Mangrove core Security Audit

Summary

Even though the codebase is complex, we did not find any severe issues. The code quality is good and Mangrove provides good documentation for their project.

The general subjects covered are functional correctness, security and documentation. Security regarding all the aforementioned subjects is high.

In summary, we find that the codebase provides a high level of security.

It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don’t replace other vital measures to secure a project.

About Mangrove core

Mangrove Association (ADDMA) implements an order book-based exchange where makers can post offers that are essentially promises to trade a certain token pair for a specified amount.

Takers can take these offers. When a taker takes an offer, the maker’s smart contract is called and needs to fulfill the promise to exchange the tokens. If the maker does not meet their obligation, a pre-defined gas reimbursement will be given to the taker. Makers need to deposit the funds to reimburse takers when creating the offer.

The project allows participants full control over their funds up until they can really be exchanged, hence avoiding idle or stale funds waiting for order execution. This version implements a new internal data structure, using a tree of bitmaps in order to efficiently find the next-best offer in the order book.

“The Mangrove is an order book-based DEX that allows liquidity providers to post arbitrary smart contracts as offers. This new flexibility enables liquidity providers to post offers that are not fully provisioned. The Mangrove’s order book lists promises instead of locked commitments. Liquidity can be shared, borrowed, lent and, at the same time, be displayed in the Mangrove’s order book, ready to be sourced when, and only when, an offer is hit. The time of DeFi’s fragmentation in a myriad of pools is ending. In the Mangrove, liquidity reaches its ultimate potential. Value doesn’t have to be locked anymore.”

ChainSecurity has proved its ability to independently understand, thoroughly analyze, and help secure novel and complex smart contracts in a surprisingly short amount of time. We could not ask for a better auditing partner.
Adrien Husson, smart contract lead @ Mangrove