{"id":254,"date":"2022-02-24T12:00:45","date_gmt":"2022-02-24T10:00:45","guid":{"rendered":"https:\/\/ackeeblockchain.com\/blog\/?p=254"},"modified":"2022-09-29T19:18:08","modified_gmt":"2022-09-29T17:18:08","slug":"axelar-cgp-audit-summary","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/axelar-cgp-audit-summary\/","title":{"rendered":"Axelar: CGP Audit Summary"},"content":{"rendered":"<p class=\"p1\"><a href=\"https:\/\/axelar.network\/\">Axelar<\/a> engaged <a href=\"https:\/\/ackeeblockchain.com\/\">Ackee Blockchain<\/a>\u00a0to review and <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/audit\/\">audit<\/a> their Cross-Chain Gateway Protocol between <b>January 31 and February 16, 2022<\/b>. The entire audit process was conducted with a total time commitment of <b>9 engineering days<\/b>. We now publish a summary of our results.<!--more--><\/p>\n<h4 class=\"p2\"><b>Methodology<\/b><\/h4>\n<p class=\"p1\">We start by reviewing the specifications, sources, and instructions provided to us, which is essential to ensure we understand the project&#8217;s size, scope, and functionality. This is followed by due diligence using automated <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/solidity\/\">Solidity<\/a> analysis tools and <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/slither\/\">Slither<\/a>.<\/p>\n<p class=\"p1\">In addition to tool-based analysis, we continue with a detailed manual code review, which is the process of reading the source code line by line to identify potential vulnerabilities or code duplications. When the code review is complete, we run unit tests to ensure the system works as expected and potentially write missing unit or fuzz tests. 
We also deploy the <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/smart-contract\/\">contracts<\/a> locally and try to attack and break the system.<\/p>\n<h4 class=\"p2\"><b>Scope<\/b><\/h4>\n<p class=\"p1\">We audited commit <em>c6f8c7c<\/em> of the <a href=\"https:\/\/github.com\/axelarnetwork\/axelar-cgp-solidity\">axelarnetwork\/axelar-cgp-solidity<\/a> repository.<\/p>\n<p class=\"p1\">During the security review, <strong>we paid particular attention to<\/strong>:<\/p>\n<ul class=\"ul1\">\n<li class=\"li1\">checking that nobody can breach the protocol;<\/li>\n<li class=\"li1\">checking the correctness of the upgradeability implementation;<\/li>\n<li class=\"li1\">checking for possible pitfalls in the upgrade from <i>v1.0.0 (e5e74b1)<\/i> to <i>v2.0.0 (c6f8c7c)<\/i>;<\/li>\n<li class=\"li1\">ensuring access controls are not too relaxed;<\/li>\n<li class=\"li1\">looking for common issues such as missing data validation.<\/li>\n<\/ul>\n<h4 class=\"p2\"><b>Findings<\/b><\/h4>\n<p class=\"p1\">Here we present our <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/findings\/\">findings<\/a>.<\/p>\n<h5 class=\"p4\"><b>Critical severity<\/b><\/h5>\n<p class=\"p1\">No critical severity issues were found.<\/p>\n<h5 class=\"p4\"><b>High severity<\/b><\/h5>\n<p class=\"p1\"><strong>H1:<\/strong> Insufficient data validation in the upgrade function<\/p>\n<p><strong>H2:<\/strong> Unchecked transfer for external tokens<\/p>\n<h5 class=\"p4\"><b>Medium severity<\/b><\/h5>\n<p class=\"p1\"><b>M1:<\/b> <em>_containsDuplicates<\/em> function can be optimized<\/p>\n<h5 class=\"p4\"><b>Low severity<\/b><\/h5>\n<p class=\"p1\"><b>L1:<\/b> ERC20 is missing basic arithmetic checks<\/p>\n<h5><strong>Warning severity<\/strong><\/h5>\n<p><strong>W1:<\/strong> Usage of <em>solc<\/em> optimizer<\/p>\n<p><strong>W2:<\/strong> Floating pragma<\/p>\n<p><strong>W3:<\/strong> Transaction replay<\/p>\n<p><strong>W4:<\/strong> Pitfalls of upgradeability<\/p>\n<h5 class=\"p4\"><b>Informational severity<\/b><\/h5>\n<p class=\"p1\"><b>I1:<\/b> Integer underflow if the owner epoch is 0<\/p>\n<h4 class=\"p2\"><b>Conclusion<\/b><\/h4>\n<p class=\"p1\">Our review resulted in <b>9 findings<\/b> ranging from <i>Informational<\/i> to <i>High<\/i> severity.<\/p>\n<p class=\"p1\">Generally, we can state that <b>the code quality is very good<\/b>. Tests are well written, the project repository on GitHub follows good engineering principles, and the team always responded quickly.<\/p>\n<p>However, the project is quite complex to audit because of the upgradeability pattern (Eternal Storage) and the low-level calls it contains. This complexity can be a source of bugs in future development, so we recommend keeping the project audited between upgrades.<\/p>\n<p class=\"p1\">After the audit, <b>we recommended Axelar to<\/b>:<\/p>\n<ul class=\"ul1\">\n<li class=\"li2\">address all reported issues;<\/li>\n<li class=\"li2\">create documentation.<\/li>\n<\/ul>\n<p class=\"p1\"><strong>Update:<\/strong> Between <b>February 21 and 23, 2022<\/b>, a <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/re-audit\/\">re-audit<\/a> was performed to check the fixes of the reported issues. Axelar <b>did not address some findings<\/b> (L1, W1, W3, I1) as they found them not concerning or not applicable. Apart from the fix for the H1 issue, we consider the fixes well performed. 
W4 was left untouched, so there is still <b>a risk of a protocol breach<\/b> (in the context of upgradeability).<\/p>\n<p class=\"p1\"><b>Ackee Blockchain&#8217;s full <em>Cross-Chain Gateway Protocol<\/em> audit report with a more detailed description of all findings and recommendations can be found <a href=\"https:\/\/github.com\/axelarnetwork\/audits\/blob\/main\/audits\/2022-02%20Ackee%20blockchain.pdf\">here<\/a>.<\/b><\/p>\n<h3>Follow-up audit I<\/h3>\n<p><a href=\"https:\/\/axelar.network\/\">Axelar<\/a> commissioned our team to perform a follow-up <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/audit\/\">audit<\/a> of their CGP between <b>March 22 and 31, 2022<\/b>. The entire audit process was conducted with a total time commitment of <b>10 engineering days<\/b>.<\/p>\n<h4 class=\"p2\"><b>Scope<\/b><\/h4>\n<p class=\"p1\">We audited commit <a href=\"https:\/\/github.com\/axelarnetwork\/axelar-cgp-solidity\/tree\/838de95e41f90f625f0445f278d64c75d06ed8e0\"><em>838de95e41<\/em><\/a> of the <a href=\"https:\/\/github.com\/axelarnetwork\/axelar-cgp-solidity\">axelarnetwork\/axelar-cgp-solidity<\/a> repository.<\/p>\n<p class=\"p1\">During the security review, <b>we paid particular attention to<\/b> the following questions:<\/p>\n<ul>\n<li>Is the correctness of the contracts ensured?<\/li>\n<li>Do the contracts correctly use the dependencies or other contracts they rely on, such as the OpenZeppelin contracts?<\/li>\n<li>Are access controls neither too relaxed nor too strict?<\/li>\n<li>Are the upgradeable contracts subject to common upgradeability pitfalls?<\/li>\n<li>Is the code vulnerable to re-entrancy attacks through ERC777-style contracts or maliciously supplied user input?<\/li>\n<\/ul>\n<h4 
class=\"p2\"><b>Findings<\/b><\/h4>\n<p class=\"p1\">Here we present our <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/findings\/\">findings<\/a>.<\/p>\n<h5 class=\"p5\"><b>Critical severity<\/b><\/h5>\n<p class=\"p1\">No critical severity issues were found.<\/p>\n<h5 class=\"p5\"><b>High severity<\/b><\/h5>\n<p class=\"p6\"><strong>H1:<\/strong> <em>AxelarGatewayMultisig.transferOperatorship<\/em> emits an event with an incorrect value<\/p>\n<h5 class=\"p5\"><b>Medium severity<\/b><\/h5>\n<p class=\"p1\"><b>M1:<\/b> Pitfalls of upgradeability<\/p>\n<p><strong>M2:<\/strong> <em>abi.encodePacked<\/em> contains dynamic-length data<\/p>\n<p><strong>M3:<\/strong> Several external calls lack existence checks<\/p>\n<p><strong>M4:<\/strong> <em>_execute<\/em> functions mark a command as executed before it is actually executed<\/p>\n<p><strong>M5:<\/strong> Commands that failed can be re-run<\/p>\n<p><strong>M6:<\/strong> Usage of <em>solc<\/em> optimizer<\/p>\n<h5 class=\"p5\"><b>Low severity<\/b><\/h5>\n<p class=\"p1\">No low severity issues were found.<\/p>\n<h5><b>Warning severity<\/b><\/h5>\n<p><strong>W1:<\/strong> <em>AxelarGatewayMultisig<\/em> ignores epoch 0<\/p>\n<p><strong>W2:<\/strong> Cannot use multiple tokens with the same symbol<\/p>\n<h5 class=\"p5\"><b>Informational severity<\/b><\/h5>\n<p><strong>I1:<\/strong> Many operations don&#8217;t emit events<\/p>\n<h4 class=\"p2\"><b>Conclusion<\/b><\/h4>\n<p class=\"p1\">Our review resulted in <b>10 findings<\/b> ranging from <i>Informational<\/i> to <i>High<\/i> severity.<\/p>\n<p>The most severe one was that an observer could make incorrect decisions, since an event logs incorrect values (H1).<\/p>\n<p><strong>We recommended Axelar to<\/strong>:<\/p>\n<ul>\n<li>correct the incorrect event emission (H1);<\/li>\n<li>revise the upgradeability mechanism (M1);<\/li>\n<li>pay special attention to edge cases such as string collisions in <em>abi.encodePacked<\/em> (M2);<\/li>\n<li>address all other reported issues.<\/li>\n<\/ul>\n<p class=\"p1\"><b>Update:<\/b> On <b>April 7, 2022<\/b>, StakerDAO provided an updated codebase that addresses the reported issues.<\/p>\n<p>Specifically, we reviewed tag <a href=\"https:\/\/github.com\/axelarnetwork\/axelar-cgp-solidity\/releases\/tag\/v3.1.0\">v3.1.0<\/a> with commit <em><a href=\"https:\/\/github.com\/axelarnetwork\/axelar-cgp-solidity\/tree\/4067ed6c8f7e8d5d09d94d6b7301919aff2cb8fc\">4067ed6c8f<\/a><\/em>. Compared to the scope commit, this tag set out to <strong>tackle the following problems<\/strong>: H1; M2; and the inability to freeze external ERC20 tokens.<\/p>\n<p class=\"p1\">We found that the commits successfully address the two reported issues, introduce no new vulnerabilities, and also successfully address the third problem. <b>We recommend Axelar to address all other reported issues.<\/b><\/p>\n<p class=\"p1\"><b>Ackee Blockchain&#8217;s full <em>Cross-Chain Gateway Protocol<\/em> follow-up audit report with a more detailed description of all findings and recommendations can be found <a href=\"https:\/\/github.com\/axelarnetwork\/audits\/blob\/main\/audits\/2022-04%20Ackee%20blockchain.pdf\">here<\/a>.<\/b><\/p>\n<h3>Follow-up audit II<\/h3>\n<p><a href=\"https:\/\/axelar.network\/\">Axelar<\/a> engaged our team to conduct a further follow-up <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/audit\/\">audit<\/a> of their CGP between <b>May 10 and 13, 2022<\/b>. The entire audit process was conducted with a total time commitment of <b>3 engineering days<\/b>.<\/p>\n<h4 class=\"p2\"><b>Scope<\/b><\/h4>\n<p>Initially, three engineering days were allocated to audit the new protocol changes between versions <em>v3.1.1<\/em> and <em>v3.2.2<\/em>, particularly the gas optimizations and the new <em>GasReceiver<\/em> feature. However, in the middle of the audit, Axelar changed the scope to validate the new <em>AxelarDepositService<\/em> feature. After we provided quick feedback on the new feature, Axelar sent us a new commit addressing our findings.<\/p>\n<p>Therefore, this audit was conducted on three different commits over three days, and as a result, we present only a draft report of our findings.<\/p>\n<p class=\"p1\"><strong>We worked on the following commits:<\/strong><\/p>\n<ul>\n<li class=\"p1\">protocol <em>v3.2.2<\/em>: <em>6c895ff<\/em>,<\/li>\n<li class=\"p1\"><em>GasReceiver<\/em> feature before feedback: <em>5d95c55<\/em>,<\/li>\n<li class=\"p1\"><em>GasReceiver<\/em> feature after feedback: <em>6a8bdd5<\/em>.<\/li>\n<\/ul>\n<h4 class=\"p2\"><b>Findings<\/b><\/h4>\n<p class=\"p1\">Here we present our <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/findings\/\">findings<\/a>.<\/p>\n<h5 class=\"p5\"><b>Critical severity<\/b><\/h5>\n<p class=\"p1\">No critical severity issues were found.<\/p>\n<h5 class=\"p5\"><b>High severity<\/b><\/h5>\n<p class=\"p6\">No high severity issues were found.<\/p>\n<h5 class=\"p5\"><b>Medium severity<\/b><\/h5>\n<p><strong>M1:<\/strong> Upgradeability<\/p>\n<p><strong>M2:<\/strong> External calls lack existence checks<\/p>\n<p><strong>M3:<\/strong> Token symbol and address decoupling<\/p>\n<p><strong>M4:<\/strong> Token symbol length validation<\/p>\n<h5 class=\"p5\"><b>Low severity<\/b><\/h5>\n<p class=\"p1\">No low severity issues were found.<\/p>\n<h5><b>Warning severity<\/b><\/h5>\n<p><strong>W1:<\/strong> Usage of <em>solc<\/em> optimizer<\/p>\n<p><strong>W2:<\/strong> Misleading error<\/p>\n<p><strong>W3:<\/strong> Event data validation<\/p>\n<h5 class=\"p5\"><b>Informational severity<\/b><\/h5>\n<p class=\"p1\">No informational severity issues were found.<\/p>\n<h4 class=\"p2\"><b>Conclusion<\/b><\/h4>\n<p class=\"p1\">Our review resulted in <b>7 findings<\/b> ranging from <i>Warning<\/i> to <i>Medium<\/i> severity.<\/p>\n<p>As mentioned above, we present only a draft report of our findings. 
With this approach, we tried to maximize our support for Axelar during a turbulent market period.<\/p>\n<p class=\"p1\"><b>Ackee Blockchain&#8217;s <em>Cross-Chain Gateway Protocol<\/em> follow-up audit report with a more detailed description of all findings and recommendations can be found <a href=\"https:\/\/github.com\/axelarnetwork\/audits\/blob\/main\/audits\/2022-05%20Ackee%20blockchain.pdf\">here<\/a>.<\/b><\/p>\n<h3>Auth Contract and Deposit Service audit<\/h3>\n<p>Between <b>July 18 and July 25, 2022<\/b>, <a href=\"https:\/\/axelar.network\/\">Axelar<\/a> engaged our team to review and <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/audit\/\">audit<\/a> the Deposit Service and the Auth contract, which are part of the cross-chain protocol. The entire audit process was conducted with a total time commitment of <b>6 engineering days<\/b>.<\/p>\n<h4 class=\"p2\"><b>Scope<\/b><\/h4>\n<p>We audited commit <a href=\"https:\/\/github.com\/axelarnetwork\/axelar-cgp-solidity\/commit\/1cd26b36a4757d300b18834cffd448808a98b225\"><em>1cd26b3<\/em><\/a> of the <a href=\"https:\/\/github.com\/axelarnetwork\/axelar-cgp-solidity\">axelarnetwork\/axelar-cgp-solidity<\/a> repository and focused on the changes proposed in the feature branch <a href=\"https:\/\/github.com\/axelarnetwork\/axelar-cgp-solidity\/pull\/124\">AxelarAuthWeighted<\/a> and the feature branch <a href=\"https:\/\/github.com\/axelarnetwork\/axelar-cgp-solidity\/commit\/1cd26b36a4757d300b18834cffd448808a98b225\">DepositService<\/a>.<\/p>\n<p>During the security review, <strong>we paid particular attention to<\/strong>:<\/p>\n<ul>\n<li class=\"p1\">validating that the proofs in the Auth contract cannot be 
forged;<\/li>\n<li class=\"p1\">detecting possible reentrancies in the code;<\/li>\n<li class=\"p1\">ensuring access controls are neither too relaxed nor too strict;<\/li>\n<li class=\"p1\">looking for common issues such as missing data validation.<\/li>\n<\/ul>\n<h4 class=\"p2\"><b>Findings<\/b><\/h4>\n<p class=\"p1\">Here we present our <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/findings\/\">findings<\/a>.<\/p>\n<h5 class=\"p5\"><b>Critical severity<\/b><\/h5>\n<p class=\"p1\">No critical severity issues were found.<\/p>\n<h5 class=\"p5\"><b>High severity<\/b><\/h5>\n<p class=\"p6\">No high severity issues were found.<\/p>\n<h5 class=\"p5\"><b>Medium severity<\/b><\/h5>\n<p><strong>M1:<\/strong> Dangerous ownership transfer<\/p>\n<p><strong>M2:<\/strong> Unauthorized sending of tokens<\/p>\n<h5 class=\"p5\"><b>Low severity<\/b><\/h5>\n<p class=\"p1\">No low severity issues were found.<\/p>\n<h5><b>Warning severity<\/b><\/h5>\n<p><strong>W1:<\/strong> Usage of <em>solc<\/em> optimizer<\/p>\n<p><strong>W2:<\/strong> Stealing tokens from Deposit Proxy<\/p>\n<p><strong>W3:<\/strong> Highly privileged owner and single point of failure<\/p>\n<p><strong>W4:<\/strong> Pitfalls of upgradeability<\/p>\n<h5 class=\"p5\"><b>Informational severity<\/b><\/h5>\n<p><strong>I1:<\/strong> Public functions without internal calls<\/p>\n<p><strong>I2:<\/strong> Confusing naming of errors<\/p>\n<h4 class=\"p2\"><b>Conclusion<\/b><\/h4>\n<p class=\"p1\">Our review resulted in <b>8 findings<\/b> ranging from <i>Informational<\/i> to <i>Medium<\/i> severity.<\/p>\n<p><strong>We recommended Axelar to<\/strong>:<\/p>\n<ul>\n<li>use static analysis tools like Slither;<\/li>\n<li>ensure that the privileged owner addresses correspond to robust multisigs;<\/li>\n<li>address all the reported issues.<\/li>\n<\/ul>\n<p class=\"p1\"><b>Ackee Blockchain&#8217;s <em>Auth Contract and Deposit Service<\/em> audit report with a more detailed description of all findings and recommendations can be found <a href=\"https:\/\/github.com\/axelarnetwork\/audits\/blob\/main\/audits\/2022-07%20Ackee%20blockchain-v2.pdf\">here<\/a>.<\/b><\/p>\n<p class=\"p1\">We were delighted to audit <b>Axelar<\/b> and look forward to working with them again.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Axelar engaged Ackee Blockchain\u00a0to review and audit their Cross-Chain Gateway Protocol between January 31 and February 16, 2022. The entire audit process was conducted with a total time commitment of 9 engineering days. 
We now publish a summary of our results.<\/p>\n","protected":false},"author":11,"featured_media":273,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,10],"tags":[21,72,27,24,33,64,28],"class_list":["post-254","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audits","category-ethereum","tag-audit","tag-axelar","tag-blockchain","tag-ethereum","tag-evm","tag-security","tag-smart-contract"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/08\/ABCH-Axelar-2@2x-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/08\/ABCH-Axelar-2@2x-600x600.png","author_info":{"display_name":"Andrea Nov\u00e1kov\u00e1","author_link":"https:\/\/ackee.xyz\/blog\/author\/andrea-novakova\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/254","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=254"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/254\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/273"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=254"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=254"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=254"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}