The Unstoppable Domains protocol allows the creation and management of domains on the Solana blockchain. Domains can be top-level domains or second-level domains. A second-level domain takes the form of a non-fungible token (NFT) minted to the user. A given domain name can exist only once.
Unstoppable Domains engaged Ackee Blockchain Security to perform a security review of its Web3 domains protocol, with a total time donation of 13 engineering days between April 1 and April 10, 2025.
A second review, the fix review, was performed on April 24, 2025.
Methodology
We began the review by understanding the design and architecture of the protocol. In this initial phase, we gathered all available information, including documentation, website functionality and the project's intent.
In the second phase, we performed a manual review and wrote fuzz tests side by side. Implementing the fuzz tests helped us better understand the project's source code. During the manual review, we went deeper into the functionality of the code to support our reasoning and to test the correctness of the instructions at the same time.
During this phase, we paid special attention to ensuring that:
- the program logic is implemented as intended;
- all program derived addresses are derived correctly;
- there are no access control violations;
- the protocol behaves fairly;
- cross-program invocations are implemented correctly;
- the Token-2022 Transfer Hook follows the standard;
- the architecture fits together correctly; and
- there is no way to misuse the protocol.
The final phase consisted of invariant checking. For fuzz testing we used the Trident fuzzing framework, which is designed for fuzz testing Solana programs written with the Anchor framework. During fuzzing, we identified issue L1: refunds in some instructions lead to situations where the instruction fails because of missing privileges.
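The failure mode behind L1, as an added example that is not taken from the audit or from the audited code: a constructed Rust model in which a refund to an account passed as read-only fails, and a fuzz-style invariant loop that catches it. The `Account` struct, the `refund` function, the error names used in the model and the invariant itself are assumptions made for illustration.

```rust
// Constructed model, not the audited program: an instruction that changes the
// lamports of an account passed as read-only is rejected.
#[derive(Debug, PartialEq)]
enum InstructionError { ReadonlyLamportChange, InsufficientFunds }

struct Account { lamports: u64, is_writable: bool }

// Hypothetical refund step: move `amount` lamports from `vault` to `receiver`.
fn refund(vault: &mut Account, receiver: &mut Account, amount: u64) -> Result<(), InstructionError> {
    if vault.lamports < amount {
        return Err(InstructionError::InsufficientFunds);
    }
    if amount > 0 && !(vault.is_writable && receiver.is_writable) {
        return Err(InstructionError::ReadonlyLamportChange);
    }
    vault.lamports -= amount;
    receiver.lamports = receiver.lamports.saturating_add(amount);
    Ok(())
}

// Small deterministic xorshift generator so the run is reproducible offline.
fn next(state: &mut u64) -> u64 {
    *state ^= *state << 13;
    *state ^= *state >> 7;
    *state ^= *state << 17;
    *state
}

// Fuzz-style loop. Invariant: a refund the vault can afford must succeed and
// must conserve the lamport total. Returns the number of violations.
fn count_violations(receiver_writable: bool, rounds: u32) -> u32 {
    let mut seed = 0x9E37_79B9_7F4A_7C15u64;
    let mut violations = 0;
    for _ in 0..rounds {
        let mut vault = Account { lamports: 1 + next(&mut seed) % 1_000_000, is_writable: true };
        let mut receiver = Account { lamports: next(&mut seed) % 1_000_000, is_writable: receiver_writable };
        let amount = 1 + next(&mut seed) % vault.lamports; // always 1..=vault balance
        let total = vault.lamports + receiver.lamports;
        let result = refund(&mut vault, &mut receiver, amount);
        if result.is_err() || vault.lamports + receiver.lamports != total {
            violations += 1;
        }
    }
    violations
}

fn main() {
    println!("receiver read-only: {} violations", count_violations(false, 1000));
    println!("receiver writable:  {} violations", count_violations(true, 1000));
}
```

In the model every affordable refund to a read-only receiver violates the invariant, while marking the receiver writable removes all violations.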
Scope
The first audit was performed on commit ab4cecd, and the scope was the following:
- Unstoppable Domains Solana contracts, excluding external dependencies
The fix review was performed on commit 844296e.
The classification of a security finding is determined by two ratings: impact and likelihood. This two-dimensional classification helps clarify the severity of individual issues. Issues that would be rated medium severity but are likely to be discoverable only by the team are typically reduced, based on likelihood, to a Warning or Informational severity rating.
Our review resulted in nine findings, ranging from Informational to Low severity. The most severe finding, L1, concerns improper write privileges for refunds, which can cause instructions to fail. All issues were fixed or acknowledged by the client.
The fix review was limited to the issues found in the first security review; no other code changes were evaluated.
Critical severity
No critical severity issues were found.
High severity
No high severity issues were found.
Medium severity
No medium severity issues were found.
Low severity
L1: Missing mutability for the refund receiver
Warning severity
W1: Second-level domain can be blocked forever
W2: Potential loss of the ProgramAuthority position
W3: Expiration does not restrict second-level domain updates
W4: Record values are not completely overwritten
W5: Insufficient top-level domain validation
Informational severity
I1: Unnecessary space allocation for the Tld account
I2: Unnecessary source code
I3: The InitSpace macro can be used instead of the value
Trust model
The protocol implements a role-based access control (RBAC) mechanism to some extent. The roles are as follows:
- program authority: apart from the smart contract upgrade authority, this is the highest privilege (e.g. it appoints a new minter).
- minter: mints new second-level domains, updates domain metadata, modifies domain expiration, and adds and removes records before minting the domain.
Users must trust the program authority to appoint a responsible minter.
Conclusion
Ackee Blockchain Security recommends that Unstoppable Domains:
- resolve all identified issues;
- improve top-level domain validation; and
- revisit the architecture around second-level domain expiration.
The full Unstoppable Domains audit report by Ackee Blockchain Security can be found here.
We were delighted to audit Unstoppable Domains and look forward to working with them again.