CertiK Audits Terra’s New CosmWasm Smart Contract Solution

CertiK | Sept 11, 2020


CertiK is proud to announce another successful audit of Terra’s CosmWasm smart contract solution. The initial audit was completed in 2019, with a detailed report posted here.

Scope of Audit

Terra, one of the largest blockchain payment networks, is supported by a family of stablecoins which are pegged to the world's major currencies. The main goal of the CosmWasm solution is to provide functionality that allows smart contracts to interact with other smart contracts, and be deployed on different blockchain platforms. The solution is a WebAssembly smart contract system, and is based on the Cosmos SDK and Tendermint BFT consensus protocol.

Procedural Process

The CertiK team launched the audit by analyzing the project's specifications and the key areas of interest, which included reviewing the code's unit tests and running fuzzing against targets in the codebase.

Next, the team ran the code through automated tooling and manually reviewed every issue the tools reported. The main part of the audit was the manual review of the key areas of interest, divided into three parts: the language-specific, SDK, and wasm examination of the codebase and the targets in scope.

The team of expert engineers reviewed the codebase, written in Go and Rust, for language-specific problems and proper use of each language. In parallel, they examined the usage and proper implementation of the Cosmos SDK. Additionally, the wasm implementation and the targets generated by the codebase on the local testnet and the latest testnet were reviewed.

Learnings and Findings

For the moment, contracts can only be written in Rust, but the Terra team has stated that more programming languages are currently being looked into for future integration.

CosmWasm takes advantage of the Actor model: contracts communicate only through messages, which keeps each contract's state fully encapsulated and removes whole classes of bugs, such as the infamous Solidity re-entrancy attack.
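To make the re-entrancy point concrete, here is a small toy runtime, written as an added example for this article (it is not Terra's or CosmWasm's code, and the `Msg`, `Vault` and `Runtime` types are simplified stand-ins constructed here rather than the real cosmwasm-std types). A vault contract zeroes the caller's credit and then returns the coin transfer as a message; the runtime delivers that message only after the contract's own execution has finished. A receiving contract that tries to withdraw again can only enqueue another message, so by the time it runs the credit is already zero:

```rust
use std::collections::{HashMap, VecDeque};

/// Simplified stand-in for a CosmWasm `CosmosMsg`: the only way actors in this toy
/// runtime can affect one another. (Constructed for this example, not the real type.)
#[derive(Debug, Clone, PartialEq)]
pub enum Msg {
    /// Bank module: move `amount` coins from `from` to `to`.
    Send { from: String, to: String, amount: u64 },
    /// Call the vault contract's `withdraw` entry point on behalf of `caller`.
    Withdraw { caller: String },
}

/// The vault contract's private state: who is credited how much. No other actor can
/// read or write this map; they can only send the vault messages.
#[derive(Default)]
pub struct Vault {
    credits: HashMap<String, u64>,
    pub withdraw_calls: u32,
}

impl Vault {
    pub fn deposit(&mut self, who: &str, amount: u64) {
        *self.credits.entry(who.to_string()).or_insert(0) += amount;
    }

    /// Zero the caller's credit, then *return* the transfer as a message. Nothing but the
    /// vault's own code runs inside this function, so the credit is already 0 before the
    /// runtime ever delivers the coins.
    pub fn withdraw(&mut self, caller: &str) -> Vec<Msg> {
        self.withdraw_calls += 1;
        let amount = self.credits.get(caller).copied().unwrap_or(0);
        if amount == 0 {
            return Vec::new();
        }
        self.credits.insert(caller.to_string(), 0);
        vec![Msg::Send { from: "vault".into(), to: caller.into(), amount }]
    }
}

/// Toy runtime: a bank ledger plus a FIFO queue of messages, processed one actor at a time.
pub struct Runtime {
    pub bank: HashMap<String, u64>,
    pub vault: Vault,
}

impl Runtime {
    /// Hypothetical contract address that, whenever it is paid, immediately asks to
    /// withdraw again. In a synchronous call model that is the re-entrancy pattern;
    /// here the attempt can only be *queued* as a message.
    pub const HOOKED: &'static str = "hooked_contract";

    pub fn run(&mut self, first: Msg) -> Result<(), String> {
        let mut queue: VecDeque<Msg> = VecDeque::from(vec![first]);
        while let Some(msg) = queue.pop_front() {
            let produced = match msg {
                Msg::Withdraw { caller } => self.vault.withdraw(&caller),
                Msg::Send { from, to, amount } => {
                    let have = self.bank.get(&from).copied().unwrap_or(0);
                    if have < amount {
                        return Err(format!("{from} has {have}, cannot send {amount}"));
                    }
                    self.bank.insert(from.clone(), have - amount);
                    *self.bank.entry(to.clone()).or_insert(0) += amount;
                    // The payee's "on receive" hook: it may only emit further messages.
                    if to == Self::HOOKED {
                        vec![Msg::Withdraw { caller: to }]
                    } else {
                        Vec::new()
                    }
                }
            };
            queue.extend(produced);
        }
        Ok(())
    }
}

/// Constructed scenario: the vault holds 100 coins, of which 70 belong to an honest user
/// and 30 to the hooked contract, which then withdraws. Returns
/// (vault coins left, coins the hooked contract received, number of withdraw calls).
pub fn scenario() -> (u64, u64, u32) {
    let mut rt = Runtime { bank: HashMap::new(), vault: Vault::default() };
    rt.bank.insert("vault".into(), 100);
    rt.vault.deposit("honest_user", 70);
    rt.vault.deposit(Runtime::HOOKED, 30);
    rt.run(Msg::Withdraw { caller: Runtime::HOOKED.into() }).expect("run ok");
    (rt.bank["vault"], rt.bank[Runtime::HOOKED], rt.vault.withdraw_calls)
}

fn main() {
    let (vault_coins, hooked_coins, calls) = scenario();
    println!("vault={vault_coins} hooked={hooked_coins} withdraw calls={calls}");
}
```

The second `withdraw` call does happen (the counter reads 2), but it finds a zero credit and emits nothing, so the hooked contract receives exactly its 30 coins and the honest user's 70 remain in the vault. The property comes from the execution model, not from the contract author remembering a checks-effects-interactions ordering.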

Recommendations and Outcome

The recommendations expressed by the audit mostly concerned the usage of pointers within the codebase. CertiK's team of engineers found no major or critical issues in the codebase; the few issues found were minor or informational.

Overall, the audit found that the Terra team has done a good job implementing the project's specifications in code. Language usage is of a very high standard, with good unit-test coverage. The SDK specifics are well implemented with respect to the framework's requirements, and the same applies to the Cosmos wasm implementation.

Finally, the audit delivered all the necessary recommendations to the Terra team, and the issues were discussed and addressed.

About CertiK

CertiK is a technology-led blockchain security company, founded by Computer Science professors from Yale University and Columbia University, built to prove the security and correctness of smart contracts and blockchain protocols.

In every audit, CertiK's mission is to apply multiple approaches and detection methods, ranging from manual review to static and dynamic analysis, so that the project is checked against known attacks and potential vulnerabilities. CertiK leverages a team of seasoned engineers and security auditors to apply testing methodologies and verification to the project, in turn creating a more secure and robust software system.

CertiK has serviced more than 100 clients with high quality auditing and consulting services, ranging from stablecoins such as Binance’s BGBP and Paxos Gold to decentralized oracles such as Band Protocol and Tellor.

Consult with one of our experts at bd@certik.io
