{"id":576,"date":"2023-09-15T07:24:43","date_gmt":"2023-09-15T05:24:43","guid":{"rendered":"https:\/\/ackeeblockchain.com\/blog\/?p=576"},"modified":"2024-07-04T13:31:31","modified_gmt":"2024-07-04T11:31:31","slug":"prime-wormhole-route-audit-summary","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/prime-wormhole-route-audit-summary\/","title":{"rendered":"Prime: Wormhole route\u00a0audit summary"},"content":{"rendered":"<p><a href=\"https:\/\/www.primeprotocol.xyz\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Prime Protocol<\/span><\/a><span style=\"font-weight: 400;\"> allows users to deposit assets on any supported chain and receive another asset loan backed by their entire portfolio of assets. The scope of this audit was the Wormhole route that is used for message passing in the protocol.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Prime engaged Ackee Blockchain to perform a security review of the Wormhole route of the Prime protocol with a total time donation of<\/span><b> 5 engineering days<\/b><span style=\"font-weight: 400;\"> in a period between <\/span><b>January 9<\/b><span style=\"font-weight: 400;\"> and <\/span><b>January 13, 2023<\/b><span style=\"font-weight: 400;\">.\u00a0<\/span><\/p>\n<h4><b>METHODOLOGY<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">We began our review by using static analysis tools, namely Woke. We then took a deep dive into the logic of the contracts and used the Woke testing framework for cross-chain testing. 
During the review, we paid special attention to:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">checking if chain IDs are correctly translated during cross-chain calls<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">ensuring the messages cannot be replayed maliciously<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">detecting possible reentrancies in the code<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">ensuring access controls are not too relaxed or too strict<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">looking for common issues such as insufficient data validation.\u00a0<\/span><\/li>\n<\/ul>\n<h4><b>SCOPE <\/b><\/h4>\n<p><span style=\"font-weight: 400;\">The audit has been performed on the commit <\/span><span style=\"font-weight: 400;\"><code class=\"codehl\">5942f84<\/code> <\/span><span style=\"font-weight: 400;\">and the exact scope was the following files:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">WormholeAdmin.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">WormholeEvents.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">WormholeModifiers.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">WormholeRoute.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">WormholeStorage.sol\u00a0<\/span><\/li>\n<\/ul>\n<h4><b>FINDINGS<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Here we present our <\/span><span style=\"font-weight: 400;\">findings<\/span><span style=\"font-weight: 400;\">.<\/span><\/p>\n<h5><b>Critical severity\u00a0<\/b><\/h5>\n<p><span 
style=\"font-weight: 400;\">No critical severity issues were found.\u00a0<\/span><\/p>\n<h5><b>High severity\u00a0<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">No high severity issues were found.\u00a0<\/span><\/p>\n<h5><b>Medium severity<\/b><\/h5>\n<p><b>M1: <\/b><span style=\"font-weight: 400;\">Unlimited allowance\u00a0<\/span><\/p>\n<p><b>M2: <\/b><span style=\"font-weight: 400;\">Downcasting overflow<\/span><\/p>\n<p><b>M3: <\/b><span style=\"font-weight: 400;\">Insufficient data validation<\/span><\/p>\n<h5><b>Low severity<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">No low severity issues were found.\u00a0<\/span><\/p>\n<h5><b>Warning severity <\/b><\/h5>\n<p><b>W1:<\/b><span style=\"font-weight: 400;\"> Admin functions data validation<\/span><\/p>\n<p><b>W2: <\/b><span style=\"font-weight: 400;\">Replay attack protection <\/span><\/p>\n<p><b>W3:<\/b><span style=\"font-weight: 400;\"> Usage of solc optimizer <\/span><\/p>\n<h5><b>Informational severity<\/b><\/h5>\n<p><b>I1: <\/b><span style=\"font-weight: 400;\">Missing NatSpec documentation <\/span><\/p>\n<p><b>I2: <\/b><span style=\"font-weight: 400;\">Too many similar function names <\/span><\/p>\n<p><b>I3:<\/b><span style=\"font-weight: 400;\"> The changeAdmin function should emit an event <\/span><\/p>\n<h4><b>CONCLUSION<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Our review resulted in 6 findings, ranging from <\/span><i><span style=\"font-weight: 400;\">Info<\/span><\/i><span style=\"font-weight: 400;\"> to <\/span><i><span style=\"font-weight: 400;\">Warning<\/span><\/i><span style=\"font-weight: 400;\"> severity.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We <\/span><span style=\"font-weight: 400;\">recommend that Prime:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">create NatSpec documentation for easier reviews<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 
400;\">address all other reported issues.\u00a0<\/span><\/li>\n<\/ul>\n<p><b>Ackee Blockchain\u2019s full <\/b><b><i>Prime<\/i><\/b><b> audit report with a more detailed description of all findings and recommendations can be found <\/b><a href=\"https:\/\/1693296291-files.gitbook.io\/~\/files\/v0\/b\/gitbook-x-prod.appspot.com\/o\/spaces%2FdpSjjfnOibWmPsqorJ9f%2Fuploads%2FWDM0ZpVIE4F2b2IMVgAP%2Fabch-prime-report-1.2.pdf?alt=media&amp;token=73180651-cd4c-4a4e-bb8a-40fefc2cc7b7\" target=\"_blank\" rel=\"noopener\"><b>here<\/b><\/a><b>.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">We were delighted to audit<\/span><b> Prime<\/b><span style=\"font-weight: 400;\"> and look forward to working with them again.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Prime Protocol allows users to deposit assets on any supported chain and receive another asset loan backed by their entire portfolio of assets. The scope of this audit was the Wormhole route that is used for message passing in the protocol.\u00a0 Prime engaged Ackee Blockchain to perform a security review of the Wormhole route of the Prime protocol with a total time donation&hellip;<\/p>\n","protected":false},"author":15,"featured_media":577,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,10,80],"tags":[21,24,111,68],"class_list":["post-576","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audits","category-ethereum","category-solidity","tag-audit","tag-ethereum","tag-prime","tag-solidity"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2023\/09\/Prime-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2023\/09\/Prime-600x600.png","author_info":{"display_name":"Aleksandra 
Yudina","author_link":"https:\/\/ackee.xyz\/blog\/author\/aleksandra-yudina\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/576","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=576"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/576\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/577"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=576"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=576"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=576"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}