References

With the uprise of blockchain and it’s distributed consensus possibilities, smart contract applications open up for a whole new category of security concerns which historically already have led to millions of financial losses. See for example the well known DAO hack, where 3.6 million ETH (USD 150 million) got stolen by the exploitation of a fallback function, the Parity Multi-signature Wallet Hack where an unknown hacker stole 150000 ETH, around $30 million at the time, by exploiting the delegate call and fallback function in the smart contract library for the multi-sig wallets or the incident where a user accidentally exploited a vulnerability in Parity’s smart contract library code freezing more than 513000 ETH, worth over USD 100 million. Once a contract has been immutably deployed on the blockchain, all of its functions are made to last for its eternity and especially when it comes to contracts handling financial assets, hackers and exploiters gain increased incentives, making it even more important to audit and review every single line of code, the cryptographic protocol design behind the interactions and if all requirements are correctly satisfied.

The work began with a requirement analysis to better understand the context and current state of the blockchain project. In a video call we assessed their needs and laid out strategic recommendations for their scenario. Upon audit agreement, the code was made accessible through a Git-repository and shared with our experts for initial feedback and first reviews. During the manual code review we found no critical flaws. We improved the readability of the contracts by suggesting further comments. Furthermore, we thoroughly analyzed the protocols' design and security. We found four weaknesses in the design, while none of them posed a critical problem that might allow a malicious participant to game the crypto-economic fairness of the protocol.