Smart contract security audit for Allbridge Classic

We started the audit by analysing, threat modelling, and assessing the risks associated with smart contracts and off-chain entities:

• As the Tezos Project allows users to exchange tokens, we've used security standards from traditional finance as yardstick orientation (PCI DSS, SOX, etc.), NIST RMF as a risk management framework, and OWASP SAMM as best practices for software maturity processes.
• Our team identified significant risks and threat vectors based on the risk assessment results, which allowed to detect the most use cases and operations before starting an actual implementation review.
• To assess the impact of the security controls, we classified them as "broken", "missing", or "improvements" and set priorities as high, medium, or low. Clear classification allowed the development team to prioritise security-related work and understand the consequences of the found issues.

Keeping the bridge context in mind, we reviewed its design and use cases:

• Our team reviewed general architecture, components, contracts, their purposes, workflows, etc. and enriched the project's documentation with corresponding diagrams and charts.
• Due to the centralised nature of the Tezos Project, special attention was paid to the risks of abusing and misusing the bridge lifecycle by the product team and admins. We provided guidelines on how to strengthen operations and prevent accidental errors by additional checks. The expanded suggestions included deployment pipelines, contract migration strategies, functionality available for administrators, managing admin's keys, etc.
• We proposed two-step migrations to protect specific workflows of changing sensitive fields, like administrators or keys, to reduce the chance of system errors.
• To determine whether the token exchange is synchronised between different blockchains, our engineers examined the Ethereum part of the cross-chain bridge and ensured its compatibility and consistency with the Tezos part.

We conducted a security audit of smart contracts core and transactions:

• The transaction review started from a design level: the flow, sources and destinations, parameters, trust, and possible gas issues. Visualising workflows helped to spot missing steps and risky connections.
• After creating a data model for each contract and its storage, analysing data types, appropriate fields, and unused items, we recommended removing some items and changing types in others to save gas.
• The Tezos Project doesn’t store private data but still operates with sensitive information: signatures, administrator addresses, user balances, etc. We identified sensitive assets and ensured that they were handled and controlled appropriately.
• Our team reviewed each function, entrypoint, and view for unreachable code, (in)correct calculations, precision handling, type conversions, etc. All sensitive flows were covered with tests and complied with FA2 and TZIP-016 standards.
• We tested for smart contract-specific threats and attack vectors: gas exhaustion, reentrancy, front-running attacks, signature replay, malicious miners, etc.
• Along with security, security engineers considered efficiency and maintainability during the analysis and identified places for optimising gas consumption.
• To ensure that our testing is throughout, we used industry-specific checklists as guidance: Smart Contract Security Verification Standard (SCSVS) by SecuRing, Tezos security assessment checklist and Tezos security baseline checking framework by Inference.

Besides all the above, we provided recommendations for security improvements aligned with the “defence in depth” approach:

• Guidelines for improving dependency and vulnerability management processes, as the Tezos Project uses some third-party code for testing, origination, and maintaining contracts.,
• In light of the rapid growth of the LIGO ecosystem, our team recommended monitoring new compiler versions and setting up a process of updating code, as new versions bring performance, memory optimisations, and security fixes.