendations of Revisions 2.0 and 2.1.

METHODOLOGY

We began our review with static analysis tools, namely Wake. We then took a deep dive into the logic of the contracts and used the Wake testing framework for cross-chain testing.

While the total scope included minor changes in several contracts, the main goal of the review was to verify the correctness of integrating the Incentivized Message Escrow protocol with the LayerZero AMB.

SCOPE

Revision 2.0
The audit was performed on commit bb8c4d9, and the scope included all the changes from PR#52 up to commit bb8c4d9.

Revision 2.1
The review was done on multiple commits from several pull requests:

  • Issue W11 was fixed in PR#55, commit 040e175
  • Issue W12 was fixed in PR#54, commit 0d9f2ba
  • Issue I4 was fixed in PR#56, commit db0c96e

Of the 4 findings, 3 were fixed and one, W10, was acknowledged.

FINDINGS

Here we present our findings.

Critical severity

No critical severity issues were found. 

High severity

No high severity issues were found. 

Medium severity

No medium severity issues were found. 

Low severity

No low severity issues were found. 

Warning severity

W10: Non-standard use of the LayerZero tech stack

W11: Incorrect SPDX license identifier

W12: Unused code

Information severity

I4: Typos

CONCLUSION

Our review resulted in 4 findings, ranging from Information to Warning severity. The potentially most impactful issue is W10, the non-standard use of the LayerZero stack.

Ackee Blockchain recommends that Catalyst:

  • consider changing the design of the LayerZero integration to a more standard approach or contacting the LayerZero team for a review,
  • fix typos in the documentation,
  • remove unused code,
  • address all other reported issues.

Ackee Blockchain’s full Catalyst audit report with a more detailed description of all findings and recommendations can be found here.

We were delighted to audit Catalyst and look forward to working with them again.