DESCRIPTION
The target of this audit is the code repository of bgw-swap-aggregator-evm of Bitget. BWAggregator is a DEX aggregator that enables swaps across Uniswap and its fork protocols through specialized router and handler actions. The platform supports ERC20-to-ERC20, ETH-to-ERC20, and ERC20-to-ETH swaps through a meta-transaction architecture. Users can specify complex action sequences for the aggregator to execute atomically on their behalf, typically involving multiple swaps across different protocols. The system employs a threephase execution method with fund tracking. Fee collection comprises two components: a fixed deduction amount and a proportional fee amount.
Please refer to the report for the detailed audit scope.
Our audit methodology employs automated vulnerability scans, manual verification, and business logic analysis to uncover potential security issues coupled with gas and code quality optimization recommendations.
In summary, we have found that the codebase contains 2 high-risk issues that require prompt attention. In addition, we have identified other non-critical issues as well as security suggestions that should be considered. The bgw-swap-aggregator-evm team has addressed these issues promptly. It is important to note that our audit covers only the final reported versions of the codebase. Any subsequent updates would require a re-evaluation.
KEY FINDINGS
In total, we find 6 potential issues in the smart contract. We also have 4 recommendations and 8 notes, as follows:
| ID | Severity | Description | Status |
|---|---|---|---|
| 1 | High | Incorrect pool verification in V3Handlers’ swap callbacks | Fixed |
| 2 | High | Potential DoS risk in the function managePoolManager() |
Fixed |
| 3 | Medium | Lack of access control in the function h and leFeeWithSign() |
Confirmed |
| 4 | Low | Potential DoS due to precision loss on feeAmount |
Confirmed |
| 5 | Low | Ineffective gas optimization mechanism | Fixed |
| 6 | Low | Duplicate deduction logic in contract BWAggPancakeV3Handler |
Fixed |
| 7 | - | Add address check during wrapping Ether |
Fixed |
| 8 | - | Implement _pool address validation for Uniswap V2 pools |
Confirmed |
| 9 | - | Avoid unused return variable | Fixed |
| 10 | - | Add explicit failure notification in the function removeCallBack() |
Fixed |
| 11 | - | Ensure proper management of unspent ERC20 tokens | - |
| 12 | - | Fee logic is controllable via parameters | - |
| 13 | - | Potential risks for future integration | - |
| 14 | - | Potential centralization risks | - |
| 15 | - | Ensure the correctness of inputs in the backend | - |
| 16 | - | Weird ERC20 Tokens | - |
| 17 | - | Gas optimization retains 1 wei of tokens | - |
| 18 | - | Router asset balance assumptions | - |
More details are provided in the audit report.