Hashport Round Security Audit

We were tasked with performing a round two audit on the cross-chain bridge implementation of LimeChain and in particular their new NFT bridge implementation containing an NFT wrapper implementation, a new token based fee system for the NFT transfers and an update across the codebase to properly track the NFT token payments for the governance committee.

Over the course of the audit, we did not identify any severe vulnerabilities and the codebase has now been developed with proper standards and complying to the latest security guidelines. We observed that recommendations from our previous round are now actively applied during the development phase thus greatly increasing the quality of the codebase.

We were able to pinpoint a single Diamond-standard related issue that we believe to be desired behaviour but we urge the LimeChain team to explicitly define within the code that it's desired. Additionally, a concern that can arise due to the access control around burning the wrapped NFT implementations has also been raised within the audit and needs to be addressed by the LimeChain team.

Overall, the codebase of Hashport is once again of very high quality and the documentation of the project is exemplary.

During the audit, we filtered and validated a total of 1 findings utilizing static analysis tools as well as identified a total of 6 findings during the manual review of the codebase. We strongly recommend that any minor severity or higher findings are dealt with promptly prior to the project's launch as they introduce potential misbehaviours of the system as well as exploits.

The list below covers each segment of the audit in depth and links to the respective chapter of the report:

• 💻 Compilation
• 🔍 Static Analysis
• 👁️ Manual Review
• 🖋️ Code Style