Prime Protocol lets users deposit an asset on a supported chain and take out a loan in another asset, backed by their entire asset portfolio. The scope of this audit was the Wormhole route used to pass messages in the protocol.
Prime partnered with Ackee Blockchain to conduct a security review of the Wormhole route in the Prime protocol, with a total time donation of 5 engineering days in the period between January 9 and January 13, 2023.
Methodology
We began our review using a static analysis tool called Woke. We then analyzed the contract logic in depth and used the Woke testing framework for cross-chain testing. During the review process, we paid special attention to the following:
- Ensuring chain IDs are translated correctly during cross-chain calls
- Ensuring messages cannot be maliciously replayed
- Detecting possible reentrancy in the code
- Ensuring access controls are neither too relaxed nor too strict
- Looking for common issues such as data validation
Scope
The audit was performed on commit 5942f84.
The exact scope was the following files:
- WormholeAdmin.sol
- WormholeEvents.sol
- WormholeModifiers.sol
- WormholeRoute.sol
- WormholeStorage.sol
Results
Here are our findings.
Critical severity
No critical severity issues were found.
High severity
No high severity issues were found.
Medium severity
M1: Unlimited allowance
M2: Downcasting overflow
M3: Insufficient data verification
Low severity
No low-severity issues were found.
Warning severity
W1: Management function data verification
W2: Replay attack protection
W3: Usage of the solc optimizer
Informational severity
I1: Missing NatSpec documentation
I2: Too many similar function names
I3: The ChangeAdmin function must fire an event.
Conclusion
Our review yielded six findings, ranging from Informational to Warning severity.
We recommend that Prime:
- Create NatSpec documentation for easier review
- Address all other reported issues.
Ackee Blockchain's full Prime audit report, with a more detailed description of all findings and recommendations, can be found here.
We are happy to give our thanks to Prime and look forward to working with them again.