SMART CONTRACT SECURITY AUDIT FOR 1INCH

The 1inch Network is built on several decentralized applications (dApps) that are integrated into a single ecosystem. Applications run on the Ethereum blockchain, allowing the use of smart contracts and ERC20 tokens. At the same time, 1inch protocols support multi-chain architecture: they work with Binance Smart Chain (BSC), Polygon Network, Optimistic Ethereum, and Arbitrum.
The project uses unique liquidity and aggregation protocols that accelerate the operation of the market. Developers created their own gas-token, which reduces transaction fees.
ABOUT THE PROJECT
Blaize has performed the security audit of the 1inch Limit Order smart contracts. It is one of the three protocols that form the basis of 1inch. Auditing the Limit Order smart contracts is especially important because the Limit Order Protocol is a tool protocol for interacting with the market through buy-sell orders with a specific stop price (upper or lower). It is a traditional market instrument, gas-optimized by the 1inch protocol, that can be used to place a stop-loss, a sliding (trailing) stop order, or an auction order. In general, 1inch brings a traditional stock-market instrument into the decentralized world. Remarkably, the 1inch Limit Order Protocol crossed $2B in total trading volume in November 2021.
MAIN REQUIREMENTS
Blaize’s task was to find and describe security issues in the smart contracts of the platform.
We needed to check the Limit Order smart contracts against the following criteria:
- Whether the contract is secure;
- Whether the contract corresponds to the documentation;
- Whether the contract meets best practices in gas efficiency and code readability.
The contracts were therefore checked against the following set of commonly known and more specific vulnerabilities during the 1inch code audit:
- Unsafe type inference;
- Timestamp Dependence;
- Reentrancy;
- Implicit visibility level;
- Gas Limit and Loops;
- Transaction-Ordering Dependence;
- Unchecked external call;
- Unchecked math;
- DoS with Block Gas Limit;
- DoS with (unexpected) Throw;
- Byte array vulnerabilities;
- Malicious libraries;
- Style guide violation;
- ERC20 API violation;
- Uninitialized state/storage/local variables;
- Compile version not fixed.
Also, Limit Order smart contracts were checked against less common vulnerabilities from the internal Blaize.Security knowledge base.
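As an added illustration of four of the checklist items above (constructed for this page, not code from 1inch or from the audit report), a minimal vault contract with the weak patterns beside its hardened form:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.19; // pinned compiler version (checklist: "Compile version not fixed")

// Constructed example: a minimal vault, not part of the 1inch protocol.
contract VulnerableVault {
    mapping(address => uint256) balances; // implicit visibility (defaults to internal)

    function deposit() public payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) public {
        require(balances[msg.sender] >= amount, "insufficient");
        // Unchecked external call: the (bool, bytes) result is ignored,
        // so a failed transfer goes unnoticed.
        msg.sender.call{value: amount}("");
        // Reentrancy: the balance is reduced only after the external call,
        // so a malicious receiver can re-enter withdraw() before it drops.
        balances[msg.sender] -= amount;
    }
}

contract HardenedVault {
    mapping(address => uint256) public balances; // explicit visibility

    bool private locked; // simple mutex backing the reentrancy guard

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient");
        // Checks-effects-interactions: update state before the external call.
        balances[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed"); // checked external call
    }
}
```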
SMART CONTRACT SECURITY AUDIT PROCEDURE
Blaize.Security has an established security audit procedure. It includes the following steps:
- Check for code consistency, i.e. whether the contract corresponds to the documentation;
- Check against the standard list of vulnerabilities mentioned above;
- Static analysis by automated tools;
- Manual code analysis and code quality review;
- Gas usage analysis;
- Unit tests coverage check;
- Creation of our own set of unit tests for full coverage;
- Security analysis report delivery;
- Post-audit fixes review.
You can find more info about the Smart Contract Security Audit procedure, or take a look at the thoroughly described PeakDeFi Smart Contract Audit, here.
AUTOMATED TOOLS ANALYSIS
Automated code analysis implies using different open-source software for bug detection. In the case of the 1inch smart contract audit, Blaize’s team scanned the contracts with several automated analysis tools such as Mythril, Solhint, Slither, and SmartDec. We often run several testing processes in parallel to ensure the best bug verification.
Automated testing helped to define which part of the code is responsible for each input’s execution and showed where bugs could occur. The automated analysis was followed by manual verification of all the issues found by the tools.
MANUAL CODE REVIEW
Manual code analysis implies a thorough examination of each line of code by an auditor. Manual testing is needed to analyze the previously found vulnerabilities and to check the operation of the smart contracts in general.
Manual code examination is highly recommended for an exploratory check of vulnerabilities hidden not in the code itself, but in the contract logic or architecture. This type of verification is based on the auditor’s expertise and experience with complex smart contract systems.
In the case of the 1inch audit, Blaize’s team performed the manual analysis of the smart contracts for security vulnerabilities and also checked the smart contract logic, comparing it with the logic described in the documentation.
UNIT TEST COVERAGE
As part of the analysis, we checked 1inch’s unit test set. Blaize’s team also wrote its own unit test set for full coverage and carried out several rounds of testing with alternative test scenarios on edge cases.
SECURITY ANALYSIS REPORT
In the end, we provided 1inch with a security analysis report on the smart contracts. The document contains all detected risks and the possible variants of their mitigation, details of the issues and vulnerabilities, and recommendations for improvement.
AUDIT RESULT
According to the assessment, 1inch’s smart contracts have no critical security problems; the overall quality of the code is high, and the functionality is well-documented and optimized. All unclear or suspicious functionality was verified with the 1inch team and fully covered with additional tests.
Therefore, according to the above-listed rules, the overall security of the 1inch Network smart contract system can be evaluated as Highly Secure, 9.9 out of 10.
See the full list of vulnerabilities found and the recommendations for addressing them in this document:
Limit-Order-Smart-Contract-Audit