My prior Audit experience has been a few independent audits of C4 contests that I didn’t have a good approach to going about auditing and as a result of that did not really see any success. I got in contact with Owen and he offered me to join them on a shadow audit of GMX without much knowledge of GMX. I said “Sure, let’s do it!” little did I know a mountain was in front of me.
The approach that I have been adopting is starting in the same way a user would interact with the code base. Here is a video explaining the approach that I have adopted. I found it helpful to record myself going over the code and saying out loud what each line of code was doing. It was great that I was able to re-watch to see some of the aspects that I needed to put more time into.
At the start of the audit, we went over a few functions together so that I could get some insights into how professionals navigate a Large code base, A large takeaway I had from this was before reading a function think to yourself what do I want this function to achieve and if it does what I think it will what would be ideal knobs that an attacker could manipulate.
Outside of going through functions with my fellow auditors, I knew that I was going to have to focus and gain as much context as I possibly could.
The Audit
After a few days of intensely studying the code before I made the mistake of trying to PoC an issue that could have been avoided had I just written it down and kept reading the code. luckily I had an amazing team that put my idea to a swift demise.
In the meantime, we came up with a potential attack and it seemed feasible but another obstacle appeared in my path how was I going to write a PoC for this issue with minimal testing experience, I had never written a PoC in hardhat up to this point and I was struggling for a full day before I asked one of my fellow auditors for assistance within 1 hour I had a much clearer approach on how to do the PoC, I used a whole day to write the PoC and finally got it to work (I thought) In reality my attack order was getting canceled and I didn’t know, again I ask the team for assistance and they were able to get everything sorted and working. I now not only found my first critical vulnerability ORDU-1 in the report I also wrote my first PoC (Partially). I was fired up and ready to dive back into the GMX code.
1 week into the audit I felt like I was still at the foot of the mountain, I had gotten a solid high-level view of how everything was structured and it was time to start climbing. I started looking at how fees worked and at first glance, everything looked fine, I wanted to test it anyway just to make sure I didn’t miss anything, and sure enough, I did there was a sizeable gap between the fees that were being paid and the fees that were claimable MKTU-2 in the report I had already made the PoC by testing it, all that was left to do was clean up the PoC and get it reviewed by another auditor.
During this time I also quickly realized that it didn’t matter how much I just wanted to keep digging into the code, I found myself getting stack do deep errors in person, and taking a small break could help a lot it didn’t have to be a long break just get up and get some water with a bit of fresh air helped me process the information that I just gathered.
After 2 weeks of scaling the GMX mountain, I was starting to get a good understanding of how everything interacted. During this time I was able to find 2 simple mediums GLOBAL-7 in the report and ORDH-4 in the report with the help of my fellow auditors and some creative thinking.
The audit is now nearing its conclusion and while I was testing some edge cases for funding fees I found them off once again. Given there wasn’t a lot of time left I asked Danny to help me locate and validate the issue and we got to work quickly and figured out that there are again more claimable fees than being paid this time due to truncation MKTU-6 in the report. This was probably my favorite finding of the entire audit, the finding is split into two issues truncation and an edge case rounding error.
I felt like we had finally reached the top of the mountain and the only thing that was left to do was write the report. There is no doubt in my mind that a large role in why I was able to find success in this audit was due to the fact that I had some amazing people to vocalize my ideas to and get information from. Almost every day the team would get together and bounce ideas off each other and confirm our understanding of interactions in the code. We found a ton of issues by doing this. You can read the full report here.
Guardian provides an amazing model that is pay per vulnerability that incentives the auditors to do a better job and minimizes costs for clients in cases where not many bugs are present or found.
It can’t be understated how great this whole experience has been. If you haven’t already, join the solidity labs discord see you there😉
Feel free to reach out to me if you have any questions and I’ll be happy to elaborate on anything or just connect with more people!
