We were tasked with performing an audit of the BlazeSwap codebase and in particular their specialized Uniswap-V2 based DEX implementation using an upgrade-able approach and integrating with the FTSO reward mechanism of the Flare Network.
Over the course of the audit, we identified certain flaws in relation to the way historical balances are tracked and utilized which may render them prone to flash-loan attacks as well as an issue with the exchange pair mechanism containing an incorrectly defined unchecked arithmetic code block.
We advise the BlazeSwap team to closely evaluate all minor-and-above findings identified in the report and promptly remediate them as well as consider all optimizational exhibits identified in the report.
Post-Audit Conclusion
The BlazeSwap team iterated over all findings identified in the report and provided us with a response document as well new commit hash to evaluate the fixes on as well as re-visit some exhibits that the BlazeSwap team wished to nullify.
We advise the BlazeSwap team to revisit all acknowledged as well as not remediated exhibits in case they wish to reconsider their stance on them.
Multiple new code segments were introduced in the latest commit hash that were not part of the original audit and represent new functionality introduced by the BlazeSwap team. These segments should not be considered as part of the audit engagement.
During the audit, we filtered and validated a total of 15 findings utilizing static analysis tools as well as identified a total of 31 findings during the manual review of the codebase. We strongly recommend that any minor severity or higher findings are dealt with promptly prior to the project's launch as they introduce potential misbehaviours of the system as well as exploits.
pie
title Total Issues
"Unknown" : 3
"Informational" : 20
"Minor" : 18
"Medium" : 5
"Major" : 0
The list below covers each segment of the audit in depth and links to the respective chapter of the report:
