{"id":400,"date":"2022-11-11T08:00:33","date_gmt":"2022-11-11T06:00:33","guid":{"rendered":"https:\/\/ackeeblockchain.com\/blog\/?p=400"},"modified":"2022-11-14T01:04:25","modified_gmt":"2022-11-13T23:04:25","slug":"testing-axelar-contracts-using-open-source-tools","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/testing-axelar-contracts-using-open-source-tools\/","title":{"rendered":"Testing Axelar contracts using open-source tools"},"content":{"rendered":"<p class=\"p1\">Building projects on top of cross-chain solutions like <a href=\"https:\/\/axelar.network\/\" target=\"_blank\" rel=\"noopener\">Axelar<\/a> can sometimes be tricky and may lead to security issues in the code. Fortunately, open-source tools can automatically detect many issues or help test the implementation.<!--more--><\/p>\n<h2 class=\"p1\">Static analysis tools<\/h2>\n<p class=\"p1\">Static analysis tools <strong>can detect vulnerabilities and code quality issues without executing the code<\/strong>. A tool typically implements a set of detectors, which usually rely on heuristics rather than proofs, so their findings still need to be reviewed. There are a few static analysis tools for <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/solidity\/\">Solidity<\/a>. Below we demonstrate the most well-known one, <strong>Slither<\/strong>, and an alternative, <strong>Wake<\/strong>, which implements Axelar-specific detectors.<\/p>\n<h4>Slither<\/h4>\n<p class=\"p1\">The <a href=\"https:\/\/github.com\/crytic\/slither\" target=\"_blank\" rel=\"noopener\">Slither<\/a> tool can be installed with Python\u2019s package installer (pip) using:<\/p>\n<pre class=\"p1\">pip3 install slither-analyzer<\/pre>\n<p>It offers numerous detectors (80 at the time of writing). Nevertheless, <strong>many of the detectors are not relevant to the latest versions of Solidity<\/strong>, and some of them are only informational (e.g. reporting that an inline assembly block is used). 
The tool can be run using the following command:<\/p>\n<pre class=\"p1\">slither project-directory<\/pre>\n<p class=\"p1\">Slither usually prints out a lot of information that is <strong>not very well formatted<\/strong>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-416\" src=\"https:\/\/abchprod.wpengine.com\/wp-content\/uploads\/2022\/11\/slither.png\" alt=\"\" width=\"943\" height=\"915\" srcset=\"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/slither.png 943w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/slither-300x291.png 300w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/slither-768x745.png 768w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/slither-370x359.png 370w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/slither-760x737.png 760w\" sizes=\"auto, (max-width: 943px) 100vw, 943px\" \/><\/p>\n<p class=\"p1\">There is also a Slither <a href=\"https:\/\/marketplace.visualstudio.com\/items?itemName=trailofbits.slither-vscode\"><span class=\"s1\">extension<\/span><\/a> for VS Code, but it requires the developer to run the detectors manually.<\/p>\n<h4>Wake<\/h4>\n<p class=\"p1\"><span class=\"s1\"><a href=\"https:\/\/github.com\/Ackee-Blockchain\/woke\">Wake<\/a><\/span> is a development and testing framework for Solidity developed by <a href=\"https:\/\/ackeeblockchain.com\">Ackee Blockchain<\/a>. Like Slither, <strong>Wake can perform static analysis using a prepared set of detectors<\/strong>, including detectors written specifically for projects built on Axelar. Wake can be installed using the following command:<\/p>\n<pre class=\"p1\">pip3 install wake<\/pre>\n<p>The number of detectors is limited: the tool does not aim to catch every possible issue, only a few specific ones. <strong>More detectors are being actively developed; all of them are relevant to the latest versions of Solidity<\/strong>, and the tool reports fewer false positives. 
Analysis of a project can be performed with the following command:<\/p>\n<pre class=\"p1\">wake detect project-directory<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-415\" src=\"https:\/\/abchprod.wpengine.com\/wp-content\/uploads\/2022\/11\/woke-2.png\" alt=\"\" width=\"944\" height=\"934\" srcset=\"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/woke-2.png 944w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/woke-2-300x297.png 300w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/woke-2-768x760.png 768w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/woke-2-370x366.png 370w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/woke-2-90x90.png 90w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/woke-2-760x752.png 760w\" sizes=\"auto, (max-width: 944px) 100vw, 944px\" \/><\/p>\n<p class=\"p1\">Among others, there is a detector that checks whether <strong>Axelar Proxy\/Upgradeable<\/strong> contracts are used correctly. 
Specifically, it checks that:<\/p>\n<ul>\n<li><span class=\"s1\">There is no more than one proxy contract with the same <i>contractId<\/i>.<\/span><\/li>\n<li class=\"li1\"><span class=\"s1\">There is no more than one upgradeable contract with the same <i>contractId<\/i>.<\/span><\/li>\n<li class=\"li1\"><span class=\"s1\">For every proxy contract, there is an upgradeable contract with the same <i>contractId<\/i>.<\/span><\/li>\n<li class=\"li1\"><span class=\"s1\">For every upgradeable contract, there is a proxy contract with the same <i>contractId<\/i>.<\/span><\/li>\n<li class=\"li1\"><span class=\"s1\">For each pair of matching proxy and upgradeable contracts, there is no collision of function selectors (except for the functions <span style=\"color: #0000ff;\"><i>setup<\/i><\/span> and <span style=\"color: #0000ff;\"><i>implementation<\/i><\/span>, where this behavior is desirable).<\/span><\/li>\n<\/ul>\n<p class=\"p1\">The last point ensures that when a user calls a function of an upgradeable contract through a proxy, the call actually reaches the upgradeable contract. A proxy dispatches on the 4-byte selector first and only delegates to the implementation from its fallback function, so if the proxy itself had a function with the same selector, that function would run instead and the call would never reach the implementation. Usually, this is not the intended behavior.<\/p>\n<p class=\"p1\"><strong>The situation is illustrated in the following hypothetical scenario.<\/strong> The functions <span style=\"color: #0000ff;\"><i>proxyOwner<\/i><\/span> and <span style=\"color: #0000ff;\"><i>clash550254402<\/i><\/span> share the same selector. A user wants to execute the <span style=\"color: #0000ff;\"><i>clash550254402<\/i><\/span> function, but the <span style=\"color: #0000ff;\"><i>proxyOwner<\/i><\/span> function is run instead. This makes it effectively impossible to run the <span style=\"color: #0000ff;\"><i>clash550254402<\/i><\/span> function through the proxy. 
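<\/p>\n<p class=\"p1\">Such a clash can be checked offline before deploying. The following Python script is an added example written for this page; it is not the post\u2019s code and not Wake\u2019s detector. It computes 4-byte selectors with a small pure-Python Keccak-256 (so it needs no third-party package) and lists colliding selectors between a proxy and its implementation, skipping a pair only when both sides define the same function from the <i>setup<\/i>\/<i>implementation<\/i> exception, as the detector does. The two function lists are constructed for the example; the <i>clash550254402<\/i> name is the one from the scenario above.<\/p>
```python
"""Offline 4-byte selector clash check between a proxy and its implementation.

Added example for this page, not Wake's detector. The Keccak-256 below is a
compact pure-Python implementation so the script runs without web3 or
pycryptodome; signatures use the canonical ABI form, e.g. "transfer(address,uint256)".
"""

MASK64 = (1 << 64) - 1

ROUND_CONSTANTS = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
# rho step rotation offsets, indexed [x][y]
ROTATIONS = [
    [0, 36, 3, 41, 18],
    [1, 44, 10, 45, 2],
    [62, 6, 43, 15, 61],
    [28, 55, 25, 21, 56],
    [27, 20, 39, 8, 14],
]


def _rol(value: int, n: int) -> int:
    """Rotate a 64-bit lane left by n bits."""
    return ((value << n) | (value >> (64 - n))) & MASK64 if n else value


def _keccak_f1600(a):
    """Keccak-f[1600] permutation on a 5x5 lane array a[x][y]."""
    for rc in ROUND_CONSTANTS:
        # theta
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        # rho and pi
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = _rol(a[x][y], ROTATIONS[x][y])
        # chi
        a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & b[(x + 2) % 5][y]) & MASK64
              for y in range(5)] for x in range(5)]
        # iota
        a[0][0] ^= rc
    return a


def keccak256(data: bytes) -> bytes:
    """Original Keccak-256 (0x01 padding) as used for Solidity selectors; not SHA3-256."""
    rate = 136  # bytes: (1600 - 2 * 256) / 8
    buf = bytearray(data) + bytes([0x01])
    buf += bytes(-len(buf) % rate)
    buf[-1] |= 0x80
    state = [[0] * 5 for _ in range(5)]
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):  # lane i sits at (x, y) = (i % 5, i // 5)
            state[i % 5][i // 5] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        state = _keccak_f1600(state)
    return b"".join(state[i % 5][i // 5].to_bytes(8, "little") for i in range(4))


def selector(signature: str) -> str:
    """First 4 bytes of keccak256(signature), hex without 0x."""
    return keccak256(signature.encode()).hex()[:8]


def selector_clashes(proxy_sigs, impl_sigs, allowed_names=("setup", "implementation")):
    """Return (proxy_sig, impl_sig) pairs whose selectors collide.

    A pair is skipped only when both sides define the same function from
    allowed_names, mirroring the exception the detector makes for setup
    and implementation."""
    impl_by_selector = {}
    for sig in impl_sigs:
        impl_by_selector.setdefault(selector(sig), []).append(sig)
    clashes = []
    for sig in proxy_sigs:
        for other in impl_by_selector.get(selector(sig), []):
            name, other_name = sig.split("(")[0], other.split("(")[0]
            if name == other_name and name in allowed_names:
                continue
            clashes.append((sig, other))
    return clashes


# Constructed sample ABIs (hypothetical) following the scenario above.
PROXY_FUNCTIONS = ["implementation()", "setup(bytes)", "proxyOwner()"]
IMPL_FUNCTIONS = ["implementation()", "setup(bytes)", "clash550254402()", "transfer(address,uint256)"]

if __name__ == "__main__":
    for proxy_sig, impl_sig in selector_clashes(PROXY_FUNCTIONS, IMPL_FUNCTIONS):
        print(f"0x{selector(proxy_sig)}: {proxy_sig} (proxy) shadows {impl_sig} (implementation)")
```
<p class=\"p1\">Running the script prints one line per clash. Checking the full ABI of both contracts this way before every upgrade is cheap, and it also catches the case where a later implementation adds a function whose selector happens to match an existing proxy function.<\/p>\n<p class=\"p1\">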
It is still possible to call the function directly on the upgradeable contract, but without the proxy contract context (storage, balance, etc.) it will likely behave differently.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-414\" src=\"https:\/\/abchprod.wpengine.com\/wp-content\/uploads\/2022\/11\/selector-clashes.png\" alt=\"\" width=\"1294\" height=\"953\" srcset=\"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/selector-clashes.png 1294w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/selector-clashes-300x221.png 300w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/selector-clashes-1024x754.png 1024w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/selector-clashes-768x566.png 768w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/selector-clashes-370x272.png 370w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/selector-clashes-760x560.png 760w\" sizes=\"auto, (max-width: 1294px) 100vw, 1294px\" \/><\/p>\n<p class=\"p1\">Wake also provides a re-entrancy detector that recognizes the <span style=\"color: #0000ff;\"><i>onlyOwner<\/i><\/span> pattern and excludes re-entrancies that can only be triggered by the owner of the contract. <strong>Each printed detection names a potentially unsafe external call<\/strong> and lists the public\/external functions from which the attack can be started.<\/p>\n<p class=\"p1\"><strong>For VS Code users<\/strong>, there is an extension named <a href=\"https:\/\/marketplace.visualstudio.com\/items?itemName=AckeeBlockchain.tools-for-solidity\"><span class=\"s1\">Tools for Solidity<\/span><\/a>, which uses Wake in the background and <strong>offers many language server features<\/strong>, such as:<\/p>\n<ul>\n<li class=\"li1\"><span class=\"s1\">Go to definition<\/span><\/li>\n<li class=\"li1\"><span class=\"s1\">Find all references<\/span><\/li>\n<li class=\"li1\"><span class=\"s1\">Hover<\/span><\/li>\n<li class=\"li1\"><span class=\"s1\">Code lens showing the number of references, with single-click labels to generate inheritance and control-flow graphs<\/span><\/li>\n<\/ul>\n<p class=\"p1\">Vulnerability detector results are visualized directly in the editor and<strong> refreshed after every code change<\/strong>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-413\" src=\"https:\/\/abchprod.wpengine.com\/wp-content\/uploads\/2022\/11\/tools-for-solidity.png\" alt=\"\" width=\"1119\" height=\"581\" srcset=\"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/tools-for-solidity.png 1119w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/tools-for-solidity-300x156.png 300w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/tools-for-solidity-1024x532.png 1024w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/tools-for-solidity-768x399.png 768w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/tools-for-solidity-370x192.png 370w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/tools-for-solidity-760x395.png 760w\" sizes=\"auto, (max-width: 1119px) 100vw, 1119px\" \/><\/p>\n<p class=\"p1\">Static analysis tools can often warn of a possible issue in the code, but they can also report many false positive detections. <strong>A different approach is to test the implementation<\/strong> with simple unit tests or with more sophisticated, randomly generated test suites.<\/p>\n<h2 class=\"p1\">Dynamic analysis<\/h2>\n<p class=\"p1\">Many testing frameworks allow writing tests in JavaScript, Python, or even Solidity. One common problem when testing a cross-chain project is that <strong>the relayers between chains usually have to be simulated<\/strong>, or the implementation has to be tested on a testnet. Fortunately, <strong>Axelar offers its own development environment<\/strong> called <a href=\"https:\/\/docs.axelar.dev\/dev\/axelar-sandbox\/intro\">Axelar Sandbox<\/a>. This environment offers editors for Solidity and JavaScript and includes ready-made EVM-compatible blockchains, an Axelar Gateway and Axelar Relayers.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-412\" src=\"https:\/\/abchprod.wpengine.com\/wp-content\/uploads\/2022\/11\/axelar-sandbox.png\" alt=\"\" width=\"1427\" height=\"796\" srcset=\"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/axelar-sandbox.png 1427w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/axelar-sandbox-300x167.png 300w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/axelar-sandbox-1024x571.png 1024w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/axelar-sandbox-768x428.png 768w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/axelar-sandbox-370x206.png 370w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/axelar-sandbox-760x424.png 760w\" sizes=\"auto, (max-width: 1427px) 100vw, 1427px\" \/><\/p>\n<p class=\"p1\">It is often sufficient to emulate Axelar Gateway communication on a single chain. 
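<\/p>\n<p class=\"p1\">What such an emulation has to do can be shown in a few dozen lines of plain Python. The model below is an added example written for this page; it is not the post\u2019s code and not the <span class=\"s1\">axelar-gateway-mock<\/span> contract, and its class and method names are its own. Each emulated chain gets one gateway object and all of them live in the same process. Sending tokens burns on the source side and mints on the destination side, contract calls are delivered to the receiving object\u2019s <i>execute<\/i> or <i>execute_with_token<\/i> hook (loosely modelled on Axelar\u2019s executable interface), and a helper checks the project invariant that the token supply summed over all chains never changes while bridging. The two-chain fixture and the scenario are constructed for the example.<\/p>
```python
"""Single-chain model of Axelar-style bridging (added example, not axelar-gateway-mock)."""
from dataclasses import dataclass, field


class BridgeError(Exception):
    """Raised when a bridge operation must be rejected."""


@dataclass
class MintBurnToken:
    """Minimal token exposing the mint/burn hooks a gateway needs."""
    symbol: str
    balances: dict = field(default_factory=dict)
    total_supply: int = 0

    def mint(self, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount
        self.total_supply += amount

    def burn(self, holder, amount):
        if self.balances.get(holder, 0) < amount:
            raise BridgeError(f"{holder} holds too few {self.symbol} to burn {amount}")
        self.balances[holder] -= amount
        self.total_supply -= amount


class Receiver:
    """Destination contract; records what the gateway delivers to it."""
    def __init__(self):
        self.calls = []

    def execute(self, source_chain, source_address, payload):
        self.calls.append((source_chain, source_address, payload, None, 0))

    def execute_with_token(self, source_chain, source_address, payload, symbol, amount):
        self.calls.append((source_chain, source_address, payload, symbol, amount))


class SingleChainGateway:
    """One gateway per emulated chain; all gateways live in the same process."""
    def __init__(self, chain):
        self.chain = chain
        self.gateways = {}   # destination chain name -> SingleChainGateway
        self.tokens = {}     # symbol -> MintBurnToken deployed for this chain
        self.contracts = {}  # address -> Receiver deployed on this chain

    def register_gateway(self, other):
        self.gateways[other.chain] = other

    def register_token(self, token):
        self.tokens[token.symbol] = token

    def register_contract(self, address, contract):
        self.contracts[address] = contract

    def _route(self, dest_chain):
        if dest_chain not in self.gateways:
            raise BridgeError(f"{self.chain}: unknown destination chain {dest_chain}")
        return self.gateways[dest_chain]

    def _move(self, dest, sender, dest_address, symbol, amount):
        # Burn on the source side first: if that fails, nothing is minted anywhere.
        self.tokens[symbol].burn(sender, amount)
        dest.tokens[symbol].mint(dest_address, amount)

    def send_token(self, sender, dest_chain, dest_address, symbol, amount):
        self._move(self._route(dest_chain), sender, dest_address, symbol, amount)

    def call_contract(self, sender, dest_chain, dest_address, payload):
        dest = self._route(dest_chain)
        dest.contracts[dest_address].execute(self.chain, sender, payload)

    def call_contract_with_token(self, sender, dest_chain, dest_address, payload, symbol, amount):
        dest = self._route(dest_chain)
        self._move(dest, sender, dest_address, symbol, amount)
        dest.contracts[dest_address].execute_with_token(self.chain, sender, payload, symbol, amount)


def total_supply(gateways, symbol):
    """Invariant helper: supply summed over all emulated chains."""
    return sum(g.tokens[symbol].total_supply for g in gateways)


def build_two_chain_setup():
    """Constructed fixture: chains A and B, token TST on both, one receiver on B."""
    a, b = SingleChainGateway("A"), SingleChainGateway("B")
    a.register_gateway(b)
    b.register_gateway(a)
    for gateway in (a, b):
        gateway.register_token(MintBurnToken("TST"))
    receiver = Receiver()
    b.register_contract("0xreceiver", receiver)
    a.tokens["TST"].mint("alice", 1_000)  # the whole initial supply lives on chain A
    return a, b, receiver


def run_scenario():
    """Worked scenario; returns what a test would assert on."""
    a, b, receiver = build_two_chain_setup()
    supply_before = total_supply([a, b], "TST")
    a.send_token("alice", "B", "bob", "TST", 300)
    a.call_contract("alice", "B", "0xreceiver", b"ping")
    a.call_contract_with_token("alice", "B", "0xreceiver", b"pay", "TST", 100)
    rejected = {}
    # Negative cases: more than alice holds, and a chain that was never registered.
    for name, (chain, to, amount) in {"overspend": ("B", "bob", 10_000), "unknown_chain": ("C", "bob", 1)}.items():
        try:
            a.send_token("alice", chain, to, "TST", amount)
            rejected[name] = False
        except BridgeError:
            rejected[name] = True
    return {
        "alice_on_A": a.tokens["TST"].balances["alice"],
        "bob_on_B": b.tokens["TST"].balances["bob"],
        "receiver_on_B": b.tokens["TST"].balances["0xreceiver"],
        "receiver_calls": receiver.calls,
        "supply_preserved": total_supply([a, b], "TST") == supply_before,
        "overspend_rejected": rejected["overspend"],
        "unknown_chain_rejected": rejected["unknown_chain"],
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```
<p class=\"p1\">The point of the scenario is the two negative cases: a transfer the sender cannot cover and a transfer to a chain that was never registered must both fail before anything is minted, otherwise the supply invariant breaks. The same checks carry over to a Wake (or other framework) test against the real mock: after every bridged transfer, assert on the balances on both sides and on the summed supply, not only on the happy-path balance.<\/p>\n<p class=\"p1\">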
The <a href=\"https:\/\/github.com\/Ackee-Blockchain\/axelar-gateway-mock\"><span class=\"s1\">Ackee-Blockchain\/axelar-gateway-mock<\/span><\/a> repository<strong> contains a custom implementation of Axelar Gateway<\/strong> designed to be used on a single development chain. The <span style=\"color: #0000ff;\">AxelarGatewayMock<\/span> contract does not implement all of the<span style=\"color: #000000;\"> IAxelarGateway <\/span>interface functions, but it does implement the <span style=\"color: #0000ff;\"><em>sendToken<\/em><\/span>, <span style=\"color: #0000ff;\"><em>callContract<\/em><\/span>, and <span style=\"color: #0000ff;\"><em>callContractWithToken<\/em><\/span> functions, which are enough to exercise all three types of communication.<\/p>\n<p class=\"p1\"><strong><span style=\"color: #000000;\">An example use of the contract<\/span><\/strong> is given in the <a href=\"https:\/\/github.com\/Ackee-Blockchain\/axelar-gateway-mock\/blob\/master\/tests\/test_gateway_mock.py\">tests\/test_gateway_mock.py file<\/a>. The test is written using the Wake testing framework, but the syntax should be easy to follow and serves as a template for using the <span style=\"color: #0000ff;\">AxelarGatewayMock<\/span> contract with other testing frameworks.<\/p>\n<p class=\"p2\">First, <strong>Axelar Gateways must be deployed<\/strong> and each gateway must register the other gateways.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-406\" src=\"https:\/\/abchprod.wpengine.com\/wp-content\/uploads\/2022\/11\/Sni\u0301mek-obrazovky-2022-11-13-v-22.39.36.png\" alt=\"\" width=\"600\" height=\"136\" srcset=\"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/Sni\u0301mek-obrazovky-2022-11-13-v-22.39.36.png 2330w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/Sni\u0301mek-obrazovky-2022-11-13-v-22.39.36-300x68.png 300w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/Sni\u0301mek-obrazovky-2022-11-13-v-22.39.36-1024x232.png 1024w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/Sni\u0301mek-obrazovky-2022-11-13-v-22.39.36-768x174.png 768w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/Sni\u0301mek-obrazovky-2022-11-13-v-22.39.36-1536x347.png 1536w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/Sni\u0301mek-obrazovky-2022-11-13-v-22.39.36-2048x463.png 2048w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/Sni\u0301mek-obrazovky-2022-11-13-v-22.39.36-370x84.png 370w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/Sni\u0301mek-obrazovky-2022-11-13-v-22.39.36-760x172.png 760w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<p class=\"p1\">When working with tokens (<span style=\"color: #0000ff;\"><em>sendToken<\/em><\/span> and<span style=\"color: #0000ff;\"> <em>callContractWithToken<\/em><\/span> functions), it is also <strong>necessary to deploy a token instance<\/strong> for each Axelar Gateway and register the instances at the respective gateways.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-407\" src=\"https:\/\/abchprod.wpengine.com\/wp-content\/uploads\/2022\/11\/Sni\u0301mek-obrazovky-2022-11-13-v-22.43.58.png\" alt=\"\" width=\"600\" height=\"166\" srcset=\"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/Sni\u0301mek-obrazovky-2022-11-13-v-22.43.58.png 1462w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/Sni\u0301mek-obrazovky-2022-11-13-v-22.43.58-300x83.png 300w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/Sni\u0301mek-obrazovky-2022-11-13-v-22.43.58-1024x283.png 1024w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/Sni\u0301mek-obrazovky-2022-11-13-v-22.43.58-768x212.png 768w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/Sni\u0301mek-obrazovky-2022-11-13-v-22.43.58-370x102.png 370w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/Sni\u0301mek-obrazovky-2022-11-13-v-22.43.58-760x210.png 760w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<p class=\"p1\"><span style=\"color: #0000ff;\">AxelarGatewayMock<\/span> expects ERC20 tokens to<strong> implement the mint and burn functions<\/strong> with the following signatures:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-408\" src=\"https:\/\/abchprod.wpengine.com\/wp-content\/uploads\/2022\/11\/Sni\u0301mek-obrazovky-2022-11-13-v-22.45.40.png\" alt=\"\" width=\"600\" height=\"116\" srcset=\"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/Sni\u0301mek-obrazovky-2022-11-13-v-22.45.40.png 1464w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/Sni\u0301mek-obrazovky-2022-11-13-v-22.45.40-300x58.png 300w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/Sni\u0301mek-obrazovky-2022-11-13-v-22.45.40-1024x197.png 1024w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/Sni\u0301mek-obrazovky-2022-11-13-v-22.45.40-768x148.png 768w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/Sni\u0301mek-obrazovky-2022-11-13-v-22.45.40-370x71.png 370w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/Sni\u0301mek-obrazovky-2022-11-13-v-22.45.40-760x146.png 760w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<p class=\"p1\">It is then possible to call the <span style=\"color: #0000ff;\"><em>sendToken<\/em><\/span>, <span style=\"color: #0000ff;\"><em>callContract<\/em><\/span>, and <span style=\"color: #0000ff;\"><em>callContractWithToken<\/em><\/span> functions either directly from an externally owned account or via a contract. Full examples are available in the <a href=\"https:\/\/github.com\/Ackee-Blockchain\/axelar-gateway-mock\"><span class=\"s1\">repository<\/span><\/a>.<\/p>\n<h2>Summary<\/h2>\n<p class=\"p1\">Testing cross-chain projects has its own pitfalls, but the tools presented here can help catch common bugs. <strong>Both static and dynamic analysis tools should be used, because they cover different types of issues.<\/strong> Re-entrancy issues are rarely discovered by dynamic tests unless a test is written specifically to exercise them, while project-specific invariants (such as the total amount of minted tokens at a given time) cannot be checked by static analysis detectors.<\/p>\n<p class=\"p1\">In addition to in-house testing,<strong> it is highly recommended to perform periodic <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/audit\/\">audits<\/a><\/strong>. While nothing can guarantee 100% safety, using the proper tools along with <strong>periodic audits can greatly reduce the likelihood<\/strong> of a project being vulnerable to a serious issue.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Building projects on top of cross-chain solutions like Axelar can sometimes be tricky and may lead to security issues in the code. 
Fortunately, open-source tools can automatically detect many issues or help test the implementation.<\/p>\n","protected":false},"author":14,"featured_media":409,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10,103],"tags":[72,123,24,33,9,64,28,68,74,75,104],"class_list":["post-400","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ethereum","category-wake","tag-axelar","tag-developer-tooling","tag-ethereum","tag-evm","tag-open-source","tag-security","tag-smart-contract","tag-solidity","tag-tools-for-solidity","tag-vs-code","tag-wake"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/LayerZero-1-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/11\/LayerZero-1-600x600.png","author_info":{"display_name":"Michal P\u0159evr\u00e1til","author_link":"https:\/\/ackee.xyz\/blog\/author\/michal-prevratil\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/400","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=400"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/400\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/409"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=400"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=400"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xy
z\/blog\/wp-json\/wp\/v2\/tags?post=400"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}