Certik Completes THORChain Audit

Certik.io has completed a full code-analysis of THORChain with no major issues found.

THORChain

Apr 24, 2020

Certik

In January THORChain announced they had selected Certik as an audit partner to conduct a code review of THORChain.

Certik conducts rigorous security audits of blockchain protocols in order to find and address security issues. They have worked with many partners in the space and have a deep understanding of the industry.

Certik Clients & Partners

Code Review

Certik worked with THORChain to snapshot the codebase and then deconstruct it into its logical architecture. They then went line by line over the code in order to identify gaps in logic, attack entry points, unsafe handling of integers and more. Their objective was as follows:

Verify the soundness of the implementation, while ensuring its logic meets the specifications and intentions of [THORChain], underlying the linkage between RUNE’s utility as a token within THORChain’s … model for asynchronous inter-blockchain asset exchange — which is designed to give RUNE intrinsic value in the immediate term while serving the long term sanctity of THORNodes’ vaults via a tightly coupled liquidity/security mechanism — in order to:

provide an estimate of the overall security posture of the system;

evaluate the difficulty of system compromise from an attacker;

identify design-level risks to the security of the system;

identify implementation flaws that illustrate systemic and extrinsic risks;

provide recommendations for best practices that could improve THORChain’s security posture;

document architectural risks to the system in the form of a threat model and data-flow analysis of the prioritized system components;

provide a reference architecture that the community may use to evaluate the coverage of the security assessment, and to begin building a baseline of security relevant settings and considerations for the system.

Each week they reported their findings back to THORChain, and the team worked to address them, even making running updates to the codebase to integrate the feedback.

The Certik team found 34 issues in the codebase, most of them minor, all of which were subsequently addressed by the team. There were no show-stoppers or issues that required radical changes to THORChain; most were minor code-hygiene or optimisation items.

Their summary:

CertiK found THORChain’s theoretical model, as well as its master-branch Cosmos SDK implementation, to be well-designed and executed cleanly, demonstrating a good command over relevant best practices. While CertiK cannot comment on the final mainnet performance of our clients’ end-products, the modeling and mathematical reasoning were determined to be sound overall.

The full report can be found at the following link:

https://github.com/thorchain/Resources/blob/master/Audits/4_20_2020_thor_report_final.pdf

Recommendations

The team found Certik to be a thorough, professional and prompt audit partner and fully recommend them to other projects.

Next Audit

The team are still working with Gauntlet on the economic review, as well as Kudelski on the TSS audit. Updates will be provided in due course.

THORChain Community

To keep up to date with the project, please monitor the community channels, particularly Telegram, Discord and Twitter.
