Omniscia AllianceBlock Audit

Messaging Protocol Security Audit

Audit Report Revisions

| Commit Hash | Date | Audit Report Hash |
|---|---|---|
| 3de8ced5e0 | January 11th 2024 | 79bab699d5 |
| 54fd570de2 | February 27th 2024 | e92092c924 |
| d7618eed4e | March 13th 2024 | cad70eaa31 |
| 98768eaf85 | March 18th 2024 | ca0b681da7 |
| 4f9f9a61e6 | April 24th 2024 | 6a882fd261 |
| e6f704512a | May 1st 2024 | be73ca631d |

Audit Overview

We were tasked with performing an audit of the AllianceBlock codebase and in particular their Messaging Protocol module.

Over the course of the audit, we identified a significant flaw in the way governance members are removed as well as a medium-severity flaw in the CCIP forwarder that could lead to loss of funds.

We advise the AllianceBlock team to closely evaluate all minor-and-above findings identified in the report and promptly remediate them, as well as to consider all optimization exhibits identified in the report.

Post-Audit Conclusion

The AllianceBlock team iterated through all findings within the report and provided us with a revised commit hash to evaluate all exhibits on.

We evaluated all alleviations performed by AllianceBlock and have identified that certain exhibits have not been adequately dealt with. We advise the AllianceBlock team to revisit the following exhibits: M2L-01M, GFT-03M

Additionally, the following informational findings remain unaddressed and should be revisited: GEL-01C

Post-Audit Conclusion (d7618eed4e)

The AllianceBlock team evaluated the aforementioned exhibits and provided follow-up alleviations for each one.

We validated that the remediations have been carried out properly and that all exhibits have been fully dealt with correctly.

Notably, we ensured that the ExcessivelySafeCall implementation ported to the codebase from the original nomad-xyz repository introduced no changes and is secure.

All outputs of the audit report have been properly consumed by the AllianceBlock team and no outstanding exhibits remain within the audit report.

Post-Audit Conclusion (98768eaf85)

The AllianceBlock team revisited the audit report and opted to apply remediations for exhibit UFT-01M.

Specifically, the LibDiamond was updated to properly track registered facets of the EIP-2535 Diamond and these entries are now utilized during the initialization process to ensure that the logic contract interacted with has been properly registered.

As such, we consider the aforementioned exhibit fully alleviated, rendering all exhibits within the audit fully alleviated.

Post-Audit Conclusion (4f9f9a61e6)

The AllianceBlock team introduced a new contract to the previous commit labelled MultiWithDefaultProviderSelector and requested a security review of it to be included within this audit report.

During our review, we observed an assignment that was improperly performed as a comparison as well as several optimizations and best practice recommendations within the contract.

The exhibits that detail those items are as follows: MWD-01S, MWD-01M, MWD-01C, MWD-02C

Post-Audit Conclusion (e6f704512a)

The AllianceBlock team evaluated the aforementioned exhibits and proceeded to alleviate each one per our recommendations.

We consider all exhibits properly alleviated in the latest commit hash supplied to us by the AllianceBlock team, thus concluding this follow-up audit engagement.

Audit Synopsis

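| Severity | Identified | Alleviated | Partially Alleviated | Acknowledged |
|---|---|---|---|---|
|  | 4 | 4 | 0 | 0 |
|  | 31 | 31 | 0 | 0 |
|  | 3 | 3 | 0 | 0 |
|  | 5 | 5 | 0 | 0 |
|  | 1 | 1 | 0 | 0 |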

During the audit, we filtered and validated a total of 3 findings utilizing static analysis tools and identified a total of 41 findings during the manual review of the codebase. We strongly recommend that any findings of minor severity or higher be dealt with promptly prior to the project's launch, as they can introduce potential misbehaviours of the system as well as exploits.

Total Alleviations

The list below covers each segment of the audit in depth and links to the respective chapter of the report: