Decent - 0xepley's results

🛠️ Analysis - Decent

Decent enables one-click transactions using any token across chains.

Summary

a) Overview of the Decent Project

Decent Project is an innovative blockchain initiative designed to address the challenges of interoperability and fluidity in transactions across multiple blockchain networks. At its core, Decent aims to simplify and streamline the process of executing transactions on various blockchains, enhancing the user experience in the decentralized finance (DeFi) and blockchain space. Here's an overview of its key aspects:

Key Features and Functionalities:

1. Cross-Chain Transactions: Decent facilitates seamless transactions across different blockchain networks. This capability is pivotal in a landscape where assets and liquidity are spread across various chains.

2. Swapping and Bridging Mechanisms: The platform integrates sophisticated swapping and bridging functionalities, allowing users to convert and transfer assets between different tokens and blockchains efficiently. This feature is crucial for users who engage in activities across multiple chains.

3. Fee Management: The platform incorporates an effective fee management system, ensuring that transactions are economically viable for users and sustainable for the platform's longevity.

b) Technical Architecture:

Decent's architecture is built around a set of smart contracts, each serving specific roles:

c) The approach I would follow when reviewing the code

First, by examining the scope of the code, I determined my code review and analysis strategy. https://code4rena.com/audits/2024-01-decent

Accordingly, I would analyze and audit the subject in the following steps;

d) Analysis of the code base

The most important summary in analyzing the code base is the stacking of codes to be analyzed. In this way, many predictions can be made, including the difficulty levels of the contracts, which one is more important for the auditor, the features they contain that are important for security (payable functions, uses assembly, etc.), the audit cost of the project, and the time to be allocated to the audit; Uses Consensys Solidity Metrics

• File: This field contains the name or path of the source file being analyzed.

• Logic Contracts: This field indicates the number of Contracts involves

• Interfaces: This field indicated specify the number or details of interfaces defined in the source file.

• Lines: This field represents the total number of lines in the source file, including code lines, comments, and blank lines.

• nLines: nLines typically stands for "normalized lines" and represents the total number of lines in the source file excluding blank lines.

• nSLOC: nSLOC stands for "normalized source lines of code," and it further refines nLines by excluding both blank lines and comments. It gives a more accurate measure of the code's complexity.

• Comment Lines: This field specifies the number of lines in the source file that contain comments.

• Complex. Score: This field may indicate a complexity score or metric for the source file.

Analysis of sloc of bridge_adapters contracts

Analysis of sloc of Swappers contracts

Analysis of sloc of decent_bridge contracts

Analysis of sloc of src contracts

Comment-to-Source Ratio:

Swappers contracts: On average there are 15.8 code lines per comment (lower=better).

bridge_adapters contracts: On average there are 14.91 code lines per comment (lower=better).

decent_bridge contracts: On average there are 7.96 code lines per comment (lower=better).

src contracts: On average there are 2.72 code lines per comment (lower=better).

Call Graph of Important Contracts

Call graph of swappers contract

Call graph of bridge_adapters contracts

Call graph of src contracts

Contract Integration Graph

High Level Domain Model

This domain model provides an overview of the key components and how they are interconnected.

Sequence diagram of Important functions

SwapAndExecute()

bridgeAndExecure()

e) Test analysis

Foundry Testing:

Foundry, a modern smart contract testing framework, was utilized to test the reNFT contracts. This involved several key steps:

a. Installation and Setup: - Foundry was installed using the command curl -L https://foundry.paradigm.xyz | bash, followed by foundryup to ensure the latest version was in use. - Dependencies were installed using forge installand pnpm i, ensuring all necessary components were available for the testing process. - Then to run the tests, I simply added the relevant files to the .env, referencing .env.example.

b. Execution of Tests: - Tests were run using forge test, executing a suite of predefined test cases that covered various functionalities and scenarios within the reNFT contracts. - A gas report was generated using forge test --gas-report. This report provided insights into the gas efficiency of the contracts, which is crucial for optimizing transaction costs on the blockchain.

c. Test Coverage and Documentation: - The overview of the testing suite, as referred to in the provided documentation, likely details the scope, scenarios, and objectives of each test, ensuring a comprehensive assessment of the contracts.

What did the project do differently? ;

• 1. It can be said that the developers of the project did a quality job, there is a test structure consisting of tests with quality content. In particular, tests have been written successfully.
• 2. Overall line coverage percentage provided by your tests : 75

What could they have done better?

• 1. If we look at the test scope and content of the project with a systematic checklist, we can see which parts are good and which areas have room for improvement As a result of my analysis, those marked in green are the ones that the project has fully achieved. The remaining areas are the development areas of the project in terms of testing ;

Ref:https://xin-xia.github.io/publication/icse194.pdf

• 2. Test Coverage of the protocol is around 75% which is very less, the recommended test coverage of any protocol is above 90% so it is recommended to increase the coverage to at least 90%

f) Security Approach of the Project

Successful current security understanding of the project;

1- The project hasn't underwent any audits(nothing stated in the docs), this innovative assessments on Code4rena is the first, where multiple auditors are scrutinizing the code.

What the project should add in the understanding of Security;

1- By distributing the project to testnets, ensuring that the audits are carried out in onchain audit. (This will increase coverage)

2- Add On-Chain Monitoring System; If On-Chain Monitoring systems such as Forta are added to the project, its security will increase.

For example ; This bot tracks any DEFI transactions in which wrapping, unwrapping, swapping, depositing, or withdrawals occur over a threshold amount. If transactions occur with unusually high token amounts, the bot sends out an alert. https://app.forta.network/bot/0x7f9afc392329ed5a473bcf304565adf9c2588ba4bc060f7d215519005b8303e3

3- After the Code4rena audit is completed and the project is live, I recommend the audit process to continue, projects like immunefi do this. https://immunefi.com/

4- Emergency Action Plan In a high-level security approach, there should be a crisis handbook like the one below and the strategic members of the project should be trained on this subject and drills should be carried out. Naturally, this information and road plan will not be available to the public. https://docs.google.com/document/u/0/d/1DaAiuGFkMEMMiIuvqhePL5aDFGHJ9Ya6D04rdaldqC0/mobilebasic#h.27dmpkyp2k1z

5- I also recommend that you have an "Economic Audit" for projects based on such complex mathematics and economic models. An example Economic Audit is provided in the link below; Economic Audit with Three Sigma

6 - As the project team, you can consider applying the multi-stage audit model.

Read more about the MPA model; https://mpa.solodit.xyz/

7 - I recommend having a masterplan applied to project team members (This information is not included in the documents). All authorizations, including NPM passwords and authorizations, should be reserved only for current employees. I also recommend that a definitive security constitution project be found for employees to protect these passwords with rules such as 2FA. The LEDGER hack, which has made a big impact recently, is the best example in this regard;

https://twitter.com/Ledger/status/1735326240658100414?t=UAuzoir9uliXplerqP-Ing&s=19

g) Codebase Quality

Overall, I consider the quality of the ReNFT protocol codebase to be Good. The code appears to be mature and well-developed. We have noticed the implementation of various standards adhere to appropriately. Details are explained below:

h) Other Audit Reports and Automated Findings

Automated Findings: https://github.com/code-423n4/2024-01-decent/blob/main/bot-report.md

Previous Audits There isn't any Previous Audit

4naly3er report https://github.com/code-423n4/2024-01-decent/blob/main/4naly3er-report.md

i) Full representation of the project’s risk model

Systemic Risks

Interoperability Issues: As a cross-chain solution, Decent relies heavily on the stability and security of other blockchains. Issues in connected networks can cascade into the Decent ecosystem.

Technical Risks

Smart Contract Vulnerabilities: Bugs or flaws in smart contracts can lead to loss of funds or malfunctioning of the platform.

Scalability Concerns: As transaction volumes grow, the platform must scale without compromising performance or security.

Integration Risks

Compatibility with Different Blockchains: Ensuring that Decent works seamlessly across multiple chains requires constant updates and monitoring of changes in those ecosystems.

Cross-Chain Security: Security inconsistencies across different blockchains can expose vulnerabilities in cross-chain transactions.

j) Packages and Dependencies Analysis 📦

k) New insights and learning of project from this audit:

After thoroughly reviewing the Decent project's codebase and documentation, several new insights and learnings have emerged.

1. Innovative Approach to Cross-Chain Interactions: Decent's utilization of a combination of bridging and swapping mechanisms to facilitate cross-chain transactions is a notable innovation. This approach addresses one of the most significant challenges in the blockchain ecosystem - the seamless transfer of value and interactions across different networks.

2. Fee Management and Optimization: The way Decent handles transaction fees, particularly in cross-chain contexts, provides valuable insights into cost optimization in blockchain applications.

3. Scalability and Extensibility: Decent's architecture, especially the use of adapter patterns for bridging and swapping, demonstrates a scalable approach to blockchain development. The ability to add new swappers and bridge adapters without overhauling the core system architecture allows for future extensibility.

Note: I didn't tracked the time, the time I mentioned is just an estimate

Time spent:

5 hours

Time spent:

5 hours