FLUIDKEY is a protocol that automates tasks on multiple blockchain networks. Using a modular architecture, the approved relay can trigger automated tasks with a safe module.
This system implements comprehensive security measures, including signature verification of the start of transactions and approval for all operations. The protocol infrastructure has been built to handle automated asset management work while maintaining strict security requirements.
methodology
Our review process combines automated analysis using the cord base awakening and manual review. I used Wake Testing Framework for testing purposes.
During the review, we paid special attention later.
- The arithmetic guarantee of the system is correct.
- Reinvision detection possible in the code;
- Access control is not too comfortable or strict.
- Confirmation of signatures;
- Write a comprehensive unit test using a wake -framework;
- We are looking for common problems such as data verification
range
The first audit was performed at Commit 6aca8f And there was that range src/FluidkeyEarnModule.sol
The second review was carried out for a given commit. 665108. The FLUIDKEY team solved all the issues reported in the previous revision.
Security discovery classification is determined by two grades. influence and What can be. This two -dimensional classification helps to clarify the seriousness of individual problems. The problem to be evaluated middle It is severe, but the possibility of being found only by the team is generally reduced according to the possibility. warning or Information provision Severe rating.
Our review results have emerged 9 DiscoveryIt ranges from information to seriousness. The most serious is H1, which explains possible playbacks on protocols. M1 is at risk of exceeding MAX_TOKENS Restrictions that lead to potentially unexpected behavior.
Threshold
There was no important serious problem.
The severity is high
H1: Cross chain regeneration attack vulnerability
Intermediate
M1: MAX_TOKENS By bypass restriction setConfig It leads to unintended module sustainability
Low severity
There is no problem with low severity.
Significance of warning
W1: Unidentified return value
W2: The empty configuration is possible by installing the module
W3: Event of misunderstanding deleteConfig
Information seriousness
I1: The variable can be immutable
I2: Instead of constant, the wrong use of immutable use
i3: Documents with misunderstandings
I4: Unnecessary external call
Trust model
The user must trust the safe module implementation in order to securely handle deposits and not include a vulnerability that can damage the funds. This protocol depends on the approved relay and starts an automatic deposit and requires trust in behavior and key management. The integrated ERC4626 vault must be trusted to properly manage deposit assets.
conclusion
AcKee Blockchain Security is recommended:
- Modify the MAX_TOKENS validation in the setconfig function.
- Implement the appropriate theorem during the removal of the module.
- Add the chain ID to the signing verification.
- Solve all other reports.
You can find the entire FluidKey audit report of AcKee Blockchain Security. here.
We were happy to be grateful for FluidKey and expect to work with them again.