DESCRIPTION
Side Protocol serves as the extension layer of Bitcoin. At its core is Side Chain, the first high-performance, fully Bitcoin-compatible dPoS Layer 1 blockchain, designed to shape the future of Bitcoin finance. Side Chain supports bridging for native BTC and other Bitcoin assets, including runes.
The core contracts covered in this audit include Shuttler, FROST and Side Chain of Side Protocol. The iterative audit covers the code in the initial version, as well as subsequent versions to fix discovered issues, as detailed in our audit report. Please note that external dependencies are assumed reliable and are therefore excluded from the audit scope.
Our audit methodology employs automated vulnerability scans, manual verification, and business logic analysis to uncover potential security issues coupled with gas and code quality optimization recommendations.
In summary, we have found that the codebase contains several high-risk issues that require prompt attention. In addition, we have identified other non-critical issues as well as security suggestions that should be considered. The Side Protocol team has addressed these issues promptly. It is important to note that our audit covers only the final reported versions of the codebase. Any subsequent updates would require a re-evaluation.
KEY FINDINGS
In total, we find 8 potential issues in the smart contract. We also have 3 recommendations and 7 notes, as follows:
| ID | Severity | Description | Category | Status |
|---|---|---|---|---|
| 1 | Medium | Improper sender address validation in function received_dkg_response() |
Software Security | Fixed |
| 2 | Low | Potential invalid vault address submission to side chain due to failure to generate round 2 packages | Software Security | Fixed |
| 3 | Low | Lack of task existence check in function received_sign_message() |
Software Security | Confirmed |
| 4 | High | Insufficient check on block headers | Software Security | Fixed |
| 5 | High | Potential nonce reuse during signature generation process of Round 1 | Software Security | Fixed |
| 6 | Low | Lack of duplication checks for participants during DKG initiation | Software Security | Fixed |
| 7 | High | DoS due to inconsistent vault versions | Software Security | Fixed |
| 8 | Low | Lack of error handling logic in function scan_vault_txs() |
Software Security | Fixed |
| 9 | - | Lack of error handling logic in function submit_signature() |
Recommendation | Confirmed |
| 10 | - | Fix potential panics | Recommendation | Fixed |
| 11 | - | Remove unused code | Recommendation | Fixed |
| 12 | - | Potential centralization risk | Note | - |
| 13 | - | Trusted participants in the DKG process | Note | - |
| 14 | - | Frozen protocol fees | Note | - |
| 15 | - | Rune verification reliance on external mechanisms | Note | - |
| 16 | - | Potential DoS due to expired fee rate | Note | - |
| 17 | - | Potential DoS due to excessive unrelated commitments in Round 1 message | Note | - |
| 18 | - | Private keys and passwords are stored in plaintext format | Note | - |
More details are provided in the audit report.