**Final Report (2025-01-06):** Quantstamp has reviewed additional responses by the Native team, including an updated commit hash `9430af6`. The team has Fixed another issue, NATv2-1, which was previously Acknowledged with a fix incoming. As of now, the great majority of the issues identified in the Initial Report are Fixed, Mitigated, or Acknowledged with fixes/mitigations actively planned.

**Updated Report 2 (2025-01-03):** Quantstamp has reviewed additional responses by the Native team, including an updated commit hash `5a3b5b2`. The team has Fixed and Mitigated several issues on top of what was done in Updated Report 1, including a few Auditor Suggestions. As of now, the great majority of the issues identified in the Initial Report are Fixed, Mitigated, or Acknowledged with fixes/mitigations actively planned.

**Updated Report 1 (2025-01-01):** Quantstamp has reviewed the responses by the Native team, including an updated commit hash `8e053f14`. The team Fixed or Mitigated 5 issues and Acknowledged most other issues with concrete plans to improve the protocol's overall security (1 High severity issue was removed after it was identified as a False Positive). The Acknowledged issues mostly concern the off-chain signing component and the management of privileged addresses, both of which would require a separate audit. To this end, the Native team plans to take the following actions to strengthen the overall security of the protocol: (1) consult a security expert regarding the off-chain component, (2) conduct additional rounds of audit that include the off-chain component, (3) ensure that no single point of failure exists between the off-chain validation and on-chain settlement procedures, and (4) consider adding a hard limit on token transfers out of the protocol to limit the damage from a potential exploit.

**Initial Report (2024-12-20):** Quantstamp conducted a 3-day security review of the Native v2 smart contracts. This was not a full audit of the protocol but a time-boxed effort to perform quick security checks and review the most critical paths. Our approach focused initially on the high-level architecture, then delved into the critical paths after understanding the most important flows. We primarily concentrated on the critical functions of the following contracts: `CreditVault.sol`, `LPToken.sol`, `NativeRFQPool.sol`, and `NativeRouter.sol`. The team has simplified the architecture, added new features, and rewritten part of the existing features from Native v1. It should be noted that centralized off-chain components play critical roles. For the purpose of this security review, we have assumed that the off-chain components will format data correctly, but we have not assumed data integrity or validity. Despite the time-boxed nature of the review, the auditors identified 19 issues, with 4 High severity and 6 Medium severity issues that can potentially impact protocol funds, user funds, general usability, and code correctness. In addition, two issues identified in the previous Quantstamp security review are still present and are included in this report (NATv2-7 has been escalated to Medium severity, and NATv2-18 remains at Low severity). It is likely that with additional time and auditor effort, more High or Medium severity issues would be identified. Nevertheless, the repository provided still appears to be in development, and there are ample opportunities to address each of the identified issues and improve the overall security. Quantstamp strongly recommends addressing the issues identified in this report and arranging for a full audit before deploying these smart contracts in production.
| Status | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 8 | 3 | 1 | - | 12 |
| Fixed | 1 | 3 | 2 | - | 6 |
| Total | 9 | 6 | 3 | 0 | 18 |
| # | File Name |
|---|---|
| 1 | src/libraries/TStorage.sol |
| 2 | src/NativeRouter.sol |
| 3 | src/libraries/ConstantsLib.sol |
| 4 | src/NativeRFQPool.sol |
| 5 | src/libraries/ReentrancyGuardTransient.sol |
| 6 | src/LPToken.sol |
| 7 | src/CreditVault.sol |
| 8 | src/libraries/ErrorsLib.sol |