Datachain - App for Liquidity

Off-Chain (Public)
Audited on 2025/01/27
No active critical issues

Summary

The TOKI protocol is a blockchain system designed to facilitate cross-chain interactions, liquidity management, and decentralized finance (DeFi) operations. It enables the transfer of native assets between different blockchain networks via a bridging solution built upon the Inter-Blockchain Communication (IBC) protocol. The system incorporates liquidity pools, price oracles, and fee calculation mechanisms to support its DeFi activities. TOKI utilizes established libraries like OpenZeppelin for access control, upgrade patterns, and token standards, emphasizing security, upgradeability, and modularity in its design. This audit focuses on the core smart contracts of the TOKI protocol.

The TOKI protocol presents a complex architecture with inherent dependencies on external components, necessitating careful consideration of operational and security best practices. The audit identified a total of 20 findings: 2 high severity, 5 medium severity, 5 low severity, 1 undetermined severity, and 7 informational. Several areas of concern were identified during the audit. These include potential issues with the accuracy of fee calculations, particularly concerning the drift protocol fee and the handling of external payloads with unpredictable gas costs. The audit also highlighted issues related to the precision of balance checks and the potential for price oracle inconsistencies. Additionally, the current implementation of the retry mechanism and its interaction with packet ordering requires further scrutiny.

The TOKI team should prioritize a thorough review and remediation of the high and medium severity findings. It is recommended that the team focus on improving the accuracy and robustness of fee calculations, especially under conditions of price drift and when handling cross-chain transactions with external payloads. Further, the team should focus on enhancing the handling of edge cases in cross-chain operations, particularly concerning the retry mechanism, packet ordering, and error handling on the destination chain. The team should also consider strengthening input validation across the protocol, particularly for user-supplied data and addresses.

Furthermore, the audit highlighted the need for more comprehensive test coverage. The TOKI team should expand their test suite to include a wider range of scenarios, particularly focusing on edge cases, error conditions, and potential attack vectors identified in the report. This includes validating fee calculations under various conditions and simulating different failure scenarios in cross-chain transactions. Enhancing the test suite will improve the overall robustness and security of the protocol.

**Update**: The TOKI team has made significant progress, addressing many of the issues from the initial audit and demonstrating a strong commitment to improving the protocol. While many findings have been resolved, a few were acknowledged, and one was mitigated (DAT-3), indicating opportunities for further enhancement. The team has also made great improvements in testing, but continued efforts to further increase branch coverage, input validation, and refinements to mitigated/acknowledged issues will further strengthen the protocol's reliability and security.


Issues (20)

| | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 3 | 2 | - | - | 5 |
| Fixed | 10 | 3 | 2 | - | 15 |
| Total | 13 | 5 | 2 | 0 | 20 |


Contracts (47)