Wrapped Bitcoin (WBTC) Audit Completed

ChainSecurity
Oct 29, 2018

ChainSecurity has completed a security audit of the Wrapped Bitcoin project. The full report, including the scope of the audit and considered properties, is available here.

WBTC represents Bitcoin as an (extended) ERC20 token on the Ethereum blockchain, where 1 BTC equals 1 WBTC token. The involved entities are at least one custodian (the current setup is tailored to exactly one) and multiple merchants. In general, the system has two main tasks:

  1. Minting WBTC:
    If a matching amount of BTC is locked at a custodian’s account (on the Bitcoin blockchain), the corresponding amount of WBTC tokens is minted (released) to the merchant (on the Ethereum blockchain).
  2. Burning WBTC:
    When a merchant wants to convert his WBTC tokens back into BTC, he places a burn request (the specified amount of WBTC tokens are burned). If successful, the custodian sends the merchant the requested amount of BTC (on the Bitcoin blockchain).

To accomplish a Bitcoin-to-WBTC swap and back, a merchant sends BTC to a custodian. The custodian confirms that this merchant has deposited a certain amount of BTC on the Bitcoin blockchain. A matching amount of WBTC is then minted by a custodian and can be used by the merchant. Accordingly, if a merchant wants to swap the WBTC back to BTC, the merchant files a request to burn the WBTC. The custodian transfers the BTC back to the merchant if the burning of the WBTC was successful.

Overall, the smart contracts request and record the transaction details on the Ethereum blockchain. The actual BTC transactions happen on the Bitcoin blockchain. Other tasks include managing (adding/removing) merchants and custodians.

Our audit investigated the code implementation issues arising from the management of merchants and custodians, as well as from the minting, transferring, and burning of the WBTC token on the Ethereum blockchain.

Overall, the ChainSecurity team found that Wrapped Bitcoin is a very well-coded smart contract with clean documentation. The full audit report, detailing the specifications checked by ChainSecurity, is available at https://github.com/ChainSecurity/audits/raw/master/ChainSecurity_WBTC.pdf. During the audit, we detected two security issues concerning (1) the pausing of the minting/burning process and (2) a possible hash collision. The hash collision was possible due to the use of abi.encodePacked() instead of abi.encode(). ChainSecurity also highlighted relevant trust assumptions arising from the overall system setup. WBTC addressed, acknowledged or fixed the raised issues. Therefore, ChainSecurity sees no remaining security issues in the current version.
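Why abi.encodePacked() can collide where abi.encode() cannot, as an added example that is not taken from the audit report or the WBTC code: it re-implements both encodings for string arguments and compares two requests. The function names and the request values are constructed for illustration, and SHA3-256 stands in for Solidity's keccak256 (identical preimages collide under any hash).

```python
import hashlib

def encode_packed(*strings: str) -> bytes:
    """abi.encodePacked for strings: raw UTF-8 bytes, no length, no padding."""
    return b"".join(s.encode("utf-8") for s in strings)

def _pad32(data: bytes) -> bytes:
    """Right-pad with zero bytes to a multiple of 32 bytes."""
    return data + b"\x00" * (-len(data) % 32)

def abi_encode(*strings: str) -> bytes:
    """abi.encode for strings: one 32-byte offset per argument (the head),
    then for each argument a 32-byte length word and the padded data."""
    tails = []
    for s in strings:
        raw = s.encode("utf-8")
        tails.append(len(raw).to_bytes(32, "big") + _pad32(raw))
    head = b""
    offset = 32 * len(strings)          # first tail starts right after the head
    for tail in tails:
        head += offset.to_bytes(32, "big")
        offset += len(tail)
    return head + b"".join(tails)

def digest(preimage: bytes) -> str:
    # Stand-in for keccak256 (assumption): the collision is in the preimage,
    # so the choice of hash function does not matter for this demonstration.
    return hashlib.sha3_256(preimage).hexdigest()

# Constructed sample data: two different requests, each with two adjacent
# string fields. Moving one character across the field boundary leaves the
# concatenation unchanged.
REQUEST_A = ("addr-1", "23tx")
REQUEST_B = ("addr-12", "3tx")

def packed_collides(a, b) -> bool:
    return digest(encode_packed(*a)) == digest(encode_packed(*b))

def padded_collides(a, b) -> bool:
    return digest(abi_encode(*a)) == digest(abi_encode(*b))

if __name__ == "__main__":
    print("encodePacked preimage A:", encode_packed(*REQUEST_A))
    print("encodePacked preimage B:", encode_packed(*REQUEST_B))
    print("encodePacked hashes collide:", packed_collides(REQUEST_A, REQUEST_B))
    print("encode hashes collide:      ", padded_collides(REQUEST_A, REQUEST_B))
```

The length word that abi.encode() writes before each string is what keeps the field boundary inside the hashed data.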

About WBTC:
WBTC (Wrapped Bitcoin) will launch as a fully backed Bitcoin ERC20 token on Ethereum in January 2019. The initiative will bridge Bitcoin liquidity and the decentralized ecosystem on Ethereum, enhancing all decentralized applications. WBTC will allow the Ethereum network to be leveraged to enable new applications and use cases for Bitcoin.
WBTC is a community-focused initiative and is the culmination of a long-standing joint effort between BitGo, Kyber Network, and Republic Protocol. Prominent decentralized exchanges and financial projects, including MakerDAO, Dharma, Airswap, IDEX, Compound, DDEX, Hydro Protocol, Set Protocol, Prycto, RadarRelay, Blockfolio and Gnosis, have all committed to support the adoption of WBTC and will participate as launch members.

For more information please visit https://www.wbtc.network/

About ChainSecurity:
ChainSecurity uses the most advanced tools straight out of the research labs at ETH Zurich, one of the best technical universities, to validate the correctness and uncover vulnerabilities in smart contracts. A thorough expert audit focuses on defining an exact functional specification, proves that it holds using formal verification tools and uncovers security, design and architecture issues in the analyzed code. Crypto projects rely on the detailed public audits by ChainSecurity to ensure top-grade security for their smart contracts and protocols.

Learn more about ChainSecurity at https://chainsecurity.com
