FT4 is a library designed for the Chromia ecosystem. The audit covered the Rell backend, where blockchain operations are performed, and the TypeScript client library used to call the Rell backend.

The library implements account management, authorization, and asset management. Accounts can be created under various payment models. An account's permissions are delegated to auth descriptors, and each auth descriptor may have one or more authorized signers. Operations can be restricted to certain types of auth descriptors. The library also defines the token standard for Chromia, as well as an implementation for facilitating cross-chain transfers (in Chromia, each dapp has its own chain that is anchored to the root chain).

A few issues were uncovered during the audit. It is possible for the main auth descriptor to be missing required flags (CHRM-1). It is also possible for a multi-sig to be configured to require no signers (CHRM-2). Other minor issues were uncovered, though it is difficult to assess their full impact given that the library's usage will vary for each dapp. On the client side, no major issues were uncovered.

The codebase could benefit from inline documentation, though overall we found the project documentation to be thorough and the Chromia team to be very helpful over the course of the audit. The test suite was extensive as well.

**Fix-Review Update:** The Chromia team has fixed or adequately acknowledged all of the findings in the report.
| | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 2 | - | - | - | 2 |
| Fixed | 6 | 2 | - | - | 8 |
| Total | 8 | 2 | 0 | 0 | 10 |