SMART CONTRACT SECURITY AUDIT FOR RAINBOW BRIDGE BY AURORA
The Rainbow Bridge is the official bridge for transferring tokens between Ethereum, NEAR, and the Aurora networks. The bridge is the product of Aurora, the Ethereum-compatible scaling solution built on NEAR.
You can use the bridge to move tokens between any of the three networks. Depending on the selected direction, bridging can involve one or two transactions.
We will describe in this case how we examined the security of smart contracts for the Rainbow Bridge protocol. Our task was to find and describe any security issues in the smart contracts of the platform.
ABOUT THE PROJECT
During the audit, the Blaize.Security team has audited both Solidity (Ethereum) and Rust (Near) parts of the Rainbow Bridge protocol. The audited smart contracts you can find in a repository. Also, here is the last-audited commit: a40537036d12ede147753c6b2487f27fad9af28d.
Security team checked the part of the protocol responsible for funds bridging from the Near side to the Ethereum blockchain.
The Solidity part of the protocol consists of the Bridge Factory, Bridge tokens, and ERC20 locker contract. There is also an additional Proof consumer contract, which validates all the proof necessary for bridging tokens between networks.
Token contracts are upgradable, and their logic can be changed in the future. The Blaize Security team has also prepared its own set of unit-tests to ensure the correctness of the logic of Solidity contracts.
The Rust part of the report refers to the contract on the NEAR side, which is responsible for the native tokens transfer between blockchains. The contract can receive NEAR native tokens via any ERC-20 (NEP-141) token and generate a lock event for a third-party node. Though the audit of the 3rd party elements (the worker that proceeds with events processing) is out of the scope, the team of auditors has also conducted additional testing to check the system as a whole. Thus, the team has prepared a set of simulation tests and has conducted several runs of manual exploratory testing over the contracts deployed on local testnets.
Blaize’s task was to find and describe security issues in the smart contracts of the platform.
We needed to check the Rainbow Bridge protocol with the following parameters:
- Whether contracts are secure on both sides of the bridge;
- Whether the implemented functionality corresponds to the documentation;
- Whether contracts meet best practices in efficient use of gas and code readability.
- Whether the bridge flow is safe for users.
We have scanned both sets of smart contracts for commonly known and more specific vulnerabilities:
- Unsafe types conversion and unsafe math;
- Timestamp Dependence;
- Reentrancy (for Solidity part);
- Correct roles distribution and access control flow;
- Gas Limit and Loops;
- Transaction-Ordering Dependence;
- DoS attacks with (Gas Limit, unexpected reverts, storage abuse, etc.);
- Byte array vulnerabilities;
- Style guide violation;
- ERC20 standard correspondence and correct tokens usage;
- Uninitialized state/storage/ local variables;
In addition, the Rainbow Bridge protocol was checked against less common vulnerabilities from the internal Blaize.Security knowledge base.
SMART CONTRACT SECURITY AUDIT PROCEDURE
Blaize.Security has an established security audit procedure. It includes the following steps:
- Manual code review;
- Static analysis by automated tools;
- Business logic review and decomposition of the system;
- Unit test coverage check;
- Extensive integration testing;
- Fuzzy and exploratory testing;
- Providing a detailed report of detected issues;
- Verification of fixes;
- Final audit report preparation & publishing.
Read more about DeFi Hacks in 2022 or look at the recently described Title Deeds CEX Smart Contract Audit here.
AUTOMATED TOOLS ANALYSIS
The auditors scanned the contract with several publicly available automated analysis tools with the manual verification of all the issues detected with these tools.
MANUAL CODE REVIEW
The Blaize.Security team made a manual analysis of smart contracts for any security vulnerabilities. We checked smart contract logic and compared it with the one described in the documentation.
UNIT TEST COVERAGE
The scope of the audit includes the extensive testing of the system, which is based on the smart contracts code, documentation, and requirements presented by the Rainbow Bridge team. The final coverage for the Solidity part is calculated based on the set of the Hardhat framework tests and scripts from additional testing strategies. Near part of the tests is calculated with the tarpaulin coverage tool and includes all manual exploratory tests as well. Also, it needs to be mentioned that in order to ensure the full security of the contract, the Aurora team has the Immunefi bug bounty program running. It encourages further active analysis of smart contracts.
SECURITY ANALYSIS REPORT
Finally, we have provided to the Rainbow Bridge team the smart contracts security analysis report. The document contains all the detected risks and possible ways of their mitigation, as well as issues, vulnerabilities, and recommendations for fixes and improvements. Besides, the report contains the confirmation of fixes and necessary explanations from the Rainbow Bridge team.
FIND OUT MORE ABOUT THE SECURITY SERVICES AND REQUEST FREE AUDIT ESTIMATION.
As we mentioned before, the Blaize.Security team has audited both Solidity and Rust parts of the Rainbow Bridge protocol. There were no critical issues found during the audit in Solidity part. There were one high and several low-severity issues found in the contracts.
The high-severity issue was connected with the ability of the admin of the ERC20 locker contract to withdraw any tokens from the contract. According to the team, such functionality is necessary for the contract, and the role of the admin will be granted to a multi-signature wallet to ensure the better safety of the funds. All other issues were verified or fixed as well.
The overall security of the Solidity contracts is high enough. Contracts are well-written and tested by the Rainbow Bridge team.
The Rust part of the audit contains findings connected with incorrect withdrawal processing, several best practices violations, and unclear functionality. The Rainbow bridge team has verified and resolved all of the issues.
Therefore, according to the above-listed rules, the overall security of the smart-contracts system of Rainbow Bridge protocol can be evaluated as Highly Secure, 9.6 out of 10.
See the complete list of found vulnerabilities and recommendations about their improvements in this document:Rainbow-Bridge-audit-report-_compressed