{"id":618,"date":"2023-12-15T12:43:02","date_gmt":"2023-12-15T10:43:02","guid":{"rendered":"https:\/\/ackeeblockchain.com\/blog\/?p=618"},"modified":"2024-05-16T10:43:30","modified_gmt":"2024-05-16T08:43:30","slug":"%d1%81ow-protocol-composablecow-extensiblefallbackhandler-audit-summary","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/%d1%81ow-protocol-composablecow-extensiblefallbackhandler-audit-summary\/","title":{"rendered":"CoW Protocol: ComposableCoW &#038; ExtensibleFallbackHandler audit summary"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">CoW Swap is the first trading interface built on top of CoW Protocol. CoW Swap is a Meta DEX aggregator that allows you to buy and sell tokens using gasless orders that are settled peer-to-peer among users, or into any on-chain liquidity source, while providing protection from MEV.<\/span><\/p>\n<p><a href=\"https:\/\/cow.fi\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">CoW Protocol<\/span><\/a><span style=\"font-weight: 400;\"> engaged Ackee Blockchain to perform a security review of ComposableCoW &amp; ExtensibleFallbackHandler with a total time allocation of <\/span><b>8 engineering days<\/b><span style=\"font-weight: 400;\"> in the period between <\/span><b>July 18<\/b><span style=\"font-weight: 400;\"> and <\/span><b>July 28, 2023<\/b><span style=\"font-weight: 400;\">.<\/span><\/p>\n<h4><b>METHODOLOGY<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">We began our review by using static analysis tools, namely <\/span><a href=\"https:\/\/getwake.io\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Wake<\/span><\/a><span style=\"font-weight: 400;\">. We then took a deep dive into the logic of the contracts. For testing, we used the <\/span><span style=\"font-weight: 400;\">Wake<\/span> <span style=\"font-weight: 400;\">testing framework. 
During the review, we paid special attention to:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">replay attacks<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">signature validation<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">payload manipulation<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">detecting possible reentrancies<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">ensuring the arithmetic of the system is correct<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">the correctness of encoding\/decoding data<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">ERC-1271 compliance<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">looking for common issues such as data validation.\u00a0<\/span><\/li>\n<\/ul>\n<h4><b>SCOPE <\/b><\/h4>\n<p><span style=\"font-weight: 400;\">The audit has been performed on the following scope:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"https:\/\/github.com\/rndlabs\/composable-cow\"><span style=\"font-weight: 400;\">https:\/\/github.com\/rndlabs\/composable-cow<\/span><\/a>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Commit <\/span><span style=\"font-weight: 400;\">cd893fa<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">All contracts<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"https:\/\/github.com\/rndlabs\/safe-contracts\"><span style=\"font-weight: 400;\">https:\/\/github.com\/rndlabs\/safe-contracts<\/span><\/a>\n<ul>\n<li style=\"font-weight: 400;\" 
aria-level=\"2\"><span style=\"font-weight: 400;\">Commit <\/span><span style=\"font-weight: 400;\">e53ffea<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">contracts\/handler\/ExtensibleFallbackHandler.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">All contracts in <\/span><span style=\"font-weight: 400;\">contracts\/handler\/extensible\/\u00a0<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">The review was done on the given commits <\/span><span style=\"font-weight: 400;\">(Revision 1.0)<\/span><span style=\"font-weight: 400;\">:\u00a0<\/span><\/p>\n<ul>\n<li><span style=\"font-weight: 400;\">27ec79b <\/span><span style=\"font-weight: 400;\">for ComposableCoW<\/span><\/li>\n<li><span style=\"font-weight: 400;\">11273c1 <\/span><span style=\"font-weight: 400;\">for ExtensibleFallbackHandler\u00a0<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Revision 1.2 was done on the ComposableCoW commit <\/span><span style=\"font-weight: 400;\">bd2634d<\/span><span style=\"font-weight: 400;\">; the ExtensibleFallbackHandler commit was not changed since Revision 1.1.\u00a0<\/span><\/p>\n<h4><b>FINDINGS<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Here we present our <\/span><span style=\"font-weight: 400;\">findings<\/span><span style=\"font-weight: 400;\">.<\/span><\/p>\n<h5><b>Critical severity\u00a0<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">C1: StopLoss arithmetic mismatches\u00a0<\/span><\/p>\n<h5><b>High severity\u00a0<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">No high severity issues were found.<\/span><\/p>\n<h5><b>Medium severity<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">M1: Oracle data validation\u00a0<\/span><\/p>\n<h5><b>Low severity<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">L1: Constructor data validation\u00a0<\/span><\/p>\n<h5><b>Warning severity <\/b><\/h5>\n<p><span style=\"font-weight: 
400;\">W1: GPv2Order data tampering <\/span><\/p>\n<p><span style=\"font-weight: 400;\">W2: Revert conditions inconsistency <\/span><\/p>\n<p><span style=\"font-weight: 400;\">W3: Vulnerable MerkleProof library <\/span><\/p>\n<p><span style=\"font-weight: 400;\">W4: GoodAfterTime order is missing the receiver address <\/span><\/p>\n<h5><b>Informational severity <\/b><\/h5>\n<p>I1: Unnecessary SafeMath<\/p>\n<p>I2: Missing cabinet cleanup<\/p>\n<p>I3: Errors in the documentation<\/p>\n<p>I4: TradeAboveThreshold order receiver naming<\/p>\n<p>I5: Inconsistent error<\/p>\n<p>I6: Commented-out code<\/p>\n<p>I7: Inconsistent naming<\/p>\n<h4><b>CONCLUSION<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Our review resulted in 14 findings, ranging from Informational to Critical severity. <\/span> <span style=\"font-weight: 400;\">The critical issue <\/span><span style=\"font-weight: 400;\">C1: StopLoss arithmetic mismatches <\/span><span style=\"font-weight: 400;\">has been fixed according to our recommendations, and the decimals handling in the <\/span><span style=\"font-weight: 400;\">M1: Oracle data validation <\/span><span style=\"font-weight: 400;\">issue was implemented properly (Revision 1.2).<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The remaining issues are a low-severity data validation finding, warnings and informational findings, which are recommendations rather than vulnerabilities. The overall code quality and architecture are professional. 
The whole project is well documented and contains in-code NatSpec documentation and detailed comments.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Ackee Blockchain recommends CoW Protocol:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">to add oracle data validations<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">to pay attention to zero-address validations<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">to unify syntax and naming<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">to address all reported issues.\u00a0<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">As of Revision 1.2, the L1: Constructor data validation issue was acknowledged; all other issues were fixed.\u00a0<\/span><\/p>\n<p><b>Ackee Blockchain\u2019s full <\/b><b><i>CoW Protocol <\/i><\/b><b>audit report with a more detailed description of all findings and recommendations can be found <\/b><a href=\"https:\/\/github.com\/Ackee-Blockchain\/public-audit-reports\/blob\/master\/2023\/ackee-blockchain-cow-protocol-composablecow-extensiblefallbackhandler-report.pdf\" target=\"_blank\" rel=\"noopener\"><b>here<\/b><\/a><b>.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">We were delighted to audit<\/span><b> CoW Protocol<\/b><span style=\"font-weight: 400;\"> and look forward to working with them again.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CoW Swap is the first trading interface built on top of CoW Protocol. CoW Swap is a Meta DEX aggregator that allows you to buy and sell tokens using gasless orders that are settled peer-to-peer among users, or into any on-chain liquidity source, while providing protection from MEV. 
CoW Protocol engaged Ackee Blockchain to perform a security review of the ComposableCoW &amp;&hellip;<\/p>\n","protected":false},"author":15,"featured_media":619,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,10,80,103],"tags":[21,109,32,24,68,104],"class_list":["post-618","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audits","category-ethereum","category-solidity","category-wake","tag-audit","tag-cow-protocol","tag-defi","tag-ethereum","tag-solidity","tag-wake"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2023\/12\/COW_BLOG-1-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2023\/12\/COW_BLOG-1-600x600.png","author_info":{"display_name":"Aleksandra Yudina","author_link":"https:\/\/ackee.xyz\/blog\/author\/aleksandra-yudina\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/618","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=618"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/618\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/619"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=618"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=618"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=618"}],"curies":[{"name":"wp","href":"htt
ps:\/\/api.w.org\/{rel}","templated":true}]}}