Axelar Network is a scalable cross-chain communication platform.

Axelar engaged Ackee Blockchain to perform a security review of the Axelar Utils and Squid Router implementation with a total time donation of 5 engineering days in a period between October 3 and October 7, 2022.

Between October 31, 2022 and November 2, 2022, Ackee Blockchain performed Revision 1.0.


We began our review by using static analysis tools, namely Wake and Slither.

Then we implemented fuzz tests using Woke and Brownie to discover potential vulnerabilities. 

We took a deep dive into the logic of the contracts. During the review, we paid special attention to: 

  • contracts are not susceptible to re-entrancy attacks
  • users of the contracts cannot lose their funds
  • helper and library functions work for all possible inputs
  • input data are properly validated.


The audit was performed on two repositories with the following commits and files.

  1. Axelar Utils – 726020f 
  • contracts/ConstAddressDeployer.sol
  • contracts/StringAddressUtils.sol
  • contracts/StringBytesUtils.sol 

      2. A private repository – cdd406a

  • packages/squidswap-contracts/contracts/RoledPausable.sol
  • packages/squidswap-contracts/contracts/SquidMulticall.sol
  • packages/squidswap-contracts/contracts/SquidRouterProxy.sol
  • packages/squidswap-contracts/contracts/SquidRouter.sol

During Revision 1.0 Ackee Blockchain performed an audit of a private repository with the commit 06d90e8 and the following file:

  • packages/squidswap-contracts/contracts/SquidFeeCollector.sol


Here we present our findings.

Critical severity 

No critical severity issues were found. 

High severity 

H1: fundAndRunMulticall is not pausable

Medium severity

M1: Missing Call.callType validation

M2: Missing isContract check in SquidMulticall

M3: Memory address overflow in _setCallDataParameter

M4: Multicall implementation being too generic 

M5: Re-entrancy in SquidRouter

M6: Missing refundRecipient validation

M7: Missing destinationChain validation 

Low severity

No low severity issues were found.

Warning severity

W1: Missing validation of the 0x prefix in string addresses 

W2: Use of solc optimizer

W3: Address helper functions not respecting EIP-55

W4: SquidRouter pausable can be bypassed

W5: Integrator specific fee validation

W6: Integrator specific fee cannot be zero

W7: Maximum integrator fee check can be bypassed

Informational severity

I1: Unnecessary abi.encodePacked

I2: Multiple calls to pendingPauser

I3: Bytes length accessed in a for loop condition

I4: Inconsistent for loop incrementation

I5: Address code length can be checked before a call

I6: For loop variable can be incremented in an unchecked block

I7: Missing NatSpec documentation

I8: Inconsistent behavior: Revert vs return default


Our review resulted in 20 findings, ranging from Info to High severity. 

Ackee Blockchain recommends Axelar and Squid:

  • to reconsider the current architecture being too generic allowing loss of user funds with improperly crafted input data
  • not to rely only on the off-chain implementation and add data validation to the contracts
  • to add NatSpec comments to the code
  • to address all other reported issues.

Ackee Blockchain’s full Axelar and Squid audit report with a more detailed description of all findings and recommendations can be found here.

We were delighted to audit Axelar and Squid and look forward to working with them again.