Oku Trade Security Review

Audited on: May 17, 2023 - May 31, 2023

DeFi

Uniswap V3

Chainlink

Driven by a $1.6m grant from the Uniswap Foundation, GFX Labs built Oku to directly bring the most advanced trading experience to Uniswap v3 markets across most EVM-compatible chains. GFX Labs leveraged Cyfrin's security experts and in-depth Oracles experience to strengthen the safety and scalability of their protocol.

Summary

TVL: 1.9B
nSLOC: 724
Bugs found: 21

"It was a pleasure to work with the Cyfrin team. Their approach to security and meticulous testing is exceptionally thorough. Additionally, their intimate knowledge of the Chainlink protocol made them particularly useful for our audit."

Getty Hill, Oku Trade Founder

Overview

Driven by a $1.6m grant from the Uniswap Foundation, the GFX Labs team built Oku to directly bring the most advanced trading experience to Uniswap v3 markets across Ethereum, Polygon, Arbitrum, and Optimism.


Through a UI familiar to centralized exchanges, Oku leverages the properties of single-sided Uniswap v3 liquidity positions with hyper-reliable Chainlink Automation infrastructure to offer on-chain limit orders. These orders then allow users to apply specific conditions to trading pools for enhanced control over their trading strategies.


Cyfrin recently conducted a comprehensive security review of Oku Trade by GFX Labs over three weeks. Despite Oku being previously audited in a comprehensive security review by another top-notch blockchain security company, our team at Cyfrin was able to raise many additional findings.


Lead auditors Giovanni Di Siena and Hans and assisting auditor Alex Roan prepared the final audit report, uncovering a total of 21 issues, including six medium-risk and five low-risk.



Here you can read the full Oku Trade security report.


Findings

Medium Severity: 6
Low Severity: 5
Other: 10

High-level Protocol Breakdown

The Cyfrin team reviewed all protocol features and entry points, including storage mappings and other data structures, user-facing functions, and external protocol dependencies.


Variables of the OrderStatus enum type were particularly interesting, since they were heavily used to trigger state changes based on the current Uniswap v3 pool tick. One scenario identified involved circumventing the OrderStatus validation to modify orders while in a state in which this should not be possible.


Our most relevant findings were concerned with the implementation of the order book as a doubly linked list of BatchOrders with lower/upper ticks for a given target tick price, separated by one tick space.


However, limit orders go in both directions, so additional validation is also required on the direction of orders. Getting this validation wrong can result in registering the deposit of one asset as the other, which could allow an attacker to own an outsized proportion of the deposits for a given position.


This particular issue was fixed in an earlier commit, but we found that this order book implementation still gave rise to issues when creating and canceling orders under certain conditions.
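The two checks the breakdown above turns on, order direction against the target tick and an OrderStatus guard on every later modification, can be modelled independently of any real contract. The following is an added illustrative model written for this page, not Oku's or GFX Labs' code: the tick spacing of 60, the one-tick-space range layout, and the names `BatchOrder`, `OrderBook`, `direction_is_valid` and `can_modify` are all constructed here, and the order book is kept as a doubly linked list of batches sorted by lower tick.

```python
"""Constructed model of a tick-indexed limit order book; illustrative only, not Oku's code.
Shows the two checks discussed above: order direction vs. target tick, and OrderStatus."""
from dataclasses import dataclass, field
from enum import Enum

TICK_SPACING = 60  # assumed pool tick spacing (constructed value)


class OrderStatus(Enum):
    OPEN = "open"
    FILLED = "filled"
    CANCELLED = "cancelled"


@dataclass(eq=False)
class BatchOrder:
    lower_tick: int
    upper_tick: int
    zero_for_one: bool  # True: deposit token0 to receive token1; False: the reverse
    status: OrderStatus = OrderStatus.OPEN
    deposits: dict = field(default_factory=dict)  # user -> amount of the deposited token
    prev: "BatchOrder | None" = None
    next: "BatchOrder | None" = None


def direction_is_valid(target_tick, current_tick, zero_for_one):
    """Uniswap v3: a range wholly above the current tick holds only token0, one wholly
    below holds only token1.  So selling token0 needs a target above the current price,
    and vice versa; without this check a deposit can be booked under the wrong asset."""
    if target_tick == current_tick or target_tick % TICK_SPACING:
        return False
    return zero_for_one == (target_tick > current_tick)


def can_modify(batch):
    # Status guard: only OPEN batches accept deposits or cancellations.
    return batch.status is OrderStatus.OPEN


class OrderBook:
    """Doubly linked list of BatchOrders kept sorted by lower tick."""

    def __init__(self):
        self.head = None

    def nodes(self):
        node = self.head
        while node:
            yield node
            node = node.next

    def _insert_sorted(self, batch):
        prev = None
        for node in self.nodes():
            if node.lower_tick > batch.lower_tick:
                break
            prev = node
        batch.prev, batch.next = prev, (prev.next if prev else self.head)
        if batch.next:
            batch.next.prev = batch
        if prev:
            prev.next = batch
        else:
            self.head = batch
        return batch

    def _unlink(self, batch):
        if batch.prev:
            batch.prev.next = batch.next
        else:
            self.head = batch.next
        if batch.next:
            batch.next.prev = batch.prev
        batch.prev = batch.next = None

    def place(self, user, target_tick, zero_for_one, amount, current_tick):
        if not direction_is_valid(target_tick, current_tick, zero_for_one):
            raise ValueError("order direction does not match target tick")
        # Assumed layout: a one-tick-space range on the far side of the target.
        lower, upper = ((target_tick, target_tick + TICK_SPACING) if zero_for_one
                        else (target_tick - TICK_SPACING, target_tick))
        batch = next((n for n in self.nodes() if can_modify(n) and
                      (n.lower_tick, n.upper_tick, n.zero_for_one) == (lower, upper, zero_for_one)), None)
        if batch is None:
            batch = self._insert_sorted(BatchOrder(lower, upper, zero_for_one))
        batch.deposits[user] = batch.deposits.get(user, 0) + amount
        return batch

    def cancel(self, user, batch):
        if not can_modify(batch):
            raise ValueError(f"batch is {batch.status.value}, not open")
        refund = batch.deposits.pop(user)  # KeyError if user has no deposit here
        if not batch.deposits:
            batch.status = OrderStatus.CANCELLED
            self._unlink(batch)
        return refund

    def mark_filled(self, current_tick):
        # A batch is filled once the price has crossed its whole range.
        filled = [n for n in self.nodes() if can_modify(n) and
                  (current_tick >= n.upper_tick if n.zero_for_one else current_tick <= n.lower_tick)]
        for n in filled:
            n.status = OrderStatus.FILLED
        return filled
```

The point of the model is where the checks sit: `direction_is_valid` runs before a batch is chosen, so a deposit can only ever be recorded under the token that a single-sided position on that side of the price can actually hold, and `can_modify` is consulted both when looking up a batch to join and before any cancellation, so a filled or cancelled batch cannot be reopened or refunded a second time.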

Why is Cyfrin the best choice for this audit?

With two of Cyfrin’s co-founders coming from the Chainlink ecosystem, Cyfrin was perfectly positioned for a thorough review of the Oku protocol - which leverages Chainlink automation functions to perform trades.


Our auditors’ deep knowledge of Chainlink meant we could jump quickly into the codebase, be better aware of its potential and limitations, ask more thoughtful questions, and look at edge cases we would not likely have considered otherwise.


The team performed architecture analysis and diagrams, invariant tests, pattern mapping, entry point stress testing, stateful fuzzing, and a manual review process.

Our Auditing Process

At Cyfrin, our audit process is both meticulous and customer-centric. It begins with individual manual reviews of the codebase by each team member. We then examine previous audit reports to identify potential weak areas. This is complemented by an initial ramp-up period for auditors to familiarize themselves with the codebase, followed by continuous internal calls with the client's team throughout the audit timeframe.


We use static analysis tools like Cyfrin Aderyn and Slither to identify minimal findings, and Cyfrin Solodit, our vulnerabilities aggregator, for in-depth research into similar bugs in the field. Techniques like invariant testing and stateful fuzzing also come into play to support the primary manual audit process.


Communication is key in our process; we establish separate internal communication channels at the start of each audit and maintain a separate per-audit GitHub project board for more formal tracking of ideas and findings. Our commitment to our customers and open, ongoing communication is at the core of what we do at Cyfrin.


“At Cyfrin, we aim to be more than the sum of our parts; so each auditor individually follows their process to begin with, and then we come together within the team to exponentiate our findings and creative thought processes. We diverge and converge.” ~ Giovanni Di Siena, Lead Auditor


Security Researchers: 3
Lead Researchers: 3
Days: 14

Conclusion

Incubating security at every part of the developer’s journey, Cyfrin performed an in-depth review of the Oku protocol, leveraging its Chainlink expertise. Through reviewing Oku, our auditor team also became proficient in the underlying Uniswap v3 contracts the protocol leverages and gained deeper expertise in batch operations and trades. In this process, we learned about the importance of invariant tests and competitive audits to follow in ensuring the protocol’s full safety.
