{"id":1050,"date":"2025-06-03T11:56:48","date_gmt":"2025-06-03T09:56:48","guid":{"rendered":"https:\/\/ackee.xyz\/blog\/?p=1050"},"modified":"2025-06-03T11:56:48","modified_gmt":"2025-06-03T09:56:48","slug":"unstoppable-domains-audit-summary","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/unstoppable-domains-audit-summary\/","title":{"rendered":"Unstoppable Domains Audit Summary"},"content":{"rendered":"<p class=\"p1\">The Unstoppable Domains protocol allows the creation and management of domains on the Solana blockchain. These can be top-level domains, which in turn can have second-level domains. Second-level domains take the form of non-fungible tokens (NFTs) minted to the users. Each domain name can be in circulation only once.<\/p>\n<p class=\"p1\">Unstoppable Domains engaged Ackee Blockchain Security to perform a security review of Web3 Domains with a total time donation of 13 engineering days in a period between April 1 and April 10, 2025.<\/p>\n<p>A second review, covering the fixes, was then performed on April 24, 2025.<\/p>\n<h2><span style=\"font-weight: 400;\">METHODOLOGY<\/span><\/h2>\n<p class=\"p1\">We began our review by understanding the protocol\u2019s design and architecture. During this initial phase, we gathered all available information, including documentation, web page functionality, and project intentions.<\/p>\n<p class=\"p1\">In the second phase, we performed a manual review and wrote fuzz tests side by side. This process helped us better understand the project\u2019s source code while implementing the fuzz tests. 
During the manual review, we dove deeper into the functionality of the code, simultaneously writing proof-of-concept tests to confirm our hypotheses and test the correctness of the instructions.<\/p>\n<p class=\"p1\">During this phase we paid special attention to whether:<\/p>\n<ul>\n<li class=\"p1\">the program logic is implemented as intended;<\/li>\n<li class=\"p1\">all Program Derived Addresses are correctly derived;<\/li>\n<li class=\"p1\">there are no possible access violations;<\/li>\n<li class=\"p1\">the protocol behaves fairly;<\/li>\n<li class=\"p1\">the Cross-Program Invocations are implemented correctly;<\/li>\n<li class=\"p1\">the Token-2022 Transfer Hook follows the standard;<\/li>\n<li class=\"p1\">the architecture fits together; and<\/li>\n<li class=\"p1\">there are no places where the protocol could be misused.<\/li>\n<\/ul>\n<p class=\"p1\">The final stage consisted of writing invariant checks. For fuzz testing, we used the <a href=\"https:\/\/usetrident.xyz\"><span class=\"s2\">Trident<\/span><\/a> fuzzing framework. The framework is designed for fuzz testing Solana programs written using the Anchor framework. 
During fuzzing, we identified the <span class=\"s2\">L1 issue<\/span>, where the refund recipient account in some of the instructions is not marked writable, which causes those instructions to fail.<\/p>\n<h2><span style=\"font-weight: 400;\">SCOPE<\/span><\/h2>\n<p>The first audit was performed on commit <code class=\"codehl\">ab4cecd<\/code> and the scope was the following:<\/p>\n<ul>\n<li class=\"p2\">Unstoppable Domains Solana Contract<span class=\"s4\">, excluding external dependencies<\/span><\/li>\n<\/ul>\n<p class=\"p1\">The fix review was performed on commit <code class=\"codehl\">844296e<\/code>.<\/p>\n<h2><span style=\"font-weight: 400;\">FINDINGS<\/span><\/h2>\n<p>The classification of a security finding is determined by two ratings: <b>impact<\/b> and <b>likelihood<\/b>. This two-dimensional classification helps clarify the severity of individual issues. Issues which would be rated as <i>medium<\/i> severity, but which would likely be discovered only by the team, are typically decreased by the likelihood factor to the <i>Warning<\/i> or <i>Informational<\/i> severity ratings.<\/p>\n<p class=\"p1\">Our review resulted in 9 findings, ranging from Info to Low severity. The most severe finding, <span class=\"s1\">L1<\/span>, reveals the possibility of instruction failure because the refund recipient account is not marked writable. 
All issues have been either fixed or acknowledged by the client.<\/p>\n<p>The second security review was limited to the issues found in the first security review; no other code changes were audited.<\/p>\n<h3><span style=\"font-weight: 400;\">Critical severity<\/span><\/h3>\n<p>No critical severity issues were found.<\/p>\n<h3><span style=\"font-weight: 400;\">High severity<\/span><\/h3>\n<p>No high severity issues were found.<\/p>\n<h3><span style=\"font-weight: 400;\">Medium severity<\/span><\/h3>\n<p>No medium severity issues were found.<\/p>\n<h3><span style=\"font-weight: 400;\">Low severity<\/span><\/h3>\n<p>L1: Insufficient mutability for refund recipient<\/p>\n<h3><span style=\"font-weight: 400;\">Warning severity<\/span><\/h3>\n<p>W1: Second-level domain can be blocked forever<\/p>\n<p class=\"p1\">W2: Possibility of losing <code class=\"codehl\">ProgramAuthority<\/code> access<\/p>\n<p class=\"p1\">W3: Expiration does not sufficiently limit the second-level domain updates<\/p>\n<p class=\"p1\">W4: Record values are not fully overwritten<\/p>\n<p class=\"p1\">W5: Insufficient top-level domain validation<\/p>\n<h3><span style=\"font-weight: 400;\">Informational severity<\/span><\/h3>\n<p class=\"p1\">I1: Unnecessary space allocation for the <code class=\"codehl\">Tld<\/code> account<\/p>\n<p class=\"p1\">I2: Unnecessary source code<\/p>\n<p class=\"p1\">I3: <code class=\"codehl\">InitSpace<\/code> macro can be used instead of literal values<\/p>\n<h2><span style=\"font-weight: 400;\">TRUST MODEL<\/span><\/h2>\n<p class=\"p2\">The protocol implements, to some extent, a Role-based Access Control (RBAC) mechanism. The roles are:<\/p>\n<ul>\n<li class=\"p2\"><span class=\"s1\"><code class=\"codehl\">program authority<\/code><\/span> \u2013 apart from the smart contract upgrade authority, this is the role with the highest privileges (e.g. 
appointing new minters);<\/li>\n<li class=\"p2\"><span class=\"s1\"><code class=\"codehl\">minter<\/code><\/span> \u2013 a role with the ability to mint new second-level domains, update domain metadata, modify the domain expiration, and add and remove records before a domain is minted.<\/li>\n<\/ul>\n<p class=\"p2\">Users must trust:<\/p>\n<ul>\n<li class=\"p2\"><span class=\"s1\"><code class=\"codehl\">program authority<\/code> <\/span>to appoint responsible minters.<\/li>\n<\/ul>\n<h2><span style=\"font-weight: 400;\">CONCLUSION<\/span><\/h2>\n<p class=\"p1\">Ackee Blockchain Security recommends that Unstoppable Domains:<\/p>\n<ul>\n<li class=\"p1\">resolve all identified issues;<\/li>\n<li class=\"p1\">improve validation of the top-level domain; and<\/li>\n<li class=\"p1\">reconsider the architecture behind the second-level domain expiration.<\/li>\n<\/ul>\n<p><b><a href=\"https:\/\/ackee.xyz\">Ackee Blockchain Security<\/a>\u2019s full Unstoppable Domains audit report can be found <a href=\"https:\/\/github.com\/Ackee-Blockchain\/public-audit-reports\/blob\/master\/2025\/ackee-blockchain-unstoppable-domains-web3-domains-report.pdf\">here<\/a>.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">We were delighted to audit Unstoppable Domains and look forward to working with them again.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Unstoppable Domains protocol allows the creation and management of domains on the Solana blockchain. These can be top-level domains, which in turn can have second-level domains. Second-level domains take the form of non-fungible tokens (NFTs) minted to the users. Each domain name can be in circulation only once. 
Unstoppable Domains engaged Ackee Blockchain Security to perform a security review of Web3 Domains&hellip;<\/p>\n","protected":false},"author":30,"featured_media":1051,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,5,113],"tags":[21,89,6,151],"class_list":["post-1050","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audits","category-solana","category-trident","tag-audit","tag-audit-summary","tag-solana","tag-unstoppable-domains"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2025\/06\/unstoppable-blog-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2025\/06\/unstoppable-blog-600x600.png","author_info":{"display_name":"Tom\u00e1\u0161 Kova\u0159\u00edk","author_link":"https:\/\/ackee.xyz\/blog\/author\/tomas-kovarik\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/1050","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/30"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=1050"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/1050\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/1051"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=1050"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=1050"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=1050"}],"curies":[{"name":"wp","href":"https:\/
\/api.w.org\/{rel}","templated":true}]}}