Wrapped Bitcoin (WBTC) Security Audit

ChainSecurity has completed a security audit of the Wrapped Bitcoin project. To find out more about the scope of the audit and considered properties see the full report.

Download Audit Report

ChainSecurity has completed a security audit of the Wrapped Bitcoin project. To find out more about the scope of the audit and considered properties see the full report.

Summary

WBTC is an ERC20 token that represents Bitcoin as an (extended) ERC20 token on the Ethereum blockchain, where 1 BTC equals 1 WBTC token. The involved entities are at least one custodian (the current setup is tailored to exactly one) and multiple merchants. The whole system has in general two main tasks:

  1. Minting WBTC:
    If a matching amount of BTC is locked at a custodian’s account (on the Bitcoin blockchain), the corresponding amount of WBTC tokens is minted (released) to the merchant (on the Ethereum blockchain).
  2. Burning WBTC:
    When a merchant wants to convert his WBTC tokens back into BTC, he places a burn request (the specified amount of WBTC tokens are burned). If successful, the custodian sends the merchant the requested amount of BTC (on the Bitcoin blockchain).

To accomplish a Bitcoin-to-WBTC swap and back, a merchant sends BTC to a custodian. The custodian confirms that this merchant has deposited a certain amount of BTC on the Bitcoin blockchain. A matching amount of WBTC is then minted by a custodian and can be used by the merchant. Accordingly, if a merchant wants to swap back the WBTC to BTC, the merchant files a request to burn the WBTC. The custodian transfers the BTC back to the merchant, if the burning of the WBTC was successful.

Overall, the smart contracts request and record the transaction details on the Ethereum blockchain. Actual transactions of BTC are happening on the Bitcoin blockchain. Other tasks include managing (adding/removing) merchants and custodians.

Our audit investigated the code implementation issues arising from the management of merchants and custodians, as well as from the minting, transferring, and burning of the WBTC token on the Ethereum blockchain.

Overall, the ChainSecurity team found that Wrapped Bitcoin is a very well-coded smart contract with clean documentation. During the audit, we detected two security issues concerning (1) the pausing of the minting/burning process (2) and a possible hash collision. The hash collision was possible due to using abi.encodePacked() instead of abi.encode(). Chainsecurity also highlighted relevant trust assumptions arising from the overall system setup. WBTC addressed, acknowledged or fixed the raised issues. Therefore, ChainSecurity sees no remaining security issues in the current version.

About Wrapped Bitcoin (WBTC)

WBTC (Wrapped Bitcoin) will launch as a fully backed Bitcoin ERC20 token on Ethereum in January 2019. The initiative will bridge Bitcoin liquidity and the decentralized ecosystem on Ethereum, enhancing all decentralized applications. WBTC will allow the Ethereum network to be leveraged to enable new applications and use cases for Bitcoin.
WBTC is a community focused initiative and is the culmination of a long-standing joint effort relationship between BitGo, Kyber Network, and Republic Protocol. Prominent decentralized exchanges and financial projects, including MakerDAO, Dharma, Airswap, IDEX, Compound, DDEX, Hydro Protocol, Set Protocol, Prycto, RadarRelay, Blockfolio and Gnosis have all committed to support the adoption of WBTC and will participate as launch members.

For more information please visit www.wbtc.network