The Reserve Protocol is the first platform that allows for the permissionless creation of asset-backed, yield-bearing & overcollateralized stablecoins on Ethereum. 

Reserve engaged Ackee Blockchain to perform a security review of the Reserve Protocol with a total time donation of 20 engineering days in a period between July 27 and August 25, 2022. 

METHODOLOGY

We began our review by using static analysis tools, namely Slither and the solc compiler. 

This flagged several suspected issues, which we investigated in detail. Most of them were marked as false positives. We then took a deep dive into the logic of the contracts. During the review, we paid special attention to:

  • understanding the protocol architecture
  • line-by-line code review
  • checking the upgradeability implementation
  • detecting possible reentrancies in the code
  • ensuring access controls are not too relaxed or too strict
  • looking for common issues, such as data validation.

SCOPE

Three auditors performed the audit on the public repository with the following commits and files:

Revision 1.1 was done on the given commit: 6559fcd from October 6, 2022.

FINDINGS

Here we present our findings.

Critical severity 

No critical severity issues were found. 

High severity 

No high severity issues were found. 

Medium severity

M1: Unlimited allowance 

M2: Downcasting overflow

M3: Insufficient data validation

Low severity

No low severity issues were found. 

Warning severity

W1: Code duplications

W2: Basket nonce double increment

W3: Enum to uint casting

W4: Wrong revert message

W5: Support for metatransactions

W6: Usage of solc optimizer

Informational severity

I1: Unnecessary function override

CONCLUSION

Our review resulted in 10 findings, ranging from Info to Medium severity. The three most severe (medium) issues, M1: Unlimited allowance, M2: Downcasting overflow and M3: Insufficient data validation, do not directly endanger the protocol in a reasonable timespan. 

During our review, we investigated some potentially severe issues, including one potentially critical issue. None of the potentially severe issues was confirmed after we wrote an exploit script.

We recommend that Reserve:

  • be aware of malicious token implementations
  • remove code duplications
  • address or explain all reported issues
  • add Natspec documentation.

Ackee Blockchain’s full Reserve audit report with a more detailed description of all findings and recommendations can be found here.

We were delighted to audit Reserve and look forward to working with them again.