CoW Flash Loan Router is an extension of the CoW protocol that lets trade solvers execute multiple flash loans before trade settlement. The system integrates with various loan providers through dedicated adapter contracts to allow sequential flash loans within the settlement process.
CoW engaged Ackee Blockchain Security to conduct a security review of the CoW protocol, with a total time donation of 5 days in the period between March 17 and March 21, 2025. 1 additional engineering day was assigned to ensure high confidence in the integration of the audited code with the CoW protocol core.
CoW then engaged Ackee Blockchain Security to review the fixes for the findings from the previous revision. There were no new findings.
Methodology
We began the audit by identifying potential attack vectors and the trust model through a thorough analysis of the contract logic. We then used static analysis tools, including Wake, to check for common issues.
During the review, we focused on the following:
- Assembly code contains no logic errors, including memory safety violations;
- Trade settlements remain resistant to tampering;
- Prevention of re-creation attacks;
- Solvers, tokens, lenders and borrowers cannot compromise user funds;
- ERC-3156 standard compliance;
- Correct usage of transient storage; and
- Identification of common issues and gas optimization opportunities.
Scope
The audit was performed on commit 930914f.
The scope included all Solidity files in the src directory, excluding the src/vendored directory. The vendored files were considered only in terms of their use in the codebase; their implementation was out of scope.
The fix review was performed on commit f9c1867. Three of the four findings were fixed, and I2 was acknowledged due to a flash loan fee exemption. There were no new findings.
The classification of security findings is determined by two ratings: impact and likelihood. This two-dimensional classification helps clarify the severity of individual issues. An issue that would be rated Medium severity, but is likely to be found only by the team, is generally downgraded by the likelihood rating to a Warning or Informational severity rating.
Our review resulted in four findings, ranging from Informational to Warning severity.
The code showed excellent quality. The main findings relate to code improvements and gas optimization. The codebase features comprehensive documentation, including clear descriptions of caveats and reasoning about code correctness. The system's trust model, expected usage and security assumptions are thoroughly documented.
Three of the four findings were confirmed as fixed in the fix review, and I2 was acknowledged due to a flash loan fee exemption. There were no new findings.
Critical severity
No critical severity issues were found.
High severity
No high severity issues were found.
Medium severity
No medium severity issues were found.
Low severity
No low severity issues were found.
Warning severity
W1: Missing event
Informational severity
I1: Documentation error
I2: Aave flash loan call optimization
I3: Missing views in the interface
Trust model
The tokens interacted with, the flash loan adapters and the flash loan providers are trusted not to interfere with execution. These parties are also trusted not to abuse the execution opportunities to worsen market conditions up to the allowed slippage tolerance.
Conclusion
Ackee Blockchain Security's full audit report can be found here.
We were very happy to audit CoW and look forward to working with them again.