
Mangrove Order Security Audit

Summary

Mangrove Order implements a peripheral contract for the Mangrove core system that allows users to submit good-till-cancelled orders and fill-or-kill orders.

The most critical subjects covered in our audit are functional correctness, absence of reentrancy possibilities, access control, handling of funds, and accounting. We uncovered several important bugs. Regarding functional correctness, the gas price for an updated order was calculated and submitted incorrectly. Regarding accounting, we found a vulnerability in order updates that could allow an attacker to steal funds from the Mangrove core system; its impact is limited, however, since an attacker is not expected to be able to extract a significant amount. Also concerning internal accounting, when an updated order required less provision than before, the excess provision was not refunded to the end user. All of the aforementioned issues were addressed in the second iteration.

The general subjects covered are code complexity, use of uncommon language features, unit testing, documentation, specification, gas efficiency, trustworthiness and error handling. Security regarding all the aforementioned subjects is high.

In summary, we find that the codebase provides a high level of security.

It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don’t replace other vital measures to secure a project.

About Mangrove Order

“The Mangrove is an order book-based DEX that allows liquidity providers to post arbitrary smart contracts as offers. This new flexibility enables liquidity providers to post offers that are not fully provisioned. The Mangrove’s order book lists promises instead of locked commitments. Liquidity can be shared, borrowed, lent and, at the same time, be displayed in the Mangrove’s order book, ready to be sourced when, and only when, an offer is hit. The time of DeFi’s fragmentation in a myriad of pools is ending. In the Mangrove, liquidity reaches its ultimate potential. Value doesn’t have to be locked anymore.”

Source

ChainSecurity has proved its ability to independently understand, thoroughly analyze, and help secure novel and complex smart contracts in a surprisingly short amount of time. We could not ask for a better auditing partner.
Adrien Husson, smart contract lead @ Mangrove