Subsquid Smart Contract Audit by ChainSecurity

Subsquid Smart Contracts

Security Audit

Summary

The most critical subjects covered in our audit are the safety of the funds, the reward accumulation and distribution mechanism, the calculation of the computation units (CUs), and the vesting mechanism. The security of the funds is high, as we were not able to uncover ways to steal users’ funds. Reward distribution could be unfair if a staker front-runs reward distribution (see “Recent stakers get unfair yield”). It could also be blocked if the number of workers grows a lot (see “Reward distribution can run out of gas”). The CU calculation could be improved, as there are cases where CUs are double-counted (see “Computation units are not split between an operator’s gateways”). The vesting could break if the user claims their rewards through the vesting contract. All the issues have been addressed.

The general subjects covered include, but are not limited to, access control, rounding errors, the rollup (ArbitrumOne) where the contracts are to be deployed, documentation, and specification. The security regarding access control and rounding errors is high. Even though a lot of documentation exists for the protocol itself, the interface of the on-chain part to the rest of the system is underspecified. Therefore, we had to make assumptions about how the system will be implemented, e.g., what events are going to be observed. Hence, there could be more issues in this area that were not anticipated by the auditing team. Testing could also be improved, as we uncovered a few issues that could easily have been detected this way.

In summary, we find that the security of the codebase is satisfactory, but there is room for improvement.

It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don’t replace other vital measures to secure a project.

About Subsquid Smart Contracts

Subsquid implements the on-chain part of the Subsquid protocol. The parties in the system can stake their $SQD tokens in exchange for rewards, in the case of workers and stakers, or for computation units (CUs), in the case of gateway operators.

“A peer-to-peer network to batch query and aggregate terabytes of on-chain and off-chain data in a ridiculously efficient way”

Source: https://subsquid.io/