{"id":516,"date":"2023-06-02T09:31:23","date_gmt":"2023-06-02T07:31:23","guid":{"rendered":"https:\/\/ackeeblockchain.com\/blog\/?p=516"},"modified":"2024-05-16T12:37:48","modified_gmt":"2024-05-16T10:37:48","slug":"glitter-finance-evm-contracts-audit-summary","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/glitter-finance-evm-contracts-audit-summary\/","title":{"rendered":"Glitter Finance: EVM Contracts audit summary"},"content":{"rendered":"<p><a href=\"https:\/\/glitterfinance.org\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Glitter Finance<\/span><\/a>\u00a0<span style=\"font-weight: 400;\">is a base layer technology focused on interoperability, liquidity movement and ease of use. The bridge provides an interoperability solution that serves as a base layer for layer-1 networks and DeFi protocols across multiple blockchain networks.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Glitter Finance engaged Ackee Blockchain to perform a security review of the Glitter EVM smart contracts with a total time donation of 4 engineering days in a period between <\/span><b>May 2<\/b><span style=\"font-weight: 400;\"> and <\/span><b>May 10, 2023<\/b><span style=\"font-weight: 400;\">.<\/span><\/p>\n<h4><b>METHODOLOGY<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">We began our review by using static analysis tools, namely <\/span><a href=\"https:\/\/ackeeblockchain.com\/blog\/woke-our-development-and-testing-framework-for-solidity\/\"><span style=\"font-weight: 400;\">Wake<\/span><\/a><span style=\"font-weight: 400;\">. We then took a deep dive into the logic of the contracts. For local deployment, testing and fuzzing, we used the <\/span><span style=\"font-weight: 400;\">Woke <\/span><span style=\"font-weight: 400;\">testing framework. 
<\/span><\/p>\n<p><span style=\"font-weight: 400;\">During the review, we paid special attention to:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">the possibility of double spending,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">detecting possible reentrancies in the code,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">ensuring access controls are neither too relaxed nor too strict,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">cross-chain token handling,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">proper on-chain data validation.\u00a0<\/span><\/li>\n<\/ul>\n<h4><b>SCOPE\u00a0<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">The scope of the audit is the EVM contracts of the protocol. The contracts serve as the entry point for users and are responsible for locking\/burning tokens on the source chain and releasing\/minting tokens on the destination chain.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The audit has been performed on the commit <\/span><span style=\"font-weight: 400;\">326f0fe <\/span><span style=\"font-weight: 400;\">and the scope was the following:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">BaseVault.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">LockReleaseVault.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">MintBurnVault.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">GlitterRouter.sol <\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">During Revision 1.1, <\/span><span style=\"font-weight: 400;\">Glitter engaged Ackee Blockchain to perform a fix review on the given 
commit: <\/span><span style=\"font-weight: 400;\">462ed5b<\/span><span style=\"font-weight: 400;\">. <\/span><\/p>\n<h4><b>FINDINGS<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Here we present our <\/span><span style=\"font-weight: 400;\">findings<\/span><span style=\"font-weight: 400;\">.<\/span><\/p>\n<h5><b>Critical severity\u00a0<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">No critical severity issues were found.\u00a0<\/span><\/p>\n<h5><b>High severity\u00a0<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">No high severity issues were found.\u00a0<\/span><\/p>\n<h5><b>Medium severity<\/b><\/h5>\n<p><b>M1: <\/b><span style=\"font-weight: 400;\">Missing handling of a token shortage\u00a0<\/span><\/p>\n<p><b>M2: <\/b><span style=\"font-weight: 400;\">Problematic decimals <\/span><\/p>\n<h5><b>Low severity<\/b><\/h5>\n<p><b>L1: <\/b><span style=\"font-weight: 400;\">Vaults mapping logic\u00a0<\/span><\/p>\n<h5><b>Warning severity <\/b><\/h5>\n<p><b>W1:<\/b><span style=\"font-weight: 400;\"> Lack of data validation in deposit function <\/span><\/p>\n<p><b>W2:<\/b><span style=\"font-weight: 400;\"> Lack of emits in state-changing functions\u00a0<\/span><\/p>\n<h5><b>Informational severity <\/b><\/h5>\n<p><b>I1:<\/b><span style=\"font-weight: 400;\"> Missing parameters in NatSpec\u00a0<\/span><\/p>\n<h4><b>CONCLUSION<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Our review resulted in <\/span><b>6 findings<\/b><span style=\"font-weight: 400;\">, ranging from <\/span><i><span style=\"font-weight: 400;\">Info<\/span><\/i><span style=\"font-weight: 400;\"> to <\/span><i><span style=\"font-weight: 400;\">Medium<\/span><\/i><span style=\"font-weight: 400;\"> severity. The code is very clear and well-documented. Standard documentation is missing, but the code is self-explanatory. The code is also well-tested. 
A big part of the logic is in the backend code of the bridge protocol, which was not in the scope of this audit.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We recommended Glitter to:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">add stronger data validation,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">emit events for all state changes,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">address all other reported issues.\u00a0<\/span><\/li>\n<\/ul>\n<p><b>Ackee Blockchain\u2019s full <\/b><b><i>Glitter protocol<\/i><\/b><b> audit report with a more detailed description of all findings and recommendations can be found <\/b><a href=\"https:\/\/docsend.com\/view\/4ypv7h8c3xbffrr9\" target=\"_blank\" rel=\"noopener\"><b>here<\/b><\/a><b>.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">We were delighted to audit<\/span><b> Glitter Finance<\/b><span style=\"font-weight: 400;\"> and look forward to working with them again.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Glitter Finance\u00a0is a base layer technology focused on interoperability, liquidity movement and ease of use. The bridge provides an interoperability solution that serves as a base layer for layer-1 networks and DeFi protocols across multiple blockchain networks. 
Glitter Finance engaged Ackee Blockchain to perform a security review of the Glitter EVM smart contracts with a total time donation of 4 engineering days&hellip;<\/p>\n","protected":false},"author":15,"featured_media":517,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,10,80,103],"tags":[21,24,120,68],"class_list":["post-516","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audits","category-ethereum","category-solidity","category-wake","tag-audit","tag-ethereum","tag-glitter-finance","tag-solidity"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2023\/06\/Glitter-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2023\/06\/Glitter-600x600.png","author_info":{"display_name":"Aleksandra Yudina","author_link":"https:\/\/ackee.xyz\/blog\/author\/aleksandra-yudina\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/516","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=516"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/516\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/517"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=516"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=516"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=516"}],"curie
s":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}