• Hacken
  • Blog
  • Case Studies
  • Blockchain Protocol Audit For Radix Engine

Blockchain Protocol Audit For Radix Engine

4 minutes

By Malanii Oleh

Radix is a layer-1 network for Web3 and DeFi decentralized applications (dApps) and users. It seeks to create a scalable, secure-by-design, and composable DeFi platform through its Radix Engine application layer and its Cerberus consensus layer.

The Radix Engine has undergone a comprehensive security audit by Hacken, receiving the highest possible score of 10 out of 10. As a member of Hacken Partnership Network, Radix also enjoyed priority access to our leading L1/L2 Audit Team.

While the full report is available on our website, let’s explore this case in more detail.

Audit Objectives

The audit aimed to evaluate the Radix Engine’s security, code quality, documentation, and architectural integrity, ensuring it meets high standards for scalable DeFi development.

Radix Engine Overview

The core focus of the audit was the Radix Engine, the main execution component of the Radix layer-1 network. Built on WebAssembly Virtual Machine (WAVM), it offers a specialized environment for running dApps with a focus on DeFi use cases. Scrypto is an asset-oriented smart contract language to create dApps that execute within the Radix Engine. The engine uses well-defined finite state machines (FSMs) to control tokens and other assets, guaranteeing secure and predictable DeFi transactions.

In 2023, the engine’s WASM interface received a substantial update, providing a more refined low-level WASM API and improving its Scrypto function export signatures. This revision simplified Scrypto contract execution, aligning with the network’s objective of making DeFi dApp development more efficient and secure. The update also necessitated a third-party security review.

Methodology

Employing a comprehensive audit approach, Hacken’s premier L1/L2 Audit Team combined automated tools with manual testing to thoroughly assess the Radix Engine, ensuring a detailed and effective analysis. The audit scope covered a wide array of components and functionalities to guarantee the system’s security and efficiency:

  • Protocol Audit: In-depth examination of native blueprints, account and access controllers, resource management (including vaults, buckets, and proofs), package and transaction processors, consensus and validation mechanisms, and authentication practices. This comprehensive review included an analysis of attack scenarios such as permission escalation and auth bypass.
  • Costing and Limit Models: Review of costing and limits implementation to ensure resilience against attacks affecting liveness, finality, eclipse, and double-spending. This involved a detailed analysis of potential attack scenarios.
  • VM Engine: Evaluation of the VM implementation, including instruction sets and state transition mechanisms. The audit also reviewed common VM vulnerabilities and conducted attack scenario analyses focusing on gas, race conditions, stack, DoS, and state implosion risks.
  • Protocol and VM Tests: Extensive testing environment setup, including fuzz tests focused on resource invariants to identify vulnerabilities within the VM and protocol.

This meticulous methodology aimed to uncover and address potential vulnerabilities across the Radix Network, ensuring a secure and robust platform for DeFi applications.

The audit was conducted against the code state during development, prior to the mainnet release.

Audit Findings

A critical issue, namely a lack of 2nd resource address validation, was identified and fixed. Multiple instances within the resource blueprints allowed for interactions between two resources without confirming their identical type. A prime example was the put function in the fungible vault, which omitted a crucial check to ensure the Bucket’s resource type aligned with the vault’s. The Radix development team indicated the cause as a regression resulting from a refactor of the related code immediately before the audit began.

This oversight allowed for the possibility of depositing Buckets containing different token types into a vault designed for a specific token, leading to a potential unauthorized conversion of token types. For instance, a non-XRD token could have been wrongly inserted into an XRD vault, potentially enabling the unrestricted creation of new XRD tokens.

This vulnerability was marked with a critical severity level due to its implications for token integrity and system security. The recommendation was to implement strict validation checks during resource interactions to ensure the compatibility of resource types, alongside comprehensive logging and monitoring to detect and prevent such discrepancies.

There were also 2 low-severity issues, including an overflow in the compare_current_time function and a potential supply chain attack in Scrypto dependency management. All identified vulnerabilities were confirmed and fixed by the Radix team prior to their mainnet release. 

The full report is public and can be accessed at https://hacken.io/audits/radix/

Code and Architecture Quality

The Radix Engine audit report highlights exceptional code and architecture quality, each scoring a perfect 10 out of 10. The codebase is well-crafted, organized, and developer-friendly, featuring robust testing and adhering to best practices. The architecture is innovative, supporting an efficient and secure development environment, despite minor performance issues.

Follow @hackenclub on 𝕏 (Twitter)

Conclusion

The comprehensive audit of the Radix Engine by Hacken, which scored 10 out of 10, underscores the commitment to advancing blockchain technology safety and enhancing the security, code quality, and reliability of the Radix platform. This partnership between Hacken and Radix, marking Hacken as the first authority for Radix-based project audits, significantly boosts the Radix ecosystem’s security. This collaboration not only reinforces the robustness of dApps developed on Radix but also instills greater confidence among users and developers. It reflects Hacken’s deep expertise in Radix’s technology stack and its dedication to making Web3 safer, further advancing the industry and strengthening the partnership.

Subscribe
to our newsletter

Be the first to receive our latest company updates, Web3 security insights, and exclusive content curated for the blockchain enthusiast.в

Speaker Img

Table of contents

  • Audit Objectives
  • Methodology
  • Audit Findings
  • Conclusion

Tell us about your project

Follow Us

Read next:

More related
  • Blog image
    Decoded: KyberSwap Hack vs Extractor Prevention Mechanisms

    9 min read

    Case Studies

  • Blog image
  • Blog image
More related →

Trusted Web3 Security Partner