{"id":133,"date":"2021-08-22T12:00:32","date_gmt":"2021-08-22T10:00:32","guid":{"rendered":"https:\/\/ackeeblockchain.com\/blog\/?p=133"},"modified":"2022-04-04T09:59:30","modified_gmt":"2022-04-04T08:59:30","slug":"ackee-blockchain-is-an-audit-partner-of-1inch-network","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/ackee-blockchain-is-an-audit-partner-of-1inch-network\/","title":{"rendered":"Ackee Blockchain is an audit partner of 1inch Network"},"content":{"rendered":"<p class=\"p1\">In 2021, <a href=\"https:\/\/ackeeblockchain.com\/\"><span class=\"s1\">Ackee Blockchain<\/span><\/a> and <a href=\"https:\/\/app.1inch.io\/#\/1\/swap\/ETH\/DAI\"><span class=\"s1\">1inch<\/span><\/a> agreed to<strong> a long-term collaboration<\/strong>.<span class=\"Apple-converted-space\">\u00a0<\/span><\/p>\n<p class=\"p1\">1inch <strong>adheres to the best security standards<\/strong>, and before releasing any new feature or protocol enhancement, it is first reviewed <strong>by<\/strong> <strong>five auditing companies<\/strong>. All findings discovered by Ackee Blockchain were found on non-production code.<!--more--><\/p>\n<p class=\"p1\">We, at Ackee Blockchain, are delighted to have partnered with 1inch and to be involved in <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/audit\/\">auditing<\/a> their future developments.<\/p>\n<h4>About 1inch<\/h4>\n<p><a href=\"https:\/\/app.1inch.io\/#\/1\/swap\/ETH\/DAI\">1inch Network<\/a> is<b> a DEX and DeFi aggregator <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/protocol\/\">protocol<\/a><\/b><span style=\"font-weight: 400;\"> across multiple chains. 
At the time of writing, 1inch supports these blockchains: Ethereum, BSC, Polygon, Optimism, Arbitrum, Gnosis chain, and Avalanche.<\/span><\/p>\n<h5><b>How does 1inch work?<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">There are currently <strong>3 protocols operating in the 1inch Network<\/strong>: Aggregation Protocol, Liquidity Protocol, and Limit Order Protocol.<\/span><\/p>\n<h6><b>Aggregation Protocol<\/b><\/h6>\n<p><span style=\"font-weight: 400;\">Aggregation Protocol provides <strong>cost-efficient swap transactions<\/strong> across multiple liquidity sources while offering competitive rates to users. 1inch incorporates the pathfinder algorithm that finds the best paths among different markets on supported blockchains.<\/span><\/p>\n<h6><b>Liquidity Protocol<\/b><\/h6>\n<p><span style=\"font-weight: 400;\">Liquidity Protocol <strong>allows users to earn passive income<\/strong> on their crypto assets by depositing them in 1inch liquidity pools. The cryptocurrencies held in liquidity pools can then be used as the opposite side of transactions by traders who place trades using the 1inch decentralized exchange. In return, liquidity providers receive &#8216;LP tokens&#8217; that can be staked or exchanged for other cryptocurrencies.<\/span><\/p>\n<h6><b>Limit Order Protocol<\/b><\/h6>\n<p><span style=\"font-weight: 400;\">The 1inch Limit Order Protocol is <strong>a set of smart contracts<\/strong> that can work on any <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/evm\/\">EVM<\/a> blockchain. 
Key features of the protocol are flexibility and high gas efficiency, which is achieved by using two different order types &#8211; regular Limit Order and RFQ Order.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In this blog post, we&#8217;ll mention information about the following 1inch audits:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>1inch Farming audit\u00a0<\/b><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>1inch Cumulative Merkle drop audit<\/b><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>1inch Fixed Rate Swap audit\u00a0<\/b><b><\/b>(the only one publicly accessible)<\/li>\n<\/ul>\n<p class=\"p1\"><b>1inch Farming audit <\/b>was performed between <b>January 27 and February 9, 2022<\/b>. Our security team found <b>2 low<\/b> severity issues. 1inch&#8217;s development team fixed all findings.<\/p>\n<p class=\"p1\"><b>1inch Cumulative Merkle drop<\/b> <b>audit<\/b> was performed between <b>September 7 and September 10, 2021<\/b>. Our security team also found <b>2 low <\/b>severity issues that were fixed by 1inch&#8217;s development team.<\/p>\n<h4 class=\"p1\">About the 1inch Fixed Rate Swap audit<\/h4>\n<p class=\"p1\">The whole audit process consisted of <strong>an audit and two <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/re-audit\/\">re-audits<\/a><\/strong>. 
Two auditors of Ackee Blockchain completed the 1inch Fixed Rate Swap audit on <strong>August 22, 2021<\/strong>.\u00a0The total time allocated to this audit was\u00a0<b>3 engineering days<\/b>, and the file being audited was <em>FixedRateSwap.sol (154 SLOC)<\/em>.<\/p>\n<p class=\"p1\">The first re-audit was completed on <strong>November 18, 2021<\/strong>, and the second re-audit was completed on <strong>December 2, 2021<\/strong>.<\/p>\n<p>&nbsp;<\/p>\n<p class=\"p1\">At the beginning of the\u00a0audit, the\u00a0following\u00a0<b>main objectives\u00a0<\/b>were defined:<\/p>\n<ul>\n<li><span class=\"s1\">\u00a0<\/span><span class=\"s2\">Check the code quality, architecture and best practices.<\/span><\/li>\n<li><span class=\"s2\">Double-check that the mathematical algorithms work as described, so that funds cannot be lost due to a mathematical error.<span class=\"Apple-converted-space\">\u00a0<\/span><\/span><\/li>\n<li><span class=\"s2\">Ensure that no unauthorized party can steal the funds <\/span><span class=\"s3\"><br \/>\n<\/span><span class=\"s2\">held by the contract.<\/span><\/li>\n<li><span class=\"s2\">Since the contract doesn\u2019t use a proxy upgrade pattern, we also need to focus on potential denial-of-service attacks. 
<\/span><span class=\"s3\"><br \/>\n<\/span><\/li>\n<\/ul>\n<p class=\"p1\">We strive for a gradual and thorough approach to auditing the LayerZero protocol, which is why\u00a0<b>our audit methodology consists of<\/b>:<\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Technical specification\/documentation<\/b><span style=\"font-weight: 400;\"> &#8211; a brief overview of the system is requested from the client, and the scope of the audit is defined.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Tool-based analysis<\/b><span style=\"font-weight: 400;\"> &#8211; a basic check with automated Solidity analysis tools MythX and Slither is performed.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Math validation<\/b><span style=\"font-weight: 400;\"> &#8211; mathematical calculations in the code are manually validated to confirm that the results behave as defined.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Manual code review<\/b><span style=\"font-weight: 400;\"> &#8211; the code is checked line by line for common vulnerabilities, code duplication, and best practices, and the code architecture is reviewed.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Local deployment + hacking<\/b><span style=\"font-weight: 400;\"> &#8211; the contracts are deployed locally, and we try to attack the system and break it.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Unit testing and fuzz testing <\/b><span style=\"font-weight: 400;\">&#8211; additional unit tests are written in the Brownie testing framework to ensure that the system works as expected. 
Fuzz testing is performed with Echidna.<\/span><\/li>\n<\/ol>\n<h4>Findings<\/h4>\n<p class=\"p1\">Our toolset, manual code review, and unit and fuzz testing <strong>led to the following\u00a0<a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/findings\/\"><span class=\"s1\">findings<\/span><\/a><\/strong>:<\/p>\n<ul>\n<li class=\"p2\">L1: SWC-103 Floating pragma<\/li>\n<li class=\"p2\">L2: Code duplicity<\/li>\n<li class=\"p2\">M1: Potential token decimals mismatch<\/li>\n<li class=\"p2\">M2: Unhandled division by zero &#8211; Zero and negative inputAmount is not handled before math operations<\/li>\n<li class=\"p2\">H1: Unauthorized withdrawal<span class=\"Apple-converted-space\">\u00a0<\/span><\/li>\n<\/ul>\n<p class=\"p2\"><b>2 low <\/b>severity,<b> 2 medium <\/b>severity, and<b> 1 high<\/b> severity issues\u00a0were identified.<\/p>\n<h4>Conclusion<\/h4>\n<p class=\"p1\">The overall <strong>code quality is good<\/strong>. Functions are well designed to avoid code duplicity. Executions of functions with invalid parameters are properly handled using require. 
However, the code isn\u2019t well documented; only the<em> getReturn()<\/em> function is commented, so we highly recommend covering all of the functions with documentation.<span class=\"Apple-converted-space\">\u00a0<\/span><\/p>\n<p class=\"p1\">Based on our audit report, the 1inch team responsibly took <strong>several weeks to resolve the audit findings<\/strong>.<span style=\"font-weight: 400;\">\u00a0The 1inch team <strong>correctly fixed<\/strong> all low and medium severity issues discovered in the audit, and the new 1inch Network feature invalidated the high severity issue.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">After the first re-audit, we were asked to re-validate the fixed code along with the newly implemented code in the first re-audit.\u00a0<\/span><span style=\"font-weight: 400;\">During the second re-audit, we discovered just <strong>one new minor issue<\/strong>.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We were delighted to audit the <strong>1inch Network<\/strong> and we\u00a0look forward to further cooperation.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p class=\"p1\"><strong>The full Ackee Blockchain audit report of 1inch Fixed Rate Swap with a more detailed description of all findings and recommendations can be found <a href=\"https:\/\/github.com\/1inch\/1inch-audits\"><span class=\"s1\">here<\/span><\/a>.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In 2021, Ackee Blockchain and 1inch agreed to a long-term collaboration.\u00a0 1inch adheres to the best security standards, and before releasing any new feature or protocol enhancement, it is first reviewed by five auditing companies. 
All findings discovered by Ackee Blockchain were found on non-production code.<\/p>\n","protected":false},"author":11,"featured_media":136,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,10],"tags":[29,31,21,27,26,32,30,24,33,13],"class_list":["post-133","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audits","category-ethereum","tag-1inch","tag-amm","tag-audit","tag-blockchain","tag-cryptocurrency","tag-defi","tag-dex","tag-ethereum","tag-evm","tag-vulnerability"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/03\/ABCH-1inch-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/03\/ABCH-1inch-600x600.png","author_info":{"display_name":"Andrea Nov\u00e1kov\u00e1","author_link":"https:\/\/ackee.xyz\/blog\/author\/andrea-novakova\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/133","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=133"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/133\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/136"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=133"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=133"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=133"}],"curies":[{"name":"wp","href"
:"https:\/\/api.w.org\/{rel}","templated":true}]}}