Skip links
1inch logo

1Inch Audit | LimitOrderProtocol and FixedRateSwap updates

Introduction

CoinFabrik was asked to audit the contracts for the Limit Order Protocol and Fixed Rate Swap projects. First we will provide a summary of our discoveries and then we will show the details of our findings.

Summary

The contracts audited are from the LimitOrderProtocol repository at https://github.com/1inch/limit-order-protocol and the FixedRateSwap repository at https://github.com/1inch/fixed-rate-swap. The audit is based on the commits 9d118307df7acc3bcef73407f3964acd6aa0f35c and d05dc6d0a4e1d5fe1b8cb2a1a4d098b7e64cc30c respectively.

Contracts

The audited contracts include the following, plus their helper and libraries:

  • [fixed-rate-swap]/contacts/FixedRateSwap.sol: main contact implementing the fixed swap functions.
  • [limit-order-protocol]/contracts/LimitOrderProtocol.sol: main contract inheriting Limit Order and Limit Order RFQ functions.
  • [limit-order-protocol]/contracts/OrderMixin.sol: contract defining Limit Order functions.
  • [limit-order-protocol]/contracts/OrderRFQMixin.sol: contract defining Limit Order RFQ functions.

Analyses

We analyzed whether the code is secure, if best practices are met, and the logic for compliance with the protocol’s model.

The following analyses for typical vulnerabilities were performed:

  • Misuse of the different call methods
  • Integer overflow errors
  • Division by zero errors
  • Outdated version of Solidity compiler
  • Front running attacks
  • Reentrancy attacks
  • Misuse of block timestamps
  • Softlock denial of service attacks
  • Functions with excessive gas cost
  • Missing or misused function qualifiers
  • Needlessly complex code and contract interactions
  • Poor or nonexistent error handling
  • Failure to use a withdrawal pattern
  • Insufficient validation of the input parameters
  • Incorrect handling of cryptographic signatures

Severity Classification

Security risks are classified as follows:

  • Critical: These are issues that we manage to exploit. They compromise the system seriously. They must be fixed immediately.
  • Medium: These are potentially exploitable issues. Even though we did not manage to exploit them or their impact is not clear, they might represent a security risk in the near future. We suggest fixing them as soon as possible.
  • Minor: These issues represent problems that are relatively small or difficult to take advantage of but can be exploited in combination with other issues. These kinds of issues do not block deployments in production environments. They should be taken into account and be fixed when possible.
  • Enhancement: These kinds of findings do not represent a security risk. They are best practices that we suggest to implement.

This classification is summarized in the following table:

SEVERITY EXPLOITABLE ROADBLOCK TO BE FIXED
Critical Yes Yes Immediately
Medium In the near future Yes As soon as possible
Minor Unlikely No Eventually
Enhancement No No Eventually

Issues Found by Severity

Critical severity

No issues were found.

Medium severity

No issues were found.

Minor severity

No issues were found.

Enhancements

Incorrect Comment

The comment for func_301JL5R() is

// keccak256(“func_733NCGU(address,address,uint256,address,uint256,bytes)”) == 0x23b872dd (IERC20.transferFrom)

Which is incorrect. The hash value matches the new function. Correct to

// keccak256(“func_301JL5R(address,address,uint256,address,uint256,bytes)”) == 0x23b872dd (IERC20.transferFrom)

Conclusion

We found the contracts to be simple and straightforward and have an adequate amount of documentation. These contracts improve upon contracts which have been previously audited, only adding functionality in the case of Limit Order Protocol. No security issues were found.

Disclaimer: This audit report is not a security warranty, investment advice, or an approval of 1inch’s Fixed Rate Swap and Limit Order Protocol projects since CoinFabrik has not reviewed its platform. Moreover, it does not provide a smart contract code faultlessness guarantee.
This website uses cookies to improve your web experience.