Summary
The most critical subjects covered in our audit are multi-chain state consistency, Hyperlane integration, and frontrun resistance.
The enforcement of the voting period was found to be functionally incorrect: users could still update their votes after the voting period had ended, incurring the risk of losing their rewards (Voting period in epochs can be bypassed by using poke()).
The usage of the Hyperlane bridging mechanism was found to be incorrect due to an insufficient gas quote amount; no message could therefore be dispatched. For details, please refer to this issue: RootMessageBridge.sendMessage() reverts if InterchainGasPaymaster is used.
Further, front running was found to be an issue during the deployment of the XERC20 contracts: deployXERC20WithLockbox() in XERC20Factory can be frontrun.
In the second version of the codebase, the mechanism enforcing the ordering of specific types of messages (DEPOSIT and WITHDRAW) was relaxed. This could leave the state of some contracts temporarily inconsistent, leading to accounting issues (Voting power can be temporarily artificially inflated). The issue has been addressed, but it should be noted that the system relies heavily on the assumption that messages from the root to the leaf will be processed within 1 hour.
In summary, we find that the codebase provides a high level of security.
It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don't replace other vital measures to secure a project.
About Velodrome Superchain Interoperability
Velodrome implements an expansion of the Velodrome AMM system to the Superchain. With this expansion, VELO rewards and incentives become available on chains beyond Optimism with the help of Hyperlane.
"Velodrome Finance is a next-generation AMM that combines the best of Curve, Convex and Uniswap, designed to serve as the liquidity hub for the Superchain."
With a tight schedule and an important release on the line, ChainSecurity exceeded our expectations, assembling multiple internal teams and delivering a thorough, accurate report that kept us on budget and on time. We couldn't be happier or more confident working with their team.
Velodrome Contributors