MoveBit Completes Security Audit for Concentrated Liquidity Protocol Aptos

Here are the main roles in the smart contract with their respective capabilities:

(1) Protocol Admin

(2) User

The security team adopted the “Testing and Automated Analysis”, “Code Review” and “Formal Verification” strategies to perform a complete security test on the code in a way that is closest to a real attack. The main entry points and scope of security testing are set by the conventions in the “Audit Objective”, and can expand to context beyond that scope according to actual testing needs. The main types of this security audit include:

(1) Testing and Automated Analysis

Items to check: state consistency / failure rollback / unit testing / value overflows / parameter verification / unhandled errors / boundary checking / coding specifications.

(2) Code Review

The following are the SHA1 hashes of the last reviewed files.

(3) Formal Verification

Perform formal verification for key functions with the Move Prover.

(4) Audit Process

Commit: e56d47667850dbc5a9553eddb0f67572e7c3c3b8

Code Location: sources/partner.move, line 141

3. Some test cases failed

Commit: e56d47667850dbc5a9553eddb0f67572e7c3c3b8

Suggestion: Check whether the tick is in range, and abort if it's out of range.

Severity: Minor
Status: Fixed

Commit: e56d47667850dbc5a9553eddb0f67572e7c3c3b8

Suggestion: Adding the checks below.

Severity: Minor
Status: Fixed

Commit: e56d47667850dbc5a9553eddb0f67572e7c3c3b8

Code Location: sources/router.move, line 161

8. Some assertions can be optimized

Severity: Medium
Status: Fixed

Commit: e56d47667850dbc5a9553eddb0f67572e7c3c3b8

Suggestion: Put argument check assertions at the beginning of functions.

Severity: Medium
Status: Fixed

Commit: e56d47667850dbc5a9553eddb0f67572e7c3c3b8

Code Location: sources/factory.move, line 123

10. Everyone can reset the initial price of a pool

Severity: Major
Status: Fixed

Commit: c867755da203332468a37535c45ed7a7a4bbc65a
Code Location: sources/pool.move, line 436

Suggestion: Don't let everyone call this function; leave it to the admin of the pool.

11. The comments on functions are out of date

Severity: Minor
Status: Fixed

Commit: 25d115473799a9db777837553bd5e78bf88ca03a

Code Location: sources/router.move

Suggestion: Update the comments.

Severity: Minor
Status: Fixed

Descriptions: These two functions are very important for adding liquidity, but 80% of their code is duplicated. The duplicated code can be wrapped into a common function to improve maintainability.

Commit: c867755da203332468a37535c45ed7a7a4bbc65a

Code Location: sources/pool.move

Suggestion: Refactor these two functions and wrap the common code into a new function.

Severity: Critical
Status: Fixed

Commit: c867755da203332468a37535c45ed7a7a4bbc65a

Code Location: sources/pool.move, 747

14. Gas cost is higher than other DEX

Severity: Minor
Status: Pending

15. utils::str optimization

Severity: Medium

Status: Fixed

Descriptions: The current implementation of utils::str is not optimized. It uses a pre-defined map to convert a u8 to a char and inserts the char at index 0 of the string. This is very inefficient.
Commit: e56d47667850dbc5a9553eddb0f67572e7c3c3b8
Code Location: sources/utils.move, line 7

Suggestion: Refer to the implementation below.

Gas cost comparison between str and str2:

16. Deploy smart contract without multi-sig

Severity: Medium
Status: Pending
Descriptions: The smart contract is not deployed under a multi-sig account. Operations performed with multiple signatures provide greater security: even the loss of a single private key will not allow an attacker to gain access to the contract. Multiple trusted parties must approve an update at the same time; otherwise, it will not work.

Suggestion: Use a multi-sig account for the smart contract when deploying.

17. TODO labels still remain in the code

Severity: Minor

Status: Fixed

Commit: 25d115473799a9db777837553bd5e78bf88ca03a

Suggestion: Add more test code to ensure the correctness of the code.

18. Position recalculation optimization

Severity: Medium

Status: Fixed

Commit: c867755da203332468a37535c45ed7a7a4bbc65a

Code Location: sources/pool.move, line 947

19. Dependency git rev should be a commit hash or a tag instead of a branch for reproducibility

Severity: Medium

Status: Fixed

Code Location: Move.toml

Suggestion: Use a commit hash or a tag instead of a branch for the dependency git rev.
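
One way to check for this finding in CI, as an added example that is not part of the audit report or the project's code: it scans a Move.toml for git dependencies whose `rev` is not a full commit hash. The manifest, the dependency names and the list of branch-like names are constructed assumptions.

```python
import re

# Constructed manifest for illustration; not the audited project's Move.toml.
SAMPLE_MOVE_TOML = """
[dependencies]
AptosFramework = { git = "https://github.com/aptos-labs/aptos-core.git", subdir = "aptos-move/framework/aptos-framework", rev = "main" }
ExampleMath = { git = "https://example.com/example/math.git", rev = "0123456789abcdef0123456789abcdef01234567" }
ExampleUtil = { git = "https://example.com/example/util.git", rev = "v1.2.0" }
NoRev = { git = "https://example.com/example/norev.git" }
LocalLib = { local = "../local_lib" }
[addresses]
example_pool = "_"
"""

PINNED, BRANCH, UNVERIFIED, MISSING = "commit", "branch", "tag-or-branch", "missing-rev"
# Assumption: names that are conventionally branches; extend for your repositories.
BRANCH_LIKE = {"main", "master", "develop", "devnet", "testnet", "mainnet"}
FULL_SHA = re.compile(r"[0-9a-fA-F]{40}")
SECTION = re.compile(r"\[([^\]]+)\]")
DEP_LINE = re.compile(r"([A-Za-z0-9_-]+)\s*=\s*\{(.*)\}")  # inline-table form only
FIELD = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def audit_dependency_revs(manifest_text):
    """Return (name, rev, verdict) for each git dependency written as an inline table."""
    findings, section = [], None
    for raw in manifest_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = SECTION.fullmatch(line)
        if header:
            section = header.group(1).strip()
            continue
        dep = DEP_LINE.fullmatch(line)
        if section not in ("dependencies", "dev-dependencies") or not dep:
            continue
        fields = dict(FIELD.findall(dep.group(2)))
        if "git" not in fields:
            continue  # local path dependency: there is no git rev to pin
        rev = fields.get("rev")
        # A name alone cannot prove "tag"; anything that is not a hash needs a manual check.
        verdict = (MISSING if rev is None
                   else PINNED if FULL_SHA.fullmatch(rev)
                   else BRANCH if rev in BRANCH_LIKE
                   else UNVERIFIED)
        findings.append((dep.group(1), rev, verdict))
    return findings

if __name__ == "__main__":
    print(*audit_dependency_revs(SAMPLE_MOVE_TOML), sep="\n")
```

Failing the build on any verdict other than `commit` gives the strictest reproducibility; allowing `tag-or-branch` requires confirming on the remote that the name is a tag.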

20. The pool Coin Order Handle

There may be PoolId { CoinA, CoinB, TickSpacing0 } and PoolId { CoinB, CoinA, TickSpacing1 } in the Pools at the same time. It might be confusing for the users and inconvenient for the front-end developers in the future.

Commit: 25d115473799a9db777837553bd5e78bf88ca03a

Code Location: sources/factory.move, line 73

Summary of Findings

Feedback from Henry — Cofounder of Cetus:

Feedback from 0xYi — Cofounder of MoveBit:

In general, MoveBit, as a security audit team focused on the Move ecosystem, always secures the assets of all users on the Move Ecosystem. The cooperation with Cetus to audit the centralized liquidity agreement on Aptos blockchain will not only assist Cetus to continuously meet the comprehensive needs of traders, liquidity providers, and growing DeFi users, but can also more effectively accelerate the overall development of the Aptos blockchain, so as to realize the common vision of the Aptos blockchain — to become the mainstream blockchain in the future.

About Cetus
Cetus is a pioneer DEX and concentrated liquidity protocol focusing on Move-based ecosystems like Aptos and Sui. It’ll work as a crucial part of the ecosystem infrastructure to satisfy the comprehensive needs of traders, LPs, upper applications and an increasing DeFi population.

About MoveBit

MoveBit is a blockchain security company focused on the Move Ecosystem by pioneering the use of cutting-edge Formal Verification. The team consists of security professionals from academia and enterprise with 10 years of security experience. They were one of the earliest contributors to the Move ecosystem, working with Move developers to set the standard for secure Move applications and make the Move ecosystem the most secure Web3 destination.
