Rockside Relayer Security: Smart Contract External Audit by Sekoia

Vincent Le Gallic
Sep 24

At Rockside, we take security very seriously. In our new architecture, our users send Ether to a Forwarder contract. Rockside pays the gas to relay transactions and is reimbursed by this Forwarder contract. This audit allowed us to validate two things that are absolutely essential for us:

  • Our users’ funds are secure.
  • The service is fair by design: Rockside can never be refunded more than the maximum price fixed by the users to relay their transaction.

We checked the references of, and interviewed, several security companies before deciding to hire Sekoia to conduct an external audit of our smart contracts. Sekoia is a key French player in cybersecurity: internationally recognized, an independent pure player, with solid expertise in Ethereum smart contract security.

The security report

The smart contract static and dynamic code analysis did not reveal any security vulnerabilities.

Here are the highlights of the 2 issues found thanks to the audit.

Privilege escalation (major)

Some privileged functions can be called by users who go through the Rockside service. Normally only the owner of the Proxy contract has control over it, but a vulnerability allows API key users to have owner rights on the proxy.

Rockside Response: We moved the owners logic from the proxy to the implementation, so this is no longer the proxy's responsibility. We also changed the logic for the forwarder: the forwarder itself is not an owner anymore. We originally added the forwarder as an owner so that administration tasks, such as changing the implementation of the forwarder, could be done using MetaTx. Even though we thought the attack surface was limited, because only people having the Rockside API key would be able to execute transactions from the forwarder, we decided to remove it.

SEKOIA Validation: The response is accepted and the fix is provided in this commit.

Code bad practice (significant)

Storage slots are used without being properly declared, which could have a security impact in future development. In a proxy pattern, the storage slots of ‘Proxy.sol’ are used in the context of the code of ‘Forwarder.sol’, and both contracts must have the same storage layout. The storage layout is not explicitly declared and reserved in ‘Proxy.sol’, so ‘Forwarder.sol’ blindly uses storage slots that might later be used by ‘Proxy.sol’.

Rockside Response: We understand the risk as described, but we decided to have a generic proxy that can work with any kind of implementation. Moreover, a generic proxy requires less gas to be deployed. We follow the proxy pattern as defined by OpenZeppelin, as the Gnosis Safe or Argent contracts do. https://blog.openzeppelin.com/proxy-patterns
The Proxy source file will include the missing declarations as comments, with an explanation, to avoid misunderstanding in future developments.

SEKOIA Validation: The response is accepted and the fix is provided by this commit.
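The layout requirement in this finding can be checked mechanically. The following is an added example, not code from Rockside or from the audit report: it compares two storage layouts in the shape of solc's `storageLayout` output and reports bytes that the proxy and the implementation both claim with different declarations. All variable names and layouts are constructed for illustration.

```python
# Added example (not Rockside's code). Input shape follows solc's `storageLayout`
# output; every variable name and layout below is constructed for illustration.
TYPES = {
    "t_address": {"numberOfBytes": "20"},
    "t_uint256": {"numberOfBytes": "32"},
    "t_mapping(t_address,t_bool)": {"numberOfBytes": "32"},
}

def var(label, slot, type_, offset=0):
    return {"label": label, "slot": str(slot), "offset": offset, "type": type_}

# Hypothetical implementation layout, and three candidate proxy layouts.
FORWARDER = {"types": TYPES, "storage": [
    var("owners", 0, "t_mapping(t_address,t_bool)"),
    var("nonce", 1, "t_uint256"),
]}
PROXY_UNDECLARED = {"types": TYPES, "storage": []}  # nothing declared or reserved
PROXY_NEW_VAR = {"types": TYPES, "storage": [var("implementation", 0, "t_address")]}
PROXY_MIRRORED = {"types": TYPES, "storage": [
    var("owners", 0, "t_mapping(t_address,t_bool)"),
]}

def byte_ranges(layout):
    """Return (start, end, label, type) for each declared state variable."""
    ranges = []
    for v in layout["storage"]:
        size = int(layout["types"][v["type"]]["numberOfBytes"])
        start = int(v["slot"]) * 32 + int(v["offset"])
        ranges.append((start, start + size, v["label"], v["type"]))
    return ranges

def find_collisions(proxy_layout, impl_layout):
    """List (slot, proxy_var, impl_var) where both contracts claim the same
    bytes but disagree on position or type. Identical declarations are the
    safe, mirrored case and are not reported."""
    collisions = []
    for p_start, p_end, p_label, p_type in byte_ranges(proxy_layout):
        for i_start, i_end, i_label, i_type in byte_ranges(impl_layout):
            overlaps = p_start < i_end and i_start < p_end
            mirrored = (p_start, p_end, p_type) == (i_start, i_end, i_type)
            if overlaps and not mirrored:
                collisions.append((max(p_start, i_start) // 32, p_label, i_label))
    return collisions

if __name__ == "__main__":
    for name, proxy in [("undeclared", PROXY_UNDECLARED),
                        ("new variable", PROXY_NEW_VAR),
                        ("mirrored", PROXY_MIRRORED)]:
        print(name, find_collisions(proxy, FORWARDER))
```

An empty result for the undeclared proxy only means the compiler sees no declared state variables there; slots written through inline assembly never appear in this output, which is why the collision surfaces only once a variable is later declared in the proxy.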

Read Sekoia’s full Rockside Relayer security audit report below.

Conclusion

In this new version of Rockside, our priority has been to build a reliable service for live applications on the mainnet. All our contracts are open source, tested and constantly reviewed internally. We write a minimum of Solidity code and we try to make it as simple and readable as possible to guarantee a high level of transparency to our community. Finally, we systematically use standard libraries when possible. With the emergence of DeFi, the financial transactions that go through our service are increasingly critical, and being regularly audited by external teams is quite natural for us.

Thank you to the Sekoia “Red Team” for this collaboration, and particularly to Bertrand from the Sekoia team for the quality of these recommendations.

Join the Rocksiders community:

Subscribe to our newsletter.
Try Rockside, visit our website.
Follow us on Twitter.
Join our Telegram.
Join our Slack.

Thanks to Tangui Clairet and Aurélien

Written by Vincent Le Gallic, CTO & Co-founder Rockside.io
