Omniscia LimeChain Audit

Hashport Round Security Audit

We were tasked with performing a round two audit of LimeChain's cross-chain bridge implementation, in particular their new NFT bridge implementation, which contains an NFT wrapper implementation, a new token-based fee system for NFT transfers, and an update across the codebase to properly track the NFT token payments for the governance committee.

Over the course of the audit, we did not identify any severe vulnerabilities, and the codebase has now been developed to proper standards and complies with the latest security guidelines. We observed that recommendations from our previous round are now actively applied during the development phase, thus greatly increasing the quality of the codebase.

We were able to pinpoint a single Diamond-standard-related issue that we believe to be desired behaviour, but we urge the LimeChain team to explicitly define within the code that it is desired. Additionally, a concern that can arise from the access control around burning the wrapped NFT implementations has also been raised within the audit and needs to be addressed by the LimeChain team.

Overall, the codebase of Hashport is once again of very high quality and the documentation of the project is exemplary.

| Files in Scope | Repository | Commit(s) |
| --- | --- | --- |
| DiamondCutFacet.sol (DCF) | hashport-contracts | 22c56946f7, 72ee60e280 |
| DiamondLoupeFacet.sol (DLF) | hashport-contracts | 22c56946f7, 72ee60e280 |
| ERC721PortalFacet.sol (ERC) | hashport-contracts | 22c56946f7, 72ee60e280 |
| FeeCalculatorFacet.sol (FCF) | hashport-contracts | 22c56946f7, 72ee60e280 |
| GovernanceFacet.sol (GFT) | hashport-contracts | 22c56946f7, 72ee60e280 |
| GovernanceV2Facet.sol (GVF) | hashport-contracts | 22c56946f7, 72ee60e280 |
| LibERC721.sol (LER) | hashport-contracts | 22c56946f7, 72ee60e280 |
| LibRouter.sol (LRR) | hashport-contracts | 22c56946f7, 72ee60e280 |
| LibDiamond.sol (LDD) | hashport-contracts | 22c56946f7, 72ee60e280 |
| LibPayment.sol (LPT) | hashport-contracts | 22c56946f7, 72ee60e280 |
| LibGovernance.sol (LGE) | hashport-contracts | 22c56946f7, 72ee60e280 |
| LibFeeCalculator.sol (LFC) | hashport-contracts | 22c56946f7, 72ee60e280 |
| OwnershipFacet.sol (OFT) | hashport-contracts | 22c56946f7, 72ee60e280 |
| PaymentFacet.sol (PFT) | hashport-contracts | 22c56946f7, 72ee60e280 |
| PausableFacet.sol (PFE) | hashport-contracts | 22c56946f7, 72ee60e280 |
| Router.sol (ROU) | hashport-contracts | 22c56946f7, 72ee60e280 |
| RouterFacet.sol (RFT) | hashport-contracts | 22c56946f7, 72ee60e280 |
| WrappedToken.sol (WTN) | hashport-contracts | 22c56946f7, 72ee60e280 |
| WrappedERC721.sol (WER) | hashport-contracts | 22c56946f7, 72ee60e280 |

During the audit, we filtered and validated a total of 1 finding utilizing static analysis tools and identified a total of 6 findings during the manual review of the codebase. We strongly recommend that any findings of minor severity or higher are dealt with promptly prior to the project's launch, as they introduce potential misbehaviours of the system as well as exploits.

The list below covers each segment of the audit in depth and links to the respective chapter of the report: