{"id":364,"date":"2022-06-03T12:00:35","date_gmt":"2022-06-03T10:00:35","guid":{"rendered":"https:\/\/ackeeblockchain.com\/blog\/?p=364"},"modified":"2022-09-30T02:03:55","modified_gmt":"2022-09-30T00:03:55","slug":"axelar-crosschain-dex-audit-summary","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/axelar-crosschain-dex-audit-summary\/","title":{"rendered":"Axelar: Crosschain-Dex Audit Summary"},"content":{"rendered":"

Axelar<\/a> engaged Ackee Blockchain<\/a><\/span>\u00a0to review and audit<\/a> <\/span> the Crosschain-Dex (private repository) between May<\/strong> 31 and June 3, 2022<\/b>. The entire audit process was conducted with a total time commitment of 4 engineering days<\/b>. We now publish a summary of our results.<\/p>\n

Methodology<\/b><\/h4>\n

We start by reviewing the specifications, sources, and instructions provided to us, which is essential to ensure we understand the project’s size, scope, and functionality. This is followed by due diligence using the automated Solidity<\/a> analysis tools and Slither<\/a>.<\/p>\n

In addition to tool-based analysis, we continue with a detailed manual code review, which is the process of reading the source code line by line to identify potential vulnerabilities or code duplications. When the code review is complete, we run unit tests to ensure the system works as expected and potentially write missing unit or fuzzy tests. We also deploy the contracts<\/a> locally and try to attack and break the system.<\/p>\n

Scope\u00a0<\/b><\/h4>\n
\n
\n
\n

We started with the commit 5739e73bcfa469c2822c59b76d73ffb1cbf213c5<\/em> of the Crosschain-Dex repository, but during the audit the code was changed slightly to improve readability, so the final commit was faedfd700ccc0c004cd204059c68d88e109cf4ee<\/em>.<\/p>\n<\/div>\n<\/div>\n<\/div>\n

Findings<\/b><\/h4>\n

Here we present our findings<\/span><\/a>.<\/p>\n

Critical severity\u00a0<\/b><\/h5>\n

No critical severity issues were found.<\/p>\n

High severity\u00a0<\/b><\/h5>\n
\n
\n
\n
\n

H1:<\/strong> Unhandled return value<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

Medium severity<\/b><\/h5>\n

No medium severity issues were found.<\/p>\n

Low severity<\/b><\/h5>\n
\n
\n
\n
\n

L1:<\/strong> Payload manipulation<\/p>\n

\n
\n
\n
\n

L2:<\/strong> Unchecked transfer<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

Warning severity<\/strong><\/h5>\n
\n
\n
\n
\n
\n
\n
\n
\n

W1:<\/strong> Code duplication<\/p>\n

\n
\n
\n
\n

W2:<\/strong> Renounce ownership<\/p>\n

\n
\n
\n
\n

W3:<\/strong> Missing unit tests<\/p>\n

\n
\n
\n
\n

W4:<\/strong> External mint function<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

Informational severity\u00a0<\/b><\/h5>\n
\n
\n
\n
\n

I1:<\/strong> Commented out code<\/p>\n

\n
\n
\n
\n

I2:<\/strong> State variable access<\/p>\n

\n
\n
\n
\n

I3:<\/strong> Missing code documentation<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

Conclusion<\/b><\/h4>\n

Our review resulted in 10 findings<\/b> ranging from Informational<\/i> to High<\/em> severity.<\/p>\n

Generally, we can state that the code quality is<\/b> good <\/b>and smart contracts are easy to read. One of the biggest concerns we identified is the lack of unit tests<\/strong>, which should be essential for every development.<\/p>\n

Our conclusions regarding the Crosschain-Dex project:<\/p>\n