31Third

Off-Chain (Private)
Audited on 2023/03/27
No active critical issues

Summary

Quantstamp audited 31Third's batch trading smart contracts. 31Third is a platform that lets users swap several digital assets in a single transaction. Trades are executed on major decentralized exchanges through the 0x protocol, allowing 31Third to inherit some of the functionality and protections provided by 0x. All issues and design recommendations are discussed in the *Findings* section of this document. After that, recommendations about documentation and best practices are discussed. We strongly recommend addressing all the issues before deployment.

High-severity issues were found. QS-1 recommends redesigning how the protocol sanitizes and verifies the call data that users pass to it. Forwarding arbitrary call data to external protocols is always risky, since it increases the attack surface. Some possible exploits are discussed in this report. External exchanges are subject to changes and upgrades, so new vulnerabilities could appear in the future.

The documentation quality is medium. No public documentation was provided or was available on the 31Third webpage. We recommend adding detailed public documentation focusing on critical parts of the protocol, such as protocol fees, privileged accounts, external protocols used, and a list of the smart contract addresses.

Regarding testing, all tests pass, and the project implements code coverage metrics. However, the tests only cover `76.14%` of the main contract `BatchTrade`, and some of the issues found indicate that certain corner cases were not covered. We recommend improving the branch coverage to at least `95%`.

**Fix review:** The 31Third team provided a new commit containing fixes for the issues found. All the issues were addressed. The 31Third team decided to implement an external system that validates the trade data and signs it if it is correct. This system is out of the scope of this audit. The `BatchTrade` contract will only accept trades previously signed by this trusted external system. With this approach, the validation issues discussed in QS-1 and QS-2 are mitigated. While valid, this approach adds centralization and a potential single point of failure, as users will not be able to trade if the trusted signer system is unavailable. This external system should be audited by security experts, and 31Third should follow the latest security and key management guidelines to ensure the availability and integrity of this system. The test suite was improved and the project now shows good code coverage metrics: `96.79%` branch coverage. The 31Third team has developed a [public documentation website](https://docs.31third.com/) containing details about the smart contracts involved, the system architecture, and the 31Third custom API.
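The fix-review paragraph describes a gate in which the contract executes only trade data that a trusted off-chain system has signed. The following Solidity contract is an added illustration of that pattern; it is not 31Third's `BatchTrade` code and does not reproduce their signing scheme. It assumes a single trusted signer key, an `eth_sign`-style message prefix, and a per-user nonce plus deadline included in the signed digest so that a signed trade cannot be replayed, altered, or used after it has gone stale.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Added illustration (not 31Third's code): execute only trade data that
/// a trusted off-chain validator has signed. The signer address, the digest
/// layout and the nonce/deadline fields are assumptions for this example.
contract SignedTradeGate {
    address public immutable trustedSigner;    // single off-chain signer key
    mapping(address => uint256) public nonces; // per-user replay protection

    event TradeExecuted(address indexed user, uint256 nonce, bytes32 digest);

    constructor(address signer) {
        require(signer != address(0), "signer required");
        trustedSigner = signer;
    }

    /// The digest binds chain, contract, caller, target exchange, the exact
    /// call data, a nonce and a deadline; changing any field invalidates it.
    function tradeDigest(
        address user,
        address target,
        bytes calldata data,
        uint256 nonce,
        uint256 deadline
    ) public view returns (bytes32) {
        bytes32 inner = keccak256(
            abi.encode(block.chainid, address(this), user, target, keccak256(data), nonce, deadline)
        );
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", inner));
    }

    /// Reverts unless the trusted signer approved exactly this call.
    /// Note the availability trade-off: if the signer is offline, no
    /// valid signatures are produced and every trade reverts here.
    function executeSignedTrade(
        address target,
        bytes calldata data,
        uint256 deadline,
        bytes calldata signature
    ) external {
        require(block.timestamp <= deadline, "trade expired");
        uint256 nonce = nonces[msg.sender]++; // consume nonce before the external call
        bytes32 digest = tradeDigest(msg.sender, target, data, nonce, deadline);
        require(_recover(digest, signature) == trustedSigner, "not signed by trusted signer");

        (bool ok, ) = target.call(data); // only reached with validator-approved call data
        require(ok, "trade failed");
        emit TradeExecuted(msg.sender, nonce, digest);
    }

    /// Recover the signer from a 65-byte (r, s, v) signature, rejecting
    /// malleable high-s values and the zero address.
    function _recover(bytes32 digest, bytes calldata sig) internal pure returns (address) {
        require(sig.length == 65, "bad signature length");
        bytes32 r;
        bytes32 s;
        uint8 v;
        assembly {
            r := calldataload(sig.offset)
            s := calldataload(add(sig.offset, 32))
            v := byte(0, calldataload(add(sig.offset, 64)))
        }
        require(
            uint256(s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0,
            "malleable s"
        );
        if (v < 27) v += 27;
        require(v == 27 || v == 28, "bad v");
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0), "invalid signature");
        return signer;
    }
}
```

The design choice worth noting is that the signed digest covers the hash of the full call data and the target, not just a trade identifier, so the off-chain validator's approval applies to the exact bytes the contract will forward. The nonce is consumed before the external call is made, which also closes the obvious re-entrancy replay. As the fix review points out, the signer key is now the security anchor of the system, so its storage, rotation and monitoring deserve the same scrutiny as the contract itself.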


Issues (15)

|           | Low | Medium | High | Critical | Total |
|-----------|-----|--------|------|----------|-------|
| Not fixed | 6   | -      | -    | -        | 6     |
| Fixed     | 6   | 2      | 1    | -        | 9     |
| Total     | 12  | 2      | 1    | 0        | 15    |


Contracts (5)