Open in app

Sign in

Write

Sign in

СoW Protocol: ComposableCoW & ExtensibleFallbackHandler audit summary

Aleksandra Yudina
Ackee Blockchain
Published in
2 min readDec 15, 2023

CoW Swap is the first trading interface built on top of CoW Protocol. CoW Swap is a Meta DEX aggregator that allows you to buy and sell tokens using gasless orders that are settled peer-to-peer among users, or into any on-chain liquidity source while providing protection from MEV.

Cow Protocol engaged Ackee Blockchain to perform a security review of the ComposableCoW & ExtensibleFallbackHandler with a total time donation of 8 engineering days in a period between July 18 and July 28, 2023.

METHODOLOGY

We began our review by using static analysis tools, namely . We then took a deep dive into the logic of the contracts. For testing, we have involved testing framework. During the review, we paid special attention to:

  • replay attacks
  • signature validation
  • payload manipulation
  • detecting possible reentrancies
  • ensuring the arithmetic of the system is correct
  • the correctness of encoding/decoding data
  • ERC-1271 compliance
  • looking for common issues such as data validation.

SCOPE

The audit has been performed on the following scope:

The review was done on the given commits Revision 1.0 :

Revision 1.2 was done on the ComposableCow commit bd2634d , the ExtensibleFallbackHandler commit was not changed since Revision 1.1.

FINDINGS

Critical severity

C1: StopLoss arithmetic mismatches

High severity

No high severity issues were found.

Medium severity

M1: Oracle data validation

Low severity

L1: Constructor data validation

Warning severity

W1: GPv2Order data tampering

W2: Revert conditions inconsistency

W3: Vulnerable MerkleProof library

W4: GoodAfterTime order is missing the receiver address

Informational severity

I1: Unnecessary SafeMath

I2: Missing cabinet cleanup

I3: Errors in the documentation

I4: TradeAboveThreshold order receiver naming

I5: Inconsistent error

I6: Commented-out code

I7: Inconsistent naming

CONCLUSION

Our review resulted in 14 findings, ranging from Informational to Critical severity. The critical issue C1: StopLoss arithmetic mismatches has been fixed according to our recommendations, and the decimals handling in the M1: Oracle data validation issue were implemented properly (Revision 1.2).

Other issues are low-severity data validations, warnings and informational findings, which are recommendations rather than issues. The overall code quality and architecture are professional. The whole project is well documented and contains in-code NatSpec documentation and detailed comments.

Ackee Blockchain recommendes CoW Protocol:

  • to add oracle data validations
  • to be aware of zero-address validations
  • to unify syntax and naming
  • to address all reported issues.

As of Revision 1.2, L1: Constructor data validation issue was acknowledged, all other issues were fixed.

Ackee Blockchain’s full COW Protocol audit report with a more detailed description of all findings and recommendations can be found here.

We were delighted to audit Cow Protocol and look forward to working with them again.

Originally published at https://ackeeblockchain.com on December 15, 2023.

Blockchain
Smart Contract Blockchain
Smart Contract Security
Cybersecurity
Solidity

--

--

Aleksandra Yudina
Ackee Blockchain

Written by Aleksandra Yudina

7 Followers
Writer for

Web3 enthusiast

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams