DESCRIPTION
The target of this audit is the code repository of swap-router-v1 of Rabby Wallet. The protocol is a decentralized exchange (DEX) router that facilitates efficient token swaps by integrating multiple aggregators through a flexible adapter pattern, while ensuring robust fee management. Its core component, the DEX Aggregator, is a smart contract system that optimizes trades by splitting orders across various DEXs to secure better prices and minimize slippage for users.
Please refer to the report for the detailed audit scope.
Our audit methodology employs automated vulnerability scans, manual verification, and business logic analysis to uncover potential security issues coupled with gas and code quality optimization recommendations.
In summary, we did not find any critical issues within the audited codebase. However, we have identified some non-critical issues that should be addressed. Additionally, we have put forth recommendations to further strengthen the code logic, along with notes that should be taken into consideration. It is important to note that the scope of our audit was strictly limited to the specific code versions mentioned in the report. Any updates made subsequent to our review would require a re-evaluation.
KEY FINDINGS
In total, we find 5 potential issues in the smart contract. We also have 8 recommendations and 5 notes, as follows:
| ID | Severity | Description | Status |
|---|---|---|---|
| 1 | Medium | Improper pause() mechanism causes the contract to be permanently paused |
Confirmed |
| 2 | Medium | Fee mechanism can be circumvented | Confirmed |
| 3 | Medium | Pause and unpause conflict between different admins | Fixed |
| 4 | Low | Fee deduction after slippage check may reduce actual user received amount | Fixed |
| 5 | Low | Lack of refund mechanism in the contract Executor |
Fixed |
| 6 | - | Inconsistent check | Confirmed |
| 7 | - | Non zero address checks | Confirmed |
| 8 | - | Ensure proper checks on parameter _admins |
Confirmed |
| 9 | - | Check the existence of the adapter before adding it | Fixed |
| 10 | - | Spelling and comment errors | Fixed |
| 11 | - | Redundant code | Fixed |
| 12 | - | Add allowance revocation logic after swap operation | Fixed |
| 13 | - | Replace the function transfer() with the function call() |
Fixed |
| 14 | - | Security consideration for delegatecallbased executor architecture | - |
| 15 | - | Security audit assumptions on trusted executors | - |
| 16 | - | Potential centralization risks | - |
| 17 | - | Weird ERC20 tokens | - |
| 18 | - | External pool/router without refund mechanism may cause unnecessary slippage | - |
More details are provided in the audit report.