{"id":184,"date":"2022-03-15T12:00:08","date_gmt":"2022-03-15T10:00:08","guid":{"rendered":"https:\/\/ackeeblockchain.com\/blog\/?p=184"},"modified":"2022-04-28T23:23:00","modified_gmt":"2022-04-28T22:23:00","slug":"ackee-blockchain-audited-layer-zero","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/ackee-blockchain-audited-layer-zero\/","title":{"rendered":"Ackee Blockchain audited LayerZero"},"content":{"rendered":"<h4>About LayerZero<\/h4>\n<p><span style=\"font-weight: 400;\"><span data-slate-fragment=\"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\"><a href=\"https:\/\/layerzero.network\/\">LayerZero<\/a> is <strong>an omnichain interoperability <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/protocol\/\">protocol<\/a><\/strong> designed for lightweight message passing across chains. LayerZero provides authentic and guaranteed message delivery with configurable trustlessness. <\/span>The protocol is implemented as <strong>a set of gas-efficient, non-upgradable smart contracts<\/strong>.<\/span><!--more--><\/p>\n<p><span style=\"font-weight: 400;\">Currently, LayerZero supports Ethereum and EVM-compatible chains such as Avalanche, Polygon, BNB Chain, Fantom, Arbitrum, and Optimism.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To learn more about LayerZero, read <strong>the official documentation<\/strong><strong> <a href=\"https:\/\/layerzero.gitbook.io\/docs\/\">here<\/a><\/strong>.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-187 \" src=\"https:\/\/abchprod.wpengine.com\/wp-content\/uploads\/2022\/04\/Sni\u0301mek-obrazovky-2022-04-28-v-23.56.39.png\" alt=\"layerzero\" width=\"581\" height=\"300\" srcset=\"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/04\/Sni\u0301mek-obrazovky-2022-04-28-v-23.56.39.png 1175w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/04\/Sni\u0301mek-obrazovky-2022-04-28-v-23.56.39-300x155.png 300w, 
https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/04\/Sni\u0301mek-obrazovky-2022-04-28-v-23.56.39-1024x528.png 1024w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/04\/Sni\u0301mek-obrazovky-2022-04-28-v-23.56.39-768x396.png 768w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/04\/Sni\u0301mek-obrazovky-2022-04-28-v-23.56.39-370x191.png 370w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/04\/Sni\u0301mek-obrazovky-2022-04-28-v-23.56.39-1170x606.png 1170w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/04\/Sni\u0301mek-obrazovky-2022-04-28-v-23.56.39-760x392.png 760w\" sizes=\"auto, (max-width: 581px) 100vw, 581px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">LayerZero engaged <\/span><a href=\"https:\/\/ackeeblockchain.com\/\"><span style=\"font-weight: 400;\">Ackee Blockchain<\/span><\/a><span style=\"font-weight: 400;\"> to conduct security reviews of the LayerZero and Stargate Finance protocols on a regular basis. The Ackee Blockchain security team has<strong> so far conducted 5 audits<\/strong>; several features of the LayerZero protocol are still under review and more are to come. Here we publish the first results of our work.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In this blog post, we\u2019ll cover the following LayerZero <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/audit\/\">audits<\/a>:<\/span><\/p>\n<ul>\n<li aria-level=\"1\"><b>LayerZero proof-lib audit<\/b><\/li>\n<li aria-level=\"1\"><b>LayerZero Stargate DAO\/Voting Escrow audit<\/b><\/li>\n<li><b>LayerZero protocol audit <\/b>(the only one publicly accessible)<\/li>\n<\/ul>\n<p><b>LayerZero proof-lib audit <\/b><span style=\"font-weight: 400;\">was completed on <strong>March 11, 2022<\/strong> with a total time donation of 4 engineering days. Our security team found <strong>3 low<\/strong> severity and <strong>1 medium<\/strong> severity issues. 
All findings were acknowledged or fixed by the LayerZero development team.\u00a0<\/span><\/p>\n<p><b>LayerZero Stargate DAO\/Voting Escrow audit<\/b><span style=\"font-weight: 400;\"> was completed on<strong> March 29, 2022<\/strong> with a total time donation of 6 engineering days. Our security team found <strong>5 low<\/strong> severity issues, all of which were <\/span><span style=\"font-weight: 400;\">general recommendations rather than security issues<\/span><span style=\"font-weight: 400;\">. All findings were acknowledged or fixed by the LayerZero development team.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<h4>About the LayerZero protocol audit<\/h4>\n<p><b>LayerZero protocol audit<\/b>\u00a0<span style=\"font-weight: 400;\">was completed by two auditors of Ackee Blockchain on <strong>March 15, 2022<\/strong>. <\/span><span style=\"font-weight: 400;\">The total time donation of this audit was <strong>12 engineering days<\/strong>.<\/span><\/p>\n<p>During the review, <strong>special attention was paid to<\/strong>:<\/p>\n<div class=\"page\" title=\"Page 6\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<ul>\n<li>checking that nobody can exploit the protocol;<\/li>\n<li>ensuring access controls are not too weak;<\/li>\n<li>checking the protocol architecture;<\/li>\n<li>checking the code quality and Solidity best practices;<\/li>\n<li>and looking for common issues such as data validation.<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>We strive for a gradual and thorough approach to auditing the LayerZero protocol, which is why <strong>our audit methodology consists of<\/strong>:<\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\"><span style=\"font-weight: 400;\"><strong>Technical specification\/documentation<\/strong> \u2013 a brief overview of the system is requested from the client, and the <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/audit-scope\/\">audit scope<\/a> is 
defined.<\/span><\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\"><span style=\"font-weight: 400;\"><strong>Tool-based analysis<\/strong> \u2013 a deep check with automated <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/solidity\/\">Solidity<\/a> analysis tools and <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/slither\/\">Slither<\/a> is performed.<\/span><\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\"><span style=\"font-weight: 400;\"><strong>Manual code review<\/strong> \u2013 the code is checked line by line for common vulnerabilities, code duplication, and best practices, and the code architecture is reviewed.<\/span><\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><strong>Local deployment + hacking<\/strong> \u2013 contracts are deployed locally, and we try to attack the system and break it.<\/li>\n<li aria-level=\"1\"><span style=\"font-weight: 400;\"><strong>Unit testing<\/strong> \u2013 unit tests are run to ensure that the system works as expected. We may also write our own unit tests for specific suspicious scenarios.<\/span><\/li>\n<\/ol>\n<h4>Findings<\/h4>\n<p><span style=\"font-weight: 400;\">We began our review by using static analysis tools and then took a deep dive into the logic of the contract. This led to the following <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/findings\/\">findings<\/a>: <\/span><\/p>\n<p><span style=\"font-weight: 400;\"><strong>8 low<\/strong> severity and <strong>1 medium<\/strong> severity issues were identified.\u00a0<\/span><\/p>\n<h4>Conclusion<\/h4>\n<p><span style=\"font-weight: 400;\">The overall code quality is very good and the architecture is well designed. 
The protocol is well documented in the whitepaper, Gitbook documentation, and in the code.<\/span><\/p>\n<div class=\"page\" title=\"Page 6\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<p>We identified only a few hypothetical issues that were not directly exploitable, but we still had to point them out. Most of these were general recommendations rather than security issues.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"page\" title=\"Page 6\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<p>We <strong>recommended LayerZero<\/strong> to:<\/p>\n<ul>\n<li>design some Oracle &amp; Relayer control mechanism for independence;<\/li>\n<li>use a compiler &gt;0.8 with native SafeMath instead of the library;<\/li>\n<li>use a compiler no more than six months old;<\/li>\n<li>use the same compiler version across the whole project;<\/li>\n<li>do not use a floating pragma;<\/li>\n<li>use 3rd party libraries wisely;<\/li>\n<li>use assembly code wisely;<\/li>\n<li>remove unused code.<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p><span style=\"font-weight: 400;\">All findings were <strong>acknowledged and fixed<\/strong> by the LayerZero development team, except 3 low severity issues that have been descoped and will be reviewed in different audits.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We were delighted to audit <strong>LayerZero \u2013 an omnichain interoperability protocol <\/strong>and we look forward to further cooperation.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><b>The full Ackee Blockchain audit report of the LayerZero protocol with a more detailed description of all findings and recommendations can be found <a href=\"https:\/\/github.com\/LayerZero-Labs\/LayerZero\/blob\/main\/audit\/Ackee%20Audit%20Report%20-%20LayerZero-2022.03.15.pdf\"><span class=\"s1\">here<\/span><\/a>.<\/b><\/p>\n","protected":false},"excerpt":{"rendered":"<p>About LayerZero LayerZero is an omnichain interoperability protocol 
designed for lightweight message passing across chains. LayerZero provides authentic and guaranteed message delivery with configurable trustlessness. The protocol is implemented as a set of gas-efficient, non-upgradable smart contracts.<\/p>\n","protected":false},"author":11,"featured_media":188,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,10],"tags":[21,53,24,33,56,55,54],"class_list":["post-184","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audits","category-ethereum","tag-audit","tag-bridge","tag-ethereum","tag-evm","tag-interoperability","tag-layerzero","tag-omnichain"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/04\/ABCH-Layer-Zero-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/04\/ABCH-Layer-Zero-600x600.png","author_info":{"display_name":"Andrea 
Nov\u00e1kov\u00e1","author_link":"https:\/\/ackee.xyz\/blog\/author\/andrea-novakova\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/184","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=184"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/184\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/188"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=184"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=184"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=184"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}