Case Study: AuditOne’s Audit of Aurora Fast Bridge Smart Contracts

About Aurora

Aurora is a solution that enables the execution of Ethereum contracts on NEAR blockchain, a modern, fast, scalable, and carbon-neutral layer-1 blockchain that finalizes transactions in 2-3 seconds. Aurora is an Ethereum Virtual Machine (EVM) implemented as a smart contract on NEAR Protocol. They are working to expand the Ethereum ecosystem, enabling developers to run their apps on an Ethereum-compatible platform that is highly scalable, future-proof, and with low transaction costs for users. Aurora offers a development experience similar to Ethereum 1.0 but with faster speeds and greater scalability, similar to a layer-2 solution.

What type of smart contracts we have audited

AuditOne has a longstanding relationship with Aurora and has helped secure and provide ongoing security for many of their smart contracts. Having reviewed the NEAR plugins, which are implementations of common patterns used for NEAR smart contracts, we have focused on the Fast Bridge, a one-way semi-decentralized bridge created to speed up transfers from Near to Ethereum. 

Key Audit Information

Type: Bridge

Language: Rust

Ecosystem: NEAR and Ethereum networks

Methods: Manual Review

Repository: https://github.com/aurora-is-near/fast-bridge-protocol/

Website: https://aurora.dev/

Submission Date: 01-03-2023

Finishing Datee: 09-05-2023

Audit Report: https://www.auditone.io/audit-report/aurora

‍

The Fast Bridge is an innovative solution that expedites token transfers between the NEAR and Ethereum blockchains, significantly reducing transfer times from several hours to just minutes. A combination of specialized smart contracts and off-chain services work together to achieve this:

• NearFastBridge Contract (NEAR Side): This contract locks tokens and fees when a user initiates a transfer. It generates a FastBridgeTransferEvent containing details like nonce, validity period, transfer specifics, and fees.

• EthereumFastBridge Contract (Ethereum Side): This contract executes the transfer of tokens to the recipient on the Ethereum network and logs these events, ensuring transparency and traceability.

• LP-Relayer (Liquidity Provider Relayer): This entity operates off-chain and is responsible for processing transfers once it receives the FastBridgeTransferEvent. This entity executes the transfer on the Ethereum side and later offers evidence of the transaction to the NearFastBridge contract. Once the proof is verified, the entity receives the locked funds and fees.

Audit Process at AuditOne

AuditOne's audit process begins with a virtual kickoff meeting between the project and auditing teams, setting the stage for a collaborative and aligned approach. Following this, the lead auditor, chosen for their specific abilities and expertise, spearheads the process, ensuring that each audit is guided by top-notch knowledge. The codebase then undergoes automated audits, leveraging advanced technology to enhance efficiency and thoroughness. This is complemented by independent manual audits conducted by each of the auditors separately, allowing for diverse perspectives and in-depth scrutiny of the code.

The auditors report issues on a private GitHub, fostering a transparent and collaborative environment for issue tracking and resolution. They then meet to discuss their findings, combining their individual insights for a more comprehensive analysis. The lead auditor compiles these findings into a preliminary report, meticulously reviewed by the AuditOne team before being sent to the project. The project team addresses the raised concerns, with auditors confirming that the revisions have not introduced new issues. Finally, AuditOne examines the final report prepared by the lead auditor, ensuring its accuracy and completeness before delivering it. This multi-tiered process, characterized by its combination of collaborative discussions, independent analysis, and rigorous reviews, sets AuditOne apart, ensuring the audits are thorough and of higher quality than competitors.

Why was it important to audit those smart contracts?

Auditing the smart contracts of the Aurora Fast Bridge was an essential step in ensuring the security, functionality, and reliability of this critical infrastructure in the blockchain ecosystem. The audit has identified 17 issues that have been all resolved (fixed) and verified by AuditOne’s auditors.

‍

The discovery of four critical issues underscores the importance of this audit, as each of them could have a potentially severe impact on the Aurora platform.

‍

Block Reorganization and Double Spending (High Severity):

• Issue: Block reorganizations could invalidate confirmed transactions, leading to potential double-spending.
• Impact: If tokens are locked on one chain, and then that chain undergoes a block reorganization before tokens are unlocked, it could result in lost or double-spent tokens.

Race Condition and Double Spending (High Severity):

• Issue: A race condition could occur between the unlock time and proof verification, potentially leading to double spending.
• Impact: The sender could spend the same tokens again if tokens are released before transaction proof is fully verified.

Withdraw Function Exploit (High Severity):

• Issue: Users could repeatedly call the withdraw function before the callback function decreases their balance.
• Impact: This could allow attackers to withdraw more than their actual balance.

Malicious User Double Unlocking Funds (High Severity):

• Issue: A user could exploit the unlock function to double-unlock their funds.
• Impact: This could lead to unauthorized token withdrawals and loss of funds.

‍

These critical issues highlight the importance of conducting thorough audits of smart contracts, especially in systems that handle cross-chain transactions like the Fast Bridge. An audit ensures that vulnerabilities are identified and rectified before being exploited, thus protecting the system against potential security breaches. It also verifies the correct functionality of the contracts, ensuring that they operate as intended. This is crucial for maintaining user trust and encouraging adoption of the platform.

Risks prevented and improvement in security

By resolving the issues found, the audit prevented risks associated with double-spending, unauthorized withdrawals, transaction delays, and potential fund losses due to system inefficiencies or vulnerabilities. The improvements in validation, event processing, configuration management, and updates to outdated dependencies fortified the platform against potential security breaches and optimized its performance and reliability. Consequently, these actions bolstered user trust, safeguarded assets, and reinforced the overall stability and integrity of the Aurora Fast Bridge within the blockchain ecosystem.

Importance of AuditOne auditing process:

AuditOne's approach to auditing, particularly evident in the Aurora Fast Bridge audit, underscores the importance of utilizing a larger pool of auditors. The findings from this particular audit, as detailed in the table, clearly illustrate the value of having multiple auditors:

• Diversity in Issue Identification: Each auditor brought a unique perspective, leading to the identification of various issues. While Auditor 1 and Auditor 2 found fewer high-severity issues, Auditor 3 and Auditor 4 identified more, highlighting the importance of having more than the standard two auditors. This diversity ensures that a wider range of potential problems is scrutinized and addressed.
• Reduced Duplication and Enhanced Solutions: The model of employing multiple auditors leads to more duplicated issues and offers various fixing approaches. This is crucial for ensuring the most effective solutions are found and implemented.
• Peer Review's Role: The importance of peer review in AuditOne’s process cannot be overstated. It not only ensures that the best solutions are chosen for fixing the issues but also aids in educating both the auditors and the project developers. This collaborative review ensures that the final solutions are effective and the most suitable for the project's specific challenges.

Summary

AuditOne's audit process offers a comprehensive code analysis beyond security checks to ensure smooth operation and functionality alignment, resulting in robust and efficient code. The company's large pool of over 450 diverse auditors enables rapid team mobilization, reducing audit wait times compared to traditional firms. Using multiple experts ensures a thorough and efficient audit, covering a broader range of issues and delivering high-quality, peer-reviewed solutions.

‍