CoW Swap is the first trading interface built on the CoW protocol. CoW Swap is a Meta DEX aggregator that allows you to buy and sell tokens using gasless orders settled peer-to-peer between users or settled with on-chain liquidity sources, while providing protection from MEV.
cow protocol We performed a security review of ComposableCoW and ExtensibleFallbackHandler leveraging Ackee Blockchain, with total time donations as follows: 8 engineering days in the period between July 18th and July 28, 2023.
methodology
We use static analysis tools, namely wake up. We then took a closer look at the logic of the contract. For testing we wake up Test framework. During the review process, we paid special attention to the following:
- replay attack
- Signature Verification
- Payload manipulation
- Possible re-entry detection
- Verify that the system’s calculations are correct
- Accuracy of data encoding/decoding
- ERC-1271 compliance
- I’m looking for common problems like data validation.
range
The audit was conducted in the following scope:
A review has been performed on the specified commit. Revision 1.0:
- 27ec79b For ComposableCow
- 11273c1 For ExtensibleFallbackHandler
Revision 1.2 was done in the ComposableCow commit. bd2634dThe ExtensibleFallbackHandler commit has not changed since Revision 1.1.
result
Here we have our result.
critical severity
C1: StopLoss arithmetic mismatch
Severity High
No high severity issues were found.
medium severity
M1: Oracle data validation
low severity
L1: Constructor data validation
warning severity
W1: GPv2Order data tampering
W2: Revert condition mismatch
W3: Vulnerable MerkleProof library
W4: GoodAfterTime order is missing recipient address.
Information Severity
I1: Unnecessary SafeMath
I2: Missing cabinet organization
I3: Error in documentation
I4: Specify TradeAboveThreshold order recipient name
I5: mismatch error
I6: Commented code
I7: Inconsistent naming
conclusion
The review resulted in 14 findings ranging in severity from informational to critical. important issue C1: StopLoss arithmetic mismatch Modified according to our recommendations and M1: Oracle data validation The issue has been implemented correctly (revision 1.2).
Other issues include low-severity data validation, warnings, and informational findings, which are recommendations rather than issues. The overall code quality and architecture are professional. The entire project is well documented, with in-code NatSpec documentation and detailed explanations.
Ackee Blockchain recommends the CoW protocol.
- To add Oracle data validation
- Know about zero address verification
- To unify syntax and naming
- We resolve all reported issues.
As of revision 1.2, the L1: constructor data validation issue has been acknowledged and all other issues have been fixed.
Ackee blockchain is full COW Protocol You can find the audit report with a more detailed description of all findings and recommendations. here.
We were happy to give our thanks. cow protocol We look forward to working with them again.