{"id":380,"date":"2022-08-12T12:00:21","date_gmt":"2022-08-12T10:00:21","guid":{"rendered":"https:\/\/ackeeblockchain.com\/blog\/?p=380"},"modified":"2022-10-31T15:39:11","modified_gmt":"2022-10-31T13:39:11","slug":"axelar-token-linker-forecall-service-audit-summary","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/axelar-token-linker-forecall-service-audit-summary\/","title":{"rendered":"Axelar: Token Linker &#038; Forecall Service Audit Summary"},"content":{"rendered":"<p class=\"p1\"><a href=\"https:\/\/axelar.network\/\">Axelar<\/a>\u00a0engaged\u00a0<a href=\"https:\/\/ackeeblockchain.com\/\">Ackee Blockchain<\/a>\u00a0to review and\u00a0<a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/audit\/\">audit<\/a> the <strong>Token Linker <\/strong>and the <strong>Forecall Service<\/strong>. Token Linker is a set of contracts used to link any tokens across two or more different EVM-compatible chains on a one-to-one basis using only Axelar\u2019s general message passing. The <strong>Forecall Service<\/strong> allows an application that receives messages from Axelar to accept messages before they are approved on Gateway.<\/p>\n<p class=\"p1\">The audit was conducted between <strong>August<\/strong><b> 1 and August 5, 2022, <\/b>with a total time commitment of<b> 5 <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/engineering-days\/\">engineering days<\/a><\/b>. We now publish a summary of our results.<span id=\"more-254\"><\/span><\/p>\n<h4 class=\"p2\"><b>METHODOLOGY<\/b><\/h4>\n<p class=\"p1\">We start by reviewing the specifications, sources, and instructions provided to us, which is essential to ensure we understand the project\u2019s size, scope, and functionality. 
This is followed by due diligence using the automated\u00a0<a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/solidity\/\">Solidity<\/a>\u00a0analysis tools and\u00a0<a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/slither\/\">Slither<\/a>.<\/p>\n<p class=\"p1\">In addition to tool-based analysis, we continue with a detailed manual code review, which is the process of reading the source code line by line to identify potential vulnerabilities or code duplications. When the code review is complete, we run unit tests to ensure the system works as expected and potentially write missing unit or fuzz tests. We also deploy the\u00a0<a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/smart-contract\/\">contracts<\/a>\u00a0locally and try to attack and break the system.<\/p>\n<h4 class=\"p2\"><b>SCOPE\u00a0<\/b><\/h4>\n<div class=\"page\" title=\"Page 6\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<p>The audit was performed on two repositories: we audited commit <em>5e1d4bb<\/em><i>\u00a0<\/i>of the <a href=\"https:\/\/github.com\/axelarnetwork\/token-linker\/tree\/5e1d4bb648f15c8579bdaa1d93e8eba958a8a05e\">axelarnetwork\/token-linker<\/a> repository and commit <em>db238d7\u00a0<\/em>of the <a href=\"https:\/\/github.com\/axelarnetwork\/axelar-utils-solidity\/tree\/db238d7eea7d62eec04094ab781e985f324cbf0e\">axelarnetwork\/axelar-utils-solidity<\/a> repository.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<p class=\"p1\">During the security review,\u00a0<strong>we paid particular attention to<\/strong>:<\/p>\n<div class=\"page\" title=\"Page 6\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<ul>\n<li>the execution logic in the Forecall Service matches the requirements;<\/li>\n<li>token linking does not lead to unauthorized access to funds;<\/li>\n<li>detecting possible reentrancies in the code;<\/li>\n<li>ensuring access controls are neither too relaxed nor too strict;<\/li>\n<li>looking for common issues such as data 
validation.<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n<h4 class=\"p2\"><b>FINDINGS<\/b><\/h4>\n<p class=\"p1\">Here we present our\u00a0<a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/findings\/\"><span class=\"s1\">findings<\/span><\/a>.<\/p>\n<h5 class=\"p4\"><b>Critical severity\u00a0<\/b><\/h5>\n<p class=\"p1\">No critical severity issues were found.<\/p>\n<h5 class=\"p4\"><b>High severity\u00a0<\/b><\/h5>\n<div class=\"page\" title=\"Page 12\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<p><strong>H1:<\/strong> The <span style=\"color: #0000ff;\">forecall<\/span> and <span style=\"color: #0000ff;\">forecallWithToken<\/span> can be called repeatedly with the same payload<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<h5 class=\"p4\"><b>Medium severity<\/b><\/h5>\n<div class=\"page\" title=\"Page 12\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<p><strong>M1:<\/strong> The <span style=\"color: #0000ff;\">tokenAddress<\/span> is missing a zero-address check<\/p>\n<div class=\"page\" title=\"Page 12\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<p><strong>M2:<\/strong> TokenLinker has insufficient data validation<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<h5 class=\"p4\"><b>Low severity<\/b><\/h5>\n<p class=\"p1\">No low severity issues were found.<\/p>\n<h5><strong>Warning severity<\/strong><\/h5>\n<div class=\"page\" title=\"Page 18\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<div class=\"page\" title=\"Page 12\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<p><strong>W1:<\/strong> Usage of <span style=\"color: #0000ff;\">solc<\/span> optimizer<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"page\" title=\"Page 12\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<p><strong>W2:<\/strong> Floating dependency on 
AxelarGateway<\/p>\n<div class=\"page\" title=\"Page 13\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<p><strong>W3:<\/strong> Multiple ways to receive ether can lead to loss of funds<\/p>\n<div class=\"page\" title=\"Page 13\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<p><strong>W4:<\/strong> The <span style=\"color: #0000ff;\">forecall<\/span> function is missing any checks by default<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<h5 class=\"p4\"><b>Informational severity\u00a0<\/b><\/h5>\n<div class=\"page\" title=\"Page 13\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<p><strong>I1:<\/strong> Typo in the error name<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<h4 class=\"p2\"><b>CONCLUSION<\/b><\/h4>\n<p class=\"p1\">Our review resulted in <b>8 findings<\/b>\u00a0ranging from\u00a0<i>Informational<\/i>\u00a0to\u00a0<em>High<\/em> severity. 
The most severe one is a violation of an intended behavior in Forecall Service (see H1 in the full audit report).<\/p>\n<p class=\"p1\">After the audit,\u00a0<b>we recommended<\/b>\u00a0<strong>Axelar<\/strong>\u00a0<strong>to<\/strong>:<span class=\"Apple-converted-space\">\u00a0<\/span><\/p>\n<div class=\"page\" title=\"Page 7\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<ul>\n<li>add documentation including Natspec comments;<\/li>\n<li>write a more extensive test suite;<\/li>\n<li>address all other reported issues.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<\/div>\n<\/div>\n<\/div>\n<p class=\"p1\"><b>Ackee Blockchain\u2019s full <em>Token Linker &amp; Forecall Service\u00a0<\/em>audit report with a more detailed description of all findings and recommendations can be found\u00a0<\/b><a href=\"https:\/\/github.com\/axelarnetwork\/audits\/blob\/main\/audits\/2022-08%20Ackee%20blockchain.pdf\"><span class=\"s1\"><b>here<\/b><\/span><\/a><b>.<\/b><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Axelar\u00a0engaged\u00a0Ackee Blockchain\u00a0to review and\u00a0audit the Token Linker and the Forecall Service. Token Linker is a set of contracts used to link any tokens across two or more different EVM-compatible chains on a one-to-one basis using only Axelar\u2019s general message passing. The Forecall Service allows an application that receives messages from Axelar to accept messages before they are approved on Gateway. 
The audit&hellip;<\/p>\n","protected":false},"author":11,"featured_media":385,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,10],"tags":[21,72,27,26,24,33,64,28],"class_list":["post-380","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audits","category-ethereum","tag-audit","tag-axelar","tag-blockchain","tag-cryptocurrency","tag-ethereum","tag-evm","tag-security","tag-smart-contract"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/08\/Axellar-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/08\/Axellar-600x600.png","author_info":{"display_name":"Andrea Nov\u00e1kov\u00e1","author_link":"https:\/\/ackee.xyz\/blog\/author\/andrea-novakova\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/380","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=380"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/380\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/385"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=380"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=380"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=380"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}