There are numerous internet based stages accessible for advancing yet a large portion of them are paid. More than 600 million kids and youths overall can’t accomplish least capability levels in…
Here are the main roles in the smart contract with their respective capabilities:
(1) Protocol Admin
(2) User
The security team adopted the “Testing and Automated Analysis” , “Code Review” and “ Formal Verification” strategy to perform a complete security test on the code in a way that is closest to the real attack. The main entrance and scope of security testing are in the conventions in the “Audit Objective”, and that can expand to the context beyond the scope according to the actual testing needs. The main types of this security audit include:
(1) Testing and Automated Analysis
Items to check: state consistency/failure rollback/unit testing/value overflows/parameter verification / unhandled errors/boundary checking/coding specifications.
(2) Code Review
The following are the SHA1 hashes of the last reviewed files.
(3) Formal Verification
Perform formal verification for key functions with the Move Prover.
(4) Audit Process
Commit: e56d47667850dbc5a9553eddb0f67572e7c3c3b8
Code Location: sources/partner.move, line 141
3. Some test cases failed
Commit: e56d47667850dbc5a9553eddb0f67572e7c3c3b8
Suggestion: Check whether the tick is in range, and abort if it's out of range.
Severity: Minor
Status: Fixed
Commit: e56d47667850dbc5a9553eddb0f67572e7c3c3b8
Suggestion: Adding the checks below.
Severity: Minor
Status: Fixed
Commit: e56d47667850dbc5a9553eddb0f67572e7c3c3b8
Code Location: sources/router.move, line 161
8. Some assertions can be optimized
Severity: Medium
Status: Fixed
Commit: e56d47667850dbc5a9553eddb0f67572e7c3c3b8
Suggestion: Put argument check assertions at the beginning of functions.
Severity: Medium
Status: Fixed
Commit: e56d47667850dbc5a9553eddb0f67572e7c3c3b8
Code Location: sources/factory.move, line 123
10. Everyone can reset the initial price of a pool
Severity: Major
Status: Fixed
Commit: c867755da203332468a37535c45ed7a7a4bbc65a
Code Location: sources/pool.move, line 436
Suggestion: Don't let everyone call this function, just leave it to the admin of the pool.
11. The comments on functions are out of date
Severity: Minor
Status: Fixed
Commit: 25d115473799a9db777837553bd5e78bf88ca03a
Code Location: sources/router.move
Suggestion: Update the comments.
Severity: Minor
Status: Fixed
Descriptions: These two functions are very important to add liquidity, but they have 80% duplicated codes, which can be wrapped into a common function, and improve the code maintainability.
Commit: c867755da203332468a37535c45ed7a7a4bbc65a
Code Location: sources/pool.move
Suggestion: Refactoring these two functions, and wrapping the common codes into a new function.
Severity: Critical
Status: Fixed
Commit: c867755da203332468a37535c45ed7a7a4bbc65a
Code Location: sources/pool.move, 747
14. Gas cost is higher than other DEX
Severity: Minor
Status: Pending
15. utils::str
optimization
Severity: Medium
Status: Fixed
Descriptions: The current implementation of utils::str
is not optimized. It uses a pre-defined map to convert a u8
to a char
and inserts the char
into the index 0 of the string. This is very inefficient.
Commit: e56d47667850dbc5a9553eddb0f67572e7c3c3b8
Code Location: sources/utils.move, line 7
Suggestion: Refer the implementation below.
Gas cost comparison between str
and str2
:
16. Deploy smart contract without multi-sig
Severity: Medium
Status: Pending
Descriptions: The smart contract is not deployed under a multi-sig account. Operations performed with multiple signatures will provide greater security. Even if the loss of a single private key will not allow an attacker to gain access to the contract. Multiple trusted parties must approve the update at the same time, otherwise, it will not work.
Suggestion: Use a multi-sig account for the smart contract when deploying.
17. TODO
labels still remain in the code
Severity: Minor
Status: Fixed
Commit: 25d115473799a9db777837553bd5e78bf88ca03a
Suggestion: Add more test codes to ensure the correctness of codes.
18. Position recalculation optimization
Severity: Medium
Status: Fixed
Commit: c867755da203332468a37535c45ed7a7a4bbc65a
Code Location: sources/pool.move, line 947
19. Dependency git rev should be a commit hash or a tag instead of a branch for reproducibility
Severity: Medium
Status: Fixed
Code Location: Move.toml
Suggestion: Use a commit hash or a tag instead of a branch for the dependency git rev.
20. The pool
Coin Order Handle
There may be PoolId { CoinA, CoinB, TickSpacing0 }
and PoolId { CoinB, CoinA, TickSpacing1 }
in the Pools
at the same time. It might be confusing for the users and inconvenient for the front-end developers in the future.
Commit: 25d115473799a9db777837553bd5e78bf88ca03a
Code Location: sources/factory.move, line 73
Summary of Findings
Feedback from Henry — Cofounder of Cetus:
Feedback from 0xYi — Cofounder of MoveBit:
In general, MoveBit as a security audit team focused on the Move ecosystem, always secure the assets of all users on the Move Ecosystem. The cooperation with Cetus to audit the centralized liquidity agreement on Aptos blockchain will not only assist Cetus to continuously meet the comprehensive needs of traders, liquidity providers, and growing DeFi users; but also It can more effectively accelerate the overall development of the Aptos blockchain, so as to realize the common vision of the Aptos blockchain — Become the mainstream blockchain in the future.
About Cetus
Cetus is a pioneer DEX and concentrated liquidity protocol focusing on Move-based ecosystems like Aptos and Sui. It’ll work as a crucial part of the ecosystem infrastructure to satisfy the comprehensive needs of traders, LPs, upper applications and an increasing DeFi population.
Cetus Social Media Platforms:
About MoveBit
MoveBit is a blockchain security company focused on the Move Ecosystem by pioneering the use of cutting-edge Formal Verification. The team consists of security professionals from academia and enterprise with 10 years of security experience. they were one of the earliest contributors to the Move ecosystem, working with Move developers to set the standard for secure Move applications and make the Move ecosystem the most secure Web3 destination
MoveBit Social Media Platforms:
You grow me into a human Then push down for substitution Heeding your intuition For the sake of perturbation Watching us fall Like the earth had to crawl Away from our feet For you and me To end…
Aku berlari kecil menuju gubuk reyot yang terletak di pinggir jalan, dan duduk sebentar sampai hujannya reda. Biasanya payung selalu tersedia di totebag, tapi ini kenapa tidak ada? Sepulang kerja…
Pariwisata adalah Perjalanan yang dilakukan oleh seseorang dalam jangka waktu tertentu dari sebuah tempat ke tempat lain dengan melakukan perencanaan sebelumnya, tujuannya untuk rekreasi atau untuk…