Hacken
Audits
0x0
[SCA] 0x0 | Relayer Manager | Aug2024

0x0

Audit name:

[SCA] 0x0 | Relayer Manager | Aug2024

Date:

Aug 23, 2024

Table of Content

→Introduction

→Audit Summary

→System Overview

→Risks

→Findings

→Appendix 1. Severity Definitions

→Appendix 2. Scope

→Disclaimer

Want a comprehensive audit report like this?

Introduction

We express our gratitude to the 0x0 team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

RelayerManager is a contract within the 0x0 project that manages and regulates relayers responsible for executing token transfers within the Arcane ecosystem.

Document
Name	Smart Contract Code Review and Security Analysis Report for 0x0
Audited By	Kornel Światłowski
Approved By	Przemyslaw Swiatowiec
Website	https://0x0.ai/→
Changelog	12/08/2024 - Preliminary Report; 23/08/2024 - Final Report
Platform	Ethereum
Language	Solidity
Tags	Signatures, Upgradable
Methodology	https://hackenio.cc/sc_methodology→

Document
Name
Smart Contract Code Review and Security Analysis Report for 0x0
Audited By
Kornel Światłowski
Approved By
Przemyslaw Swiatowiec
Website
https://0x0.ai/→
Changelog
12/08/2024 - Preliminary Report; 23/08/2024 - Final Report
Platform
Ethereum
Language
Solidity
Tags
Signatures, Upgradable
Methodology
https://hackenio.cc/sc_methodology→

Review Scope
Repository	https://github.com/0x0exchange/arcane→
Commit	46807d32150283a9007429c0f9f9e03990071694

Review Scope
Repository
https://github.com/0x0exchange/arcane→
Commit
46807d32150283a9007429c0f9f9e03990071694

Audit Summary

11Total Findings

11Resolved

0Accepted

0Mitigated

1medium

1low

9observation

The system users should acknowledge all the risks summed up in the risks section of the report

Documentation quality

Functional requirements have some gaps.
Technical description has some gaps.

Code quality

The development environment is configured.

Test coverage

Code coverage of the project is 95.31% (branch coverage).

Deployment and basic user interactions are covered with tests.
Negative cases coverage is missed.

System Overview

The RelayerManager contract manages and regulates relayers responsible for executing token transfers within the Arcane ecosystem. It enforces strict requirements, including token balance thresholds, to ensure only qualified relayers can operate. The contract allows for registering, activating, deactivating, and permanently disabling relayers, while also verifying signatures to ensure the authenticity of each transfer. It supports both single and multiple transfer modes and manages fees, which can be paid in tokens or ETH. The contract integrates with the Arcane contract to handle token transfers.

Privileged roles

The system uses OwnableUpgradeable library from OpenZeppelin to restrict access to key functions. The contract owner can:

Sets the arcane contract address
Sets the maximum number of relayers per owner
Withdraws ETH from the contract
Withdraws tokens from the contract

Risks

Flexibility and Risk in Contract Upgrades: The project's contracts are upgradable, allowing the administrator to update the contract logic at any time. While this provides flexibility in addressing issues and evolving the project, it also introduces risks if upgrade processes are not properly managed or secured, potentially allowing for unauthorized changes that could compromise the project's integrity and security.

Absence of Upgrade Window Constraints: The contract suite allows for immediate upgrades without a mandatory review or waiting period, increasing the risk of rapid deployment of malicious or flawed code, potentially compromising the system's integrity and user assets.

Scope Definition and Security Guarantees: The audit does not cover all code in the repository. Contracts outside the audit scope may introduce vulnerabilities, potentially impacting the overall security due to the interconnected nature of smart contracts.

System Reliance on External Contracts: The functioning of the system significantly relies on specific external contracts. Any flaws or vulnerabilities in these contracts adversely affect the audited project, potentially leading to security breaches or loss of funds.

Findings

Code ―	Title	Status	Severity
F-2024-4869	The Usage of the Precompile ecrecover Can Lead to Signature Mailability	fixed	Medium
F-2024-5204	Possible Signature Replay Attack: Missing Chain Id In The Signature	fixed	Low
F-2024-5158	Missing Validation of Return Values in relayTransfer Function	fixed	Observation
F-2024-4873	Use of transfer() Instead of call() to Send Native Tokens	fixed	Observation
F-2024-4871	Missing Events For Critical Actions	fixed	Observation
F-2024-4867	Some Public Functions Should Be Declared As External	fixed	Observation
F-2024-4866	Redundant Imports	fixed	Observation
F-2024-4864	Missing Two-step Ownership Transfer Process	fixed	Observation
F-2024-4863	Development Libraries Import in the Production Ready Contract	fixed	Observation
F-2024-4861	Gas Inefficiency Due to Missing Usage of Solidity Custom Errors	fixed	Observation

1-10 of 11 findings

Identify vulnerabilities in your smart contracts.

Appendix 1. Severity Definitions

When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.

Reference on how risk scoring is done is available through the repository in our Github organization:

hknio/severity-formula →

Severity	Description
Critical	Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.
High	High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.
Medium	Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.
Low	Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.

Severity
Critical
Description
Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.
Severity
High
Description
High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.
Severity
Medium
Description
Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.
Severity
Low
Description
Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.

Appendix 2. Scope

The scope of the project includes the following smart contracts from the provided repository:

Scope Details
Repository	https://github.com/0x0exchange/arcane→
Commit	46807d32150283a9007429c0f9f9e03990071694
Whitepaper	https://docs.0x0.ai/→
Requirements	README.md
Technical Requirements	README.md

Scope Details
Repository
https://github.com/0x0exchange/arcane→
Commit
46807d32150283a9007429c0f9f9e03990071694
Whitepaper
https://docs.0x0.ai/→
Requirements
README.md
Technical Requirements
README.md

Contracts in Scope

contracts

RelayerManager.sol - contracts › RelayerManager.sol

Disclaimer

Hacken Disclaimer

Technical Disclaimer

Extractor by Hacken