ConsenSys Diligence, a service that audits EDCCs (referred to as smart contracts) and Ethereum-based programs, recently published results for its audit of version two of the 0x project's smart contract system. The report lists 25 issues and provides recommendations for improving the project.
For those unfamiliar with 0x, it is a protocol that enables the decentralized exchange of tokens across the Ethereum blockchain. The system relies on relayers rather than exchanges to facilitate token trading. These relayers do not hold assets or execute trades like an exchange would, thus allowing participants to trade directly with their wallets.
The ConsenSys auditors focused on validating the security, resilience, and functionality of 0x's contract system based on its underlying specifications. Considering these factors, the audit involved identifying security-related problems within the contracts and their overarching system, evaluating the protocol's architecture according to smart contract best practices, and reviewing the quality and correctness of the source code. The audit's scope included smart contract files and test suites, excluding token-related contracts.
The audit team observed that, in general, the protocol is accompanied by well-written, comprehensive specification documents, including diagrams that visualize the system; it features well-commented code to better understand the intent of the developers; and it contains a thoughtfully consistent and organized contract repository.
Some of the updates included with version two introduced edge cases, resulting in a few critical issues with the system, but these have already been addressed. Of the 25 total issues identified with the protocol, 13 have been closed, leaving 12 left to resolve.
The problems listed by the auditors vary, ranging from outdated implementations to unclear code comments. However, five medium-severity issues relate to insufficient testing. The audit team noted that, overall, the protocol "lacks a rigorous testing strategy that ensures comprehensive test coverage." In fact, version two only includes testing for 70 to 80 percent of some of the system's contracts.
Besides resolving all the identified issues, ConsenSys Diligence recommends that 0x improve its testing strategy so that "any contract system … used on the main network [can] achieve 100% test coverage," though the team recognizes that 100 percent coverage "is not a silver bullet" for the protocol's problems.
Moreover, the auditors created a model to analyze potential threats to the smart contract system. Using this model, the team identified six threats, including the possibility of relayers being hacked and hackers publishing fake orders on the platforms' trading interfaces, as well as the potential for traders and relayers to lose all the ERC20 and ERC721 tokens they have approved. ConsenSys Diligence provided possible mitigation strategies to address these threats.
Like any blockchain protocol, 0x possesses various benefits and drawbacks. Audits like this allow engineering teams to recognize and resolve key issues with their projects and to proactively address any threats to their systems. The Ethereum community ultimately benefits from these reports, as they lead to a more robust and informed project development process across the board.
In related audit news, a blockchain protocol called bZx (which is integrated with 0x) was recently audited by the independent Ethereum auditor ZK Labs.