The main objective was to verify the security of the smart contracts and to identify threats arising at the boundary where they integrate with Web2 components.

Basic information

Project type: Cross-chain gas acquisition

Service: Smart contract security review.

Results: We helped identify 5 issues and detected a backend problem that was draining RPC credits.

About the Gasbot V2

The Gasbot V2 project solves the problem of obtaining the native currency of a blockchain in order to pay for transactions on it. Its main functionality is to buy the native currency of the destination chain with a selected stablecoin on the source chain. Both transactions are executed by the Gasbot relayer.

In version 2, Gasbot adds the ability to pay not only with a stablecoin, but also with the native currency of the source chain.

0xDjango, an experienced security researcher (ranked #40 on Immunefi) and the founder of Gasbot, was looking for multiple independent audits of the new Gasbot V2 implementation. He wanted to make sure that nothing had been missed during the internal security review.

Gasbot V2 website

Visit website: https://www.gasbot.xyz/

About the service scope

The subjects of the test were selected contracts from the Gasbot.xyz repository.

GitHub repository: https://github.com/GasBot-xyz/gasbot_audit/

CommitID: efb5e1d3735f24c7fadb17d59247a262e2647c7b

Files in scope

Identified threats

As before every smart contract audit, we performed thorough threat modeling. The results are shared with the client for joint analysis.

Key assets that require protection:

  • Users' funds
  • Funds intended for maintaining liquidity
  • RPC credits
  • Availability of the service

A few examples of threat scenarios that could put the identified key assets at risk or compromise them:

  • Indefinite transfer retries by the Gasbot relayer.
  • No way for the user to withdraw their tokens when the native currency is not received on the destination chain.
  • Unrestricted selection of unrecognized destination chains.
  • Lack of defined and enforced rules for adding new homeTokens to the system.
  • Manipulation of the parameters in the transaction sent by the relayer.

More can be found in the report.

Smart contract audit results

Three of the identified threats turned out to be present in the project. The smart contract audit detected vulnerabilities related to excessively powerful roles, loss of Gasbot liquidity via chain reorgs, and an unprotected receive function.
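To make the findings above concrete, here is a hypothetical Solidity illustration written for this page; it is not Gasbot's code, and the contract names, the three roles (admin, relayer, treasury) and the one-day refund delay are assumptions. The first contract shows the patterns behind an unprotected receive function and an excessively powerful role, plus two threat scenarios from the list above (unrecognized destination chains, no user withdrawal when gas is never delivered); the second shows the controls that address them.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical illustration only; not Gasbot's contracts. A relayer-funded gas
// pool in two versions: one with the weak patterns, one with the controls.

// ---- Before: one all-powerful role, open receive(), unchecked destination ----
contract GasPoolUnprotected {
    address public owner;
    mapping(uint256 => bool) public chainEnabled;   // set but never enforced

    event GasRequested(address indexed buyer, uint256 destChain, address recipient, uint256 amount);

    constructor() { owner = msg.sender; }

    // Accepts native currency from anyone with no record of who sent it, so a
    // mistaken transfer is absorbed into liquidity and cannot be returned.
    receive() external payable {}

    // Any destChain is accepted, including ones the relayer cannot serve.
    function buyGas(uint256 destChain, address recipient) external payable {
        emit GasRequested(msg.sender, destChain, recipient, msg.value);
    }

    // The same key that configures the system can also drain every wei.
    function sweep(address payable to) external {
        require(msg.sender == owner, "not owner");
        to.transfer(address(this).balance);
    }
}

// ---- After: separated roles, gated receive(), allowlisted chains, refunds ----
contract GasPoolHardened {
    uint256 public constant REFUND_DELAY = 1 days;  // assumed timeout for undelivered gas

    address public immutable admin;     // configures chains and funders, nothing else
    address public immutable relayer;   // confirms delivery on the destination chain
    address public immutable treasury;  // the only address that may withdraw liquidity

    mapping(address => bool) public isFunder;
    mapping(uint256 => bool) public chainEnabled;

    struct Request { address buyer; uint256 amount; uint64 createdAt; bool closed; }
    Request[] public requests;
    uint256 public escrowed;            // user payments not yet settled or refunded

    event Funded(address indexed from, uint256 amount);
    event GasRequested(uint256 indexed id, address indexed buyer, uint256 indexed destChain, address recipient, uint256 amount);
    event Settled(uint256 indexed id);
    event Refunded(uint256 indexed id, uint256 amount);

    modifier only(address who) { require(msg.sender == who, "unauthorized"); _; }

    constructor(address _admin, address _relayer, address _treasury) {
        admin = _admin; relayer = _relayer; treasury = _treasury;
    }

    // Liquidity top-ups only from registered funders; stray transfers revert.
    receive() external payable {
        require(isFunder[msg.sender], "unexpected native transfer");
        emit Funded(msg.sender, msg.value);
    }

    function setFunder(address who, bool allowed) external only(admin) { isFunder[who] = allowed; }
    function setChain(uint256 chainId, bool enabled) external only(admin) { chainEnabled[chainId] = enabled; }

    // Payment is escrowed per request so it can be refunded if delivery never happens.
    function buyGas(uint256 destChain, address recipient) external payable returns (uint256 id) {
        require(chainEnabled[destChain], "unknown destination chain");
        require(msg.value > 0, "no payment");
        id = requests.length;
        requests.push(Request(msg.sender, msg.value, uint64(block.timestamp), false));
        escrowed += msg.value;
        emit GasRequested(id, msg.sender, destChain, recipient, msg.value);
    }

    // Relayer confirms delivery and the escrowed payment becomes pool liquidity.
    // The relayer should call this only once the delivery transaction is final
    // on the destination chain, so a reorg cannot leave the pool out of pocket.
    function settle(uint256 id) external only(relayer) {
        Request storage r = requests[id];
        require(!r.closed, "closed");
        r.closed = true;
        escrowed -= r.amount;
        emit Settled(id);
    }

    // User reclaims the payment when no delivery was confirmed within REFUND_DELAY.
    function claimRefund(uint256 id) external {
        Request storage r = requests[id];
        require(msg.sender == r.buyer, "not buyer");
        require(!r.closed, "closed");
        require(block.timestamp >= r.createdAt + REFUND_DELAY, "too early");
        r.closed = true;                 // effects before the external call
        escrowed -= r.amount;
        (bool ok, ) = r.buyer.call{value: r.amount}("");
        require(ok, "refund failed");
        emit Refunded(id, r.amount);
    }

    // Treasury may withdraw liquidity only; escrowed user funds stay untouchable.
    function withdrawLiquidity(uint256 amount) external only(treasury) {
        require(amount <= address(this).balance - escrowed, "exceeds liquidity");
        (bool ok, ) = treasury.call{value: amount}("");
        require(ok, "withdraw failed");
    }
}
```

The point of the hardened version is that no single key can both change configuration and move funds, every unit of native currency entering the contract is attributable to a funder or a request, and a user whose gas is never delivered always has a path to get their payment back without relying on the operator.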

Audit results

Additionally, a vulnerability found outside the scope of the service was reported and has since been fixed.

Client rating


Want to increase the security of your project?

Let's talk. Share details about your current security strategy and measures, and we will provide professional advice on potential enhancements and additional actions that could strengthen your security framework.

Composable Security 🛡️⛓️ is a small team with a holistic approach that goes beyond the code. A combination of expertise in Solidity smart contract security and experience gained through 6+ years of securing global fintechs and Polish banks helps us take comprehensive care of DApp security. Learn more about us. Creators of the Smart Contract Security Verification Standard and the first Security Guide for DApp CTOs, Lead Developers, and Security Enthusiasts.

Paweł Kuryłowicz


Managing Partner & Smart Contract Security Auditor

About the author

Co-author of SCSVS and white hat. Working professionally in security since 2017 and contributing to the crypto space since 2019. Big DeFi fan and smart contract security researcher.
