{"id":1066,"date":"2025-07-14T18:30:09","date_gmt":"2025-07-14T16:30:09","guid":{"rendered":"https:\/\/ackee.xyz\/blog\/?p=1066"},"modified":"2025-08-04T16:24:57","modified_gmt":"2025-08-04T14:24:57","slug":"cow-flash-loan-router-audit-summary","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/cow-flash-loan-router-audit-summary\/","title":{"rendered":"CoW Flash Loan Router Audit Summary"},"content":{"rendered":"<p class=\"p1\">CoW Flash Loan Router is an extension of the CoW Protocol that enables trade solvers to execute multiple flash loans prior to trade settlements. The system integrates with various loan providers through dedicated adapter contracts, allowing for sequential flash loan executions during the settlement process.<\/p>\n<p class=\"p1\">CoW engaged Ackee Blockchain Security to perform a security review of the CoW protocol with a total time donation of 5 engineering days in a period between March 17 and March 21, 2025. 1 additional engineering day was allocated to ensure high confidence, particularly regarding the integration of the audited code with the CoW Protocol Core.<\/p>\n<p>CoW then engaged Ackee Blockchain Security to perform a review of fixes of the findings from the previous revision. No new findings were discovered.<\/p>\n<h2><span style=\"font-weight: 400;\">METHODOLOGY<\/span><\/h2>\n<p>We began our audit with a thorough analysis of the contract logic, identifying potential attack vectors and trust model implications. 
We then employed static analysis tools, including <a href=\"https:\/\/getwake.io\">Wake<\/a>, to verify the absence of common issues.<\/p>\n<p>During the review, we focused on ensuring:<\/p>\n<ul>\n<li>assembly code contains no logic errors, including memory safety violations;<\/li>\n<li>trade settlement payloads remain tamper-proof;<\/li>\n<li>reentrancy attacks are prevented;<\/li>\n<li>solvers, tokens, lenders, and borrowers cannot compromise user funds;<\/li>\n<li>compliance with the ERC-3156 standard;<\/li>\n<li>correct usage of transient storage; and<\/li>\n<li>identification of common issues and gas optimization opportunities.<\/li>\n<\/ul>\n<h2><span style=\"font-weight: 400;\">SCOPE<\/span><\/h2>\n<p>The audit was performed on the commit <code class=\"codehl\">930914f<\/code>.<\/p>\n<p>The scope included all Solidity files in the src directory, excluding the <code class=\"codehl\">src\/vendored<\/code> directory. The vendored files were reviewed only in terms of their usage in the codebase, with their implementation being out of scope.<\/p>\n<p>The fix review was done on the given commit <code class=\"codehl\">f9c1867<\/code>. 3 out of 4 findings were fixed, and I2 was acknowledged to benefit from flash loan fee waiving. No new findings were discovered.<\/p>\n<h2><span style=\"font-weight: 400;\">FINDINGS<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">The classification of a security finding is determined by two ratings: <\/span><b>impact<\/b><span style=\"font-weight: 400;\"> and <\/span><b>likelihood<\/b><span style=\"font-weight: 400;\">. This two-dimensional classification helps clarify the severity of individual issues. 
Issues which would be rated as <\/span><i><span style=\"font-weight: 400;\">medium<\/span><\/i><span style=\"font-weight: 400;\"> severity, but which would likely be discovered only by the team, are typically decreased by the likelihood factor to the <\/span><i><span style=\"font-weight: 400;\">Warning<\/span><\/i><span style=\"font-weight: 400;\"> or <\/span><i><span style=\"font-weight: 400;\">Informational<\/span><\/i><span style=\"font-weight: 400;\"> severity ratings.<\/span><\/p>\n<p class=\"p1\">Our review resulted in 4 findings, ranging from Info to Warning severity.<\/p>\n<p class=\"p1\"><strong>The code demonstrated exceptional quality<\/strong>, with findings primarily related to code and gas optimization improvements. The codebase features comprehensive documentation, including clear explanations of caveats and code correctness reasoning. The system trust model, expected usage, and security assumptions are thoroughly documented.<\/p>\n<p>3 out of 4 findings were confirmed fixed in the fix review, and I2 was acknowledged to benefit from flash loan fee waiving. 
No new findings were discovered.<\/p>\n<h3><span style=\"font-weight: 400;\">Critical severity<\/span><\/h3>\n<p>No critical severity issues were found.<\/p>\n<h3><span style=\"font-weight: 400;\">High severity<\/span><\/h3>\n<p>No high severity issues were found.<\/p>\n<h3><span style=\"font-weight: 400;\">Medium severity<\/span><\/h3>\n<p>No medium severity issues were found.<\/p>\n<h3><span style=\"font-weight: 400;\">Low severity<\/span><\/h3>\n<p>No low severity issues were found.<\/p>\n<h3><span style=\"font-weight: 400;\">Warning severity<\/span><\/h3>\n<p>W1: Missing events<\/p>\n<h3><span style=\"font-weight: 400;\">Informational severity<\/span><\/h3>\n<p class=\"p1\">I1: Documentation errors<\/p>\n<p>I2: Aave flash loan call optimization<\/p>\n<p>I3: Missing view in interfaces<\/p>\n<h2><span style=\"font-weight: 400;\">TRUST MODEL<\/span><\/h2>\n<p>Tokens interacted with, flash loan adapters, and flash loan providers are trusted not to disrupt the transaction execution, causing the transaction to revert. These entities are also trusted not to abuse the front-running opportunity to worsen the market conditions up to the slippage tolerance set in the trades to be settled.<\/p>\n<h2><span style=\"font-weight: 400;\">CONCLUSION<\/span><\/h2>\n<p><b><a href=\"https:\/\/ackee.xyz\">Ackee Blockchain Security<\/a>\u2019s full CoW audit report can be found <a href=\"https:\/\/github.com\/cowprotocol\/flash-loan-router\/blob\/main\/audit\/2025-03-26-Ackee.pdf\">here<\/a><\/b><b>.<\/b><\/p>\n<p>We were delighted to audit CoW and look forward to working with them again.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CoW Flash Loan Router is an extension of the CoW Protocol that enables trade solvers to execute multiple flash loans prior to trade settlements. The system integrates with various loan providers through dedicated adapter contracts, allowing for sequential flash loan executions during the settlement process. 
CoW engaged Ackee Blockchain Security to perform a security review of the CoW protocol with a total&hellip;<\/p>\n","protected":false},"author":30,"featured_media":1074,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,10,80,103],"tags":[21,109,24,33],"class_list":["post-1066","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audits","category-ethereum","category-solidity","category-wake","tag-audit","tag-cow-protocol","tag-ethereum","tag-evm"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2025\/07\/cow-blog-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2025\/07\/cow-blog-600x600.png","author_info":{"display_name":"Tom\u00e1\u0161 Kova\u0159\u00edk","author_link":"https:\/\/ackee.xyz\/blog\/author\/tomas-kovarik\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/1066","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/30"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=1066"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/1066\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/1074"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=1066"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=1066"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=1066"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}