At Origin, we take security very seriously. In particular, we are abundantly cautious with our smart contracts since they are the very core of our peer-to-peer marketplace platform and the security of our users financial transactions are at stake.
Our philosophy to smart contracts security is multi-pronged:
- Open-source. As the rest of our codebase, our smart contracts code is open-source. By doing so, we can leverage the community to alert us and help us quickly patch potential new security threats.
- Static code analyzer. Tools such as slither help detect known vulnerabilities and recommend best coding practices. While those tools can’t be relied on to catch all possible vulnerabilities, they provide a useful extra level of scrutiny.
- Peer reviews. Any pull request submitted to the Origin Protocol codebase must get a thorough review from a senior engineer on the project before it can get committed to the repository.
- Multi-sig. After deploying our smart contracts, we transferred their ownership to Gnosis multi-sig wallets. Now any changes to our smart contracts require digital signatures from multiple signers before they are executed. For our Marketplace contract, we use a 3 of 8 multi-sig which means it requires 3 out of 8 key holders to sign off on any changes. For our ERC-20 token contract where the stakes are even higher, we use a 5 of 8 multi-sig for even greater security. This gives us peace of mind that even if one of our key holders goes rogue or has their credentials compromised, the attacker would not gain the ability to alter our contracts.
- Internal audit. In addition to peer-reviewing the code while it was being developed, once our smart contracts were in their final stage of development we set aside time for doing an exhaustive internal security audit. We selected an engineer in our team who is security-minded but had not worked on implementing the contracts — so that he would come in with a fresh perspective.
- External audit. We checked references and interviewed several security companies before deciding to hire Trail of Bits to conduct an external audit of our smart contracts. Trail of Bits are highly respected not only within the blockchain world but also among the broader technical community.
Overall, this exhaustive audit found 11 issues of various severities (4 high, 4 medium, 1 low and 2 informational) and types (race conditions, access control, limitation in case of future upgrades, flaw in the logic).
Here are some interesting items that were uncovered and fixed as part of the overall audit process:
- There was a vulnerability whereby if a token with external execution capability (such as an ERC-223 token) would be used to pay for a listing on the marketplace, an attacker might have been able to withdraw more funds than deposed by re-entering the method withdrawOffer. This was addressed by refactoring the marketplace smart contract’s code to adhere more closely to the Checks-Effects-Interactions pattern.
- A subtle bug (this line was missing!) in the implementation of the withdrawListing method on the marketplace contact could have allowed an attacker to get refunded more than once the OGN deposit associated with their listing. This actually also ended up being a good validation of the quality of our auditing process since both the internal and external auditors caught the issue!
The complete external audit report is available from Trail of Bits and is also embedded below:
The work described in this article is a good illustration of our team’s commitment to providing a secure, trustworthy and delightful experience to all the users of our marketplace!
For reference, here are the addresses of the principal Origin Protocol contracts on the Ethereum Mainnet:
- Origin Token (OGN): 0x8207c1FfC5B6804F6024322CcF34F29c3541Ae26
- Origin Marketplace:
Learn more about Origin: