Source Code and Security Audits with Trail of Bits

We have two exciting announcements! The first is that the source code to the Ampleforth protocol is now fully open. Pull it, poke around, and let us know what you think. The second is that we’ve completed two independent security audits. We’ve published both of them, along with the actions we took in response.

“But why, some say, the moon? … Why, 35 years ago, fly the Atlantic? Why does Rice play Texas? “ — JFK

Ampleforth is Open Source

The following repos include all the core components to the system: the ERC-20 token, the monetary policy, and the market oracle. We’ve also included all the tools needed to develop and test the system.

Note that uFragments was the working name of Ampleforth and is still used in much of the codebase.

https://github.com/ampleforth/uFragments
https://github.com/ampleforth/market-oracle
https://github.com/ampleforth/frg-ethereum-runners
https://github.com/ampleforth/uFragments-security-tests

Security Audit

If you want a deep dive, you can read both audit reports and also the full breakdown of the engineering team’s actions to address them here. They’ll make the most sense once you’ve familiarized yourself with the codebase.

Anyone who’s seen the movie Office Space will understand the importance of solid arithmetic in financial applications. Any kind of loss of precision or rounding error can result in loss of funds from users. We wanted to be absolutely sure that this wouldn’t happen. (At least as sure as you can be about any software system.)

We expected the greatest risk for Ampleforth to be around numerical stability–like rounding errors or overflows in arithmetic–and upgrades. We’re happy to report that neither of the audits discovered issues with these core concerns.

On October 10th, 2018 we requested a one-week security audit from SlowMist. SlowMist found no vulnerabilities over the course of their audit.

Later, we requested a second audit from Trail of Bits. This was done with two of their engineers from Nov 5th to 20th. Earlier, we had felt there must be something to find… and Trail of Bits identified four low-severity issues and no high- or medium-severity issues.

Property-Based Testing and Formal Verification

On top of the basic security audit duties, Trail of Bits provided a custom Echidna testing harness for the ERC20 token and custom Manticore scripts. We have added them to this sibling repo. These serve to broaden our 100% unit test coverage and integration tests of the smart contracts with fuzz testing and symbolic execution tools. Thank you, Trail of Bits!

About the Auditors

SlowMist has completed audits for many projects in the blockchain space including OKEX, Huobi Security, imToken, and TrueUSD.

Trail of Bits has been around since 2012, predating most blockchain projects. They’re members of the Enterprise Ethereum Alliance, and have conducted security reviews for the likes of MakerDAO and Parity’s Ethereum client. Outside the blockchain space they’ve worked with high-profile groups like Facebook and DARPA. Needless to say, all of us on the engineering team were eager to work with such a respected and experienced group.

Thanks again to Trail of Bits and SlowMist for their detailed analysis of the Ampleforth protocol. With their help, we’re another step closer to bringing a truly fair and independent money to the world.

Our Actions and Considerations

We’ve chosen a few of the more interesting items to include below. Warning: we’re getting technical now! It will make the most sense after familiarizing yourself with the code and the audits themselves. And don’t forget — the full report is here.

Rebase will fail if no market sources are fresh

Previously, if no market sources were fresh the rebase operation would cause a revert with no change to the token supply. While the end result of this revert on the token supply was considered correct behavior, we did make two small code changes [#100, #34].

With these changes, both no fresh sources and no trade volume are considered valid conditions (hopefully ones we never encounter). Instead of rebase failing with no supply adjustment, rebase will now run to completion with no supply adjustment. This is a small conceptual change, but it does allow writing to the event logs that a null rebase occurred. In the process, we also added a configurable hyperparameter for minimum required volume before any supply adjustment is made.

Malicious or erroneous MarketSource can break rebasing

A malicious market source, which has also gained whitelisted status, can cause an integer overflow in the calculation of the volume-weighted average in the oracle aggregator by supplying fake data with very large values. If this happens, rebase will fail with a revert and no adjustment to the token supply will be made. If a malicious market source continues to supply such a value, it can result in a denial-of-service attack on the monetary policy until it’s removed from the source whitelist.

After some discussion, the Ampleforth team decided to take no immediate action. The fundamental issue is that the oracle relies on a whitelist of sources authorized to provide data — fixing an overflow with an input restriction still would not have changed this. Adding a maximum allowable value independent of the number of sources combined in the calculation would have either been arbitrary or overly limiting.

Truly decentralized oracles are the best approach long term, but they’re still highly conceptual and not ready for a high stakes, adversarial environment. We’re keeping a close eye on this space, and are considering migrating to external oracle infrastructure at some point, like Chainlink. It’s worth noting that other prominent projects also use whitelisted sources, including for example MakerDAO and Compound.

Rebase predictability may make μFragments a target for arbitrage

Ampleforth would like to encourage as much arbitrage as possible, actually! This helps the market converge on the true price.

It’s important to keep two things in mind. First, that price is determined by the actors in the market, not by the protocol directly. And second, that prices do not instantaneously react after a rebase operation executes.

Market actors will always be able to view public markets and blockchain state, and price these data into their trades even in advance of rebases. We have a forthcoming dashboard that will make all the relevant onchain data available to every trader everywhere.