{"id":533,"date":"2023-08-04T13:24:58","date_gmt":"2023-08-04T11:24:58","guid":{"rendered":"https:\/\/ackeeblockchain.com\/blog\/?p=533"},"modified":"2024-07-04T15:21:33","modified_gmt":"2024-07-04T13:21:33","slug":"reserve-protocol-audit-summary-2","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/reserve-protocol-audit-summary-2\/","title":{"rendered":"Reserve Protocol: audit summary"},"content":{"rendered":"<p>The <a href=\"https:\/\/reserve.org\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Reserve Protocol<\/span><\/a><span style=\"font-weight: 400;\"> is the first platform that allows for the permissionless creation of asset-backed, yield-bearing &amp; overcollateralized stablecoins on Ethereum.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Reserve engaged Ackee Blockchain to perform a security review of the Reserve Protocol with a total time donation of <\/span><b>20 engineering days<\/b><span style=\"font-weight: 400;\"> in a period between <\/span><b>July 27 <\/b><span style=\"font-weight: 400;\">and <\/span><b>August 25, 2022.<\/b><span style=\"font-weight: 400;\">\u00a0<\/span><\/p>\n<h2><b>METHODOLOGY<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">We began our review by using static analysis tools, namely Slither and the solc compiler.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This produced a number of suspected issues, which we investigated in detail; most of them turned out to be false positives. We then took a deep dive into the logic of the contracts. 
During the review, we paid special attention to:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">understanding the protocol architecture<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">line-by-line code review<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">checking the upgradeability implementation<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">detecting possible reentrancies in the code<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">ensuring access controls are not too relaxed or too strict<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">looking for common issues, such as insufficient data validation.<\/span><\/li>\n<\/ul>\n<h2><b>SCOPE <\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Three auditors performed the audit on the public repository at the following commits and files:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"https:\/\/github.com\/reserve-protocol\/protocol\/tree\/5cc6e94d9adfdab636a3cf3bfa72888bd6a6020d\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">https:\/\/github.com\/reserve-protocol\/protocol\/tree\/5cc6e94d9adfdab636a3cf3bfa72888bd6a6020d<\/span><\/a>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">contracts\/p1\/*.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">contracts\/interfaces\/*.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">contracts\/plugins\/assets\/*.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">contracts\/plugins\/trading\/*.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" 
aria-level=\"2\"><span style=\"font-weight: 400;\">contracts\/libraries\/*.sol<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Revision 1.1 was performed on commit 6559fcd from <\/span><b>October 6, 2022.<\/b><\/p>\n<h2><b>FINDINGS<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Here we present our <\/span><span style=\"font-weight: 400;\">findings<\/span><span style=\"font-weight: 400;\">.<\/span><\/p>\n<h3><b>Critical severity\u00a0<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">No critical severity issues were found.\u00a0<\/span><\/p>\n<h3><b>High severity\u00a0<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">No high severity issues were found.\u00a0<\/span><\/p>\n<h3><b>Medium severity<\/b><\/h3>\n<p><b>M1: <\/b><span style=\"font-weight: 400;\">Unlimited allowance\u00a0<\/span><\/p>\n<p><b>M2: <\/b><span style=\"font-weight: 400;\">Downcasting overflow<\/span><\/p>\n<p><b>M3: <\/b><span style=\"font-weight: 400;\">Insufficient data validation<\/span><\/p>\n<h3><b>Low severity<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">No low severity issues were found.\u00a0<\/span><\/p>\n<h3><b>Warning severity <\/b><\/h3>\n<p><b>W1:<\/b><span style=\"font-weight: 400;\"> Code duplications<\/span><\/p>\n<p><b>W2: <\/b><span style=\"font-weight: 400;\">Basket nonce double increment<\/span><\/p>\n<p><b>W3: <\/b><span style=\"font-weight: 400;\">Enum to uint casting<\/span><\/p>\n<p><b>W4:<\/b><span style=\"font-weight: 400;\"> Wrong revert message<\/span><\/p>\n<p><b>W5: <\/b><span style=\"font-weight: 400;\">Support for metatransactions<\/span><\/p>\n<p><b>W6: <\/b><span style=\"font-weight: 400;\">Usage of solc optimizer <\/span><\/p>\n<h3><b>Informational severity <\/b><\/h3>\n<p><b>I1:<\/b><span style=\"font-weight: 400;\"> Unnecessary function override<\/span><\/p>\n<h2><b>CONCLUSION<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Our review resulted in 10 findings, ranging from <\/span><i><span style=\"font-weight: 
400;\">Info<\/span><\/i><span style=\"font-weight: 400;\"> to <\/span><i><span style=\"font-weight: 400;\">Medium<\/span><\/i><span style=\"font-weight: 400;\"> severity. The three most severe (medium) issues, M1: Unlimited allowance, M2: Downcasting overflow and M3: Insufficient data validation, do not directly endanger the protocol in a reasonable timespan.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">During our review, we investigated several potentially severe issues, including one potentially critical one. None of them was confirmed after writing an exploit script.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We <\/span><span style=\"font-weight: 400;\">recommend that Reserve:\u00a0<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">be aware of malicious token implementations<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">remove code duplications<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">address or explain all reported issues<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">add Natspec documentation.<\/span><\/li>\n<\/ul>\n<p><b>Ackee Blockchain\u2019s full <\/b><b><i>Reserve<\/i><\/b><b> audit report with a more detailed description of all findings and recommendations can be found <\/b><a href=\"https:\/\/github.com\/reserve-protocol\/protocol\/blob\/master\/audits\/Ackee%20-%20abch-reserve-protocol-report-1.1.pdf\" target=\"_blank\" rel=\"noopener\"><b>here<\/b><\/a><b>.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">We were delighted to audit<\/span><b> Reserve<\/b><span style=\"font-weight: 400;\"> and look forward to working with them again.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Reserve Protocol is the first platform that allows for the permissionless creation of asset-backed, yield-bearing &amp; 
overcollateralized stablecoins on Ethereum.\u00a0 Reserve engaged Ackee Blockchain to perform a security review of the Reserve Protocol with a total time donation of 20 engineering days in a period between July 27 and August 25, 2022.\u00a0 METHODOLOGY We began our review by using static analysis&hellip;<\/p>\n","protected":false},"author":15,"featured_media":534,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,10,80],"tags":[21,24,116,68],"class_list":["post-533","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audits","category-ethereum","category-solidity","tag-audit","tag-ethereum","tag-reserve-protocol","tag-solidity"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2023\/08\/Reserve-protocol-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2023\/08\/Reserve-protocol-600x600.png","author_info":{"display_name":"Aleksandra 
Yudina","author_link":"https:\/\/ackee.xyz\/blog\/author\/aleksandra-yudina\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/533","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=533"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/533\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/534"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=533"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=533"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=533"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}