CoW Flash Loan Router is an extension of the CoW Protocol that enables trade solvers to execute multiple flash loans prior to trade settlements. The system integrates with various loan providers through dedicated adapter contracts, allowing for sequential flash loan executions during the settlement process.
CoW engaged Ackee Blockchain Security to perform a security review of the CoW protocol with a total time donation of 5 engineering days in a period between March 17 and March 21, 2025. 1 additional engineering day was allocated to ensure high confidence, particularly regarding the integration of the audited code with the CoW Protocol Core.
CoW then engaged Ackee Blockchain Security to perform a review of fixes of the findings from the previous revision. No new findings were discovered.
METHODOLOGY
We began our audit with a thorough analysis of the contract logic, identifying potential attack vectors and trust model implications. We then employed static analysis tools, including Wake, to verify the absence of common issues.
During the review, we focused on ensuring:
- assembly code contains no logic errors, including memory safety violations;
- trade settlement payloads remain tamper-proof;
- reentrancy attacks are prevented;
- solvers, tokens, lenders, and borrowers cannot compromise user funds;
- compliance with the ERC-3156 standard;
- correct usage of transient storage; and
- identification of common issues and gas optimization opportunities.
SCOPE
The audit was performed on the commit 930914f.
The scope included all Solidity files in the src directory, excluding the src/vendored directory. The vendored files were reviewed only in terms of their usage in the codebase, with their implementation being out of scope.
The fix review was done on the given commit f9c1867. 3 out of 4 findings were fixed, and I2 was acknowledged to benefit from flash loan fee waiving. No new findings were discovered.
FINDINGS
The classification of a security finding is determined by two ratings: impact and likelihood. This two-dimensional classification helps clarify the severity of individual issues. Issues which would be rated as medium severity, but which would likely be discovered only by the team, are typically decreased by the likelihood factor to the Warning or Informational severity ratings.
Our review resulted in 4 findings, ranging from Info to Warning severity.
The code demonstrated exceptional quality, with findings primarily related to code and gas optimization improvements. The codebase features comprehensive documentation, including clear explanations of caveats and code correctness reasoning. The system trust model, expected usage, and security assumptions are thoroughly documented.
3 out of 4 findings were confirmed fixed in the fix review, and I2 was acknowledged to benefit from flash loan fee waiving. No new findings were discovered.
Critical severity
No critical severity issues were found.
High severity
No high severity issues were found.
Medium severity
No medium severity issues were found.
Low severity
No low severity issues were found.
Warning severity
W1: Missing events
Informational severity
I1: Documentation errors
I2: Aave flash loan call optimization
I3: Missing view in interfaces
TRUST MODEL
Tokens interacted with, flash loan adapters, and flash loan providers are trusted not to disrupt transaction execution by causing the transaction to revert. These entities are also trusted not to abuse the front-running opportunity to worsen the market conditions up to the slippage tolerance set in the trades to be settled.
CONCLUSION
Ackee Blockchain Security’s full CoW audit report can be found here.
We were delighted to audit CoW and look forward to working with them again.