Catalyst enables direct atomic swaps between different blockchains such as Ethereum, Cosmos, Optimism, and Eclipse, eliminating the need for bridged assets.
Catalyst’s incentive message escrow protocol acts as an abstraction layer between arbitrary message bridges and the applications that use them. It allows applications to send messages between chains in a trustless manner. The protocol is designed to be chain agnostic, so it can be used on any blockchain that is compatible with the EVM.
Catalyst engaged Ackee Blockchain to conduct a security review of the changes to the Generalised Incentives Protocol. The smart contracts were previously audited for a total of 10 engineering days of time donation between April 15, 2024 and April 26, 2024. The previous Catalyst audit summary covered revisions 1.0 and 1.1. This audit summary focuses on the methodology, findings, and recommendations for revisions 2.0 and 2.1.
Methodology
We started our review using the static analysis tool Wake. We then looked deeper into the logic of the contract and used the Wake testing framework for cross-chain testing.
While the overall scope included a few minor changes to the contract, the main goal of the review was to ensure that the incentive message escrow protocol was properly integrated with LayerZero AMB.
Scope
Revision 2.0
The audit was performed on commit bb8c4d9, and the scope included all changes in Promotion #52 up to commit bb8c4d9.
Revision 2.1
The review was performed on multiple commits across multiple pull requests.
- Issue W11 was fixed in PR#55 commit 040e175.
- Issue W12 was fixed in PR#54 commit 0d9f2ba.
- Issue I4 was fixed in PR#56 commit db0c96e.
Of the four findings, three were revised and one (W10) was upheld.
Here we present our findings.
Critical severity
No critical severity issues were found.
High severity
No high severity issues were found.
Medium severity
No medium severity issues were found.
Low severity
No low severity issues were found.
Warning severity
W10: Non-standard use of LayerZero technology stack
W11: Invalid SPDX license identifier
W12: Unused code
Informational severity
I4: Typo
Conclusion
Our review resulted in four findings ranging from informational to warning severity. The issue most likely to have an impact is W10, the non-standard use of the LayerZero stack.
Ackee Blockchain recommends that Catalyst:
- Consider changing its LayerZero integration design to a more standard approach or requesting a review from the LayerZero team.
- Correct typos in its documentation.
- Remove unused code.
- Address all other reported issues.
Ackee Blockchain’s full Catalyst audit report, which includes a more detailed explanation of all findings and recommendations, can be found here.
We are very pleased to acknowledge Catalyst and look forward to continuing our collaboration in the future.