{"id":524,"date":"2023-06-27T09:22:26","date_gmt":"2023-06-27T07:22:26","guid":{"rendered":"https:\/\/ackeeblockchain.com\/blog\/?p=524"},"modified":"2024-05-16T12:23:21","modified_gmt":"2024-05-16T10:23:21","slug":"axelar-utils-squid-router-audit-summary","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/axelar-utils-squid-router-audit-summary\/","title":{"rendered":"Axelar: Utils &#038; Squid Router audit summary"},"content":{"rendered":"<p><a href=\"https:\/\/axelar.network\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Axelar<\/span><\/a><span style=\"font-weight: 400;\"> Network is a scalable cross-chain communication platform.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Axelar engaged Ackee Blockchain to perform a security review of the Axelar Utils and <a href=\"https:\/\/www.squidrouter.com\/\" target=\"_blank\" rel=\"noopener\">Squid Router<\/a> implementation with a total time donation of <\/span><b>5 engineering days<\/b><span style=\"font-weight: 400;\"> in a period between <\/span><b>October 3<\/b><span style=\"font-weight: 400;\"> and <\/span><b>October 7, 2022.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Between <\/span><b>October 31, 2022 <\/b><span style=\"font-weight: 400;\">and <\/span><b>November 2, 2022, <\/b><span style=\"font-weight: 400;\">Ackee Blockchain performed <\/span><b>Revision 1.0.<\/b><\/p>\n<h4><b>METHODOLOGY<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">We began our review by using static analysis tools, namely <a href=\"https:\/\/ackeeblockchain.com\/blog\/woke-our-development-and-testing-framework-for-solidity\/\" target=\"_blank\" rel=\"noopener\">Wake<\/a> and Slither.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Then we implemented fuzz tests using Woke and Brownie to discover potential vulnerabilities.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We took a deep dive into the logic of the contracts. 
During the review, we paid special attention to:\u00a0<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">contracts are not susceptible to re-entrancy attacks<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">users of the contracts cannot lose their funds<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">helper and library functions work for all possible inputs<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">input data are properly validated.<\/span><\/li>\n<\/ul>\n<h4><b>SCOPE<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">The audit was performed on two repositories with the following commits and files.<\/span><\/p>\n<ol>\n<li><span style=\"font-weight: 400;\">Axelar Utils &#8211; 726020f<\/span><\/li>\n<\/ol>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">contracts\/ConstAddressDeployer.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">contracts\/StringAddressUtils.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">contracts\/StringBytesUtils.sol<\/span><\/li>\n<\/ul>\n<ol start=\"2\">\n<li><span style=\"font-weight: 400;\">A private repository &#8211; cdd406a<\/span><\/li>\n<\/ol>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">packages\/squidswap-contracts\/contracts\/RoledPausable.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">packages\/squidswap-contracts\/contracts\/SquidMulticall.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">packages\/squidswap-contracts\/contracts\/SquidRouterProxy.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">packages\/squidswap-contracts\/contracts\/SquidRouter.sol<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">During Revision 1.0, Ackee Blockchain performed an audit of a private repository with the commit 06d90e8 and the following file:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">packages\/squidswap-contracts\/contracts\/SquidFeeCollector.sol<\/span><\/li>\n<\/ul>\n<h4><b>FINDINGS<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Here we present our findings.<\/span><\/p>\n<h5><b>Critical severity<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">No critical severity issues were found.<\/span><\/p>\n<h5><b>High severity<\/b><\/h5>\n<p><b>H1: <\/b><span style=\"font-weight: 400;\">fundAndRunMulticall is not pausable<\/span><\/p>\n<h5><b>Medium severity<\/b><\/h5>\n<p><b>M1: <\/b>Missing Call.callType validation<\/p>\n<p><b>M2: <\/b>Missing isContract check in SquidMulticall<\/p>\n<p><b>M3:<\/b><span style=\"font-weight: 400;\"> Memory address overflow in _setCallDataParameter<\/span><\/p>\n<p><b>M4: <\/b><span style=\"font-weight: 400;\">Multicall implementation being too generic<\/span><\/p>\n<p><b>M5:<\/b><span style=\"font-weight: 400;\"> Re-entrancy in SquidRouter 
<\/span><\/p>\n<p><b>M6: <\/b><span style=\"font-weight: 400;\">Missing refundRecipient validation<\/span><\/p>\n<p><b>M7:<\/b><span style=\"font-weight: 400;\"> Missing destinationChain validation\u00a0<\/span><\/p>\n<h5><b>Low severity<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">No low severity issues were found.<\/span><\/p>\n<h5><b>Warning severity <\/b><\/h5>\n<p><b>W1:<\/b><span style=\"font-weight: 400;\"> Missing validation of the 0x prefix in string addresses\u00a0<\/span><\/p>\n<p><b>W2: <\/b><span style=\"font-weight: 400;\">Use of solc optimizer<\/span><\/p>\n<p><b>W3: <\/b><span style=\"font-weight: 400;\">Address helper functions not respecting EIP-55<\/span><\/p>\n<p><b>W4:<\/b><span style=\"font-weight: 400;\"> SquidRouter pausable can be bypassed<\/span><\/p>\n<p><b>W5: <\/b><span style=\"font-weight: 400;\">Integrator specific fee validation<\/span><\/p>\n<p><b>W6:<\/b><span style=\"font-weight: 400;\"> Integrator specific fee cannot be zero<\/span><\/p>\n<p><b>W7: <\/b><span style=\"font-weight: 400;\">Maximum integrator fee check can be bypassed<\/span><\/p>\n<h5><b>Informational severity <\/b><\/h5>\n<p><b>I1: <\/b><span style=\"font-weight: 400;\">Unnecessary abi.encodePacked<\/span><\/p>\n<p><b>I2: <\/b><span style=\"font-weight: 400;\">Multiple calls to pendingPauser<\/span><\/p>\n<p><b>I3:<\/b><span style=\"font-weight: 400;\"> Bytes length accessed in a for loop condition<\/span><\/p>\n<p><b>I4:<\/b><span style=\"font-weight: 400;\"> Inconsistent for loop incrementation<\/span><\/p>\n<p><b>I5:<\/b><span style=\"font-weight: 400;\"> Address code length can be checked before a call<\/span><\/p>\n<p><b>I6:<\/b><span style=\"font-weight: 400;\"> For loop variable can be incremented in an unchecked block<\/span><\/p>\n<p><b>I7: <\/b><span style=\"font-weight: 400;\">Missing NatSpec documentation<\/span><\/p>\n<p><b>I8:<\/b><span style=\"font-weight: 400;\"> Inconsistent behavior: Revert vs return default 
<\/span><\/p>\n<h4><b>CONCLUSION<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Our review resulted in <\/span><b>20 findings<\/b><span style=\"font-weight: 400;\">, ranging from <\/span><i><span style=\"font-weight: 400;\">Info<\/span><\/i><span style=\"font-weight: 400;\"> to <\/span><i><span style=\"font-weight: 400;\">High<\/span><\/i><span style=\"font-weight: 400;\"> severity.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Ackee Blockchain recommends Axelar and Squid:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">to reconsider the current architecture being too generic allowing loss of user funds with improperly crafted input data<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">not to rely only on the off-chain implementation and add data validation to the contracts<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">to add NatSpec comments to the code<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">to address all other reported issues.<\/span><\/li>\n<\/ul>\n<p><b>Ackee Blockchain\u2019s full <\/b><b><i>Axelar and Squid <\/i><\/b><b>audit report with a more detailed description of all findings and recommendations can be found<\/b> <a href=\"https:\/\/github.com\/0xsquid\/audits\/blob\/main\/audits\/2022-11%20Ackee%20Blockchain.pdf\" target=\"_blank\" rel=\"noopener\"><b>here<\/b><\/a><b>.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">We were delighted to audit<\/span><b> Axelar<\/b><span style=\"font-weight: 400;\"> and <\/span><b>Squid<\/b><span style=\"font-weight: 400;\"> and look forward to working with them again.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Axelar Network is a scalable cross-chain communication platform. 
Axelar engaged Ackee Blockchain to perform a security review of the Axelar Utils and Squid Router implementation with a total time donation of 5 engineering days in a period between October 3 and October 7, 2022. Between October 31, 2022 and November 2, 2022, Ackee Blockchain performed Revision 1.0. METHODOLOGY We began our review&hellip;<\/p>\n","protected":false},"author":15,"featured_media":525,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,10,80,103],"tags":[21,72,24,68,119],"class_list":["post-524","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audits","category-ethereum","category-solidity","category-wake","tag-audit","tag-axelar","tag-ethereum","tag-solidity","tag-squid-router"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2023\/06\/Axelar-squid-audit-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2023\/06\/Axelar-squid-audit-600x600.png","author_info":{"display_name":"Aleksandra 
Yudina","author_link":"https:\/\/ackee.xyz\/blog\/author\/aleksandra-yudina\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/524","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=524"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/524\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/525"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=524"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=524"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=524"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}