by Stéphane Coquet
Trail of Bits Completes Independent Third-Party Audit of Atlendis V2 Smart Contracts
This article describes the audit results and Atlendis Labs’ response to the comments in the audit report.
Atlendis Labs is pleased to announce that security research firm Trail of Bits has completed an independent third-party audit of the Atlendis protocol V2’s smart contracts. The audit was conducted between February and March 2023. The testing efforts focused on identifying issues that would result in attackers stealing funds, or abusing the arithmetic in the products. The Trail of Bits team was given access to source code and documentation, and performed static and dynamic testing of the target system, using automated and manual processes.
This article describes the audit's methodology and Atlendis Labs’ comments on the audit report.
Overview and Scope of the Project
Atlendis Labs engaged Trail of Bits to undertake a security audit of the smart contracts for Atlendis’ V2 Loans and Revolving Credit Lines products. Trail of Bits focused in particular on verifying the implementation of these products against their specifications, and on the calculation and precision issues that were frequently encountered during development.
To that end, Trail of Bits conducted the audit with full knowledge of the target system, including source code and extensive documentation. They performed static analysis, manual review, and fuzz testing of Atlendis V2’s Solidity components.
In the audit, Trail of Bits identified 25 findings ranging from “High” to “Informational” severity. A summary, details on notable findings, and the classification methodology of the findings are provided in the full audit report.
Trail of Bits found in particular that the codebase was complex, with some areas lacking data validation, not respecting the provided specifications, or handling calculations in a way that could be detrimental to users because of insufficient handling of arithmetic precision.
Even though most of these findings, and in particular the most critical ones, were resolved and reviewed in a dedicated fix review, Trail of Bits had follow-up recommendations for further actions to be taken on the codebase.
In particular, Trail of Bits advised Atlendis Labs to complete and extend the testing of the contracts, to better handle arithmetic imprecision, to simplify the contract architecture, and finally to validate further structural changes with another independent audit.
Atlendis Labs’ Comments
The Atlendis Labs team was satisfied with the analysis and recommendations made by the Trail of Bits team, given the time constraint of the audit and the complexity of the code. Before the audit started, the Atlendis Labs team had been working tirelessly to deliver a feature-complete and functional set of contracts, even though the schedule of the audit was tight.
As a consequence, some questions were still pending when the audit started, and in particular some testing work was not totally complete. Trail of Bits had to audit a codebase that was not mature at the time.
The Atlendis Labs team worked hand in hand with Trail of Bits to best cover the smart contracts’ scope, and ensure a prompt resolution of the findings. The Atlendis Labs team also noted and acted on Trail of Bits’ further recommendations. After the audit ended, it was clear that the code was not ready to be deployed. The Atlendis Labs team then spent an additional 6 weeks of work to address the findings, complete the testing of the smart contracts, and rework the overall architecture of the contracts, before another audit was led by a second independent external auditor.
The Trail of Bits audit was a structuring step toward deploying the Atlendis V2 smart contracts to production, and with the auditors’ help, the Atlendis Labs team was able to improve the protocol’s security.
Read the audit report here.
Atlendis Labs is grateful to have worked with the Trail of Bits team on this audit, and Atlendis appreciates the team's thorough and conscientious research.
Atlendis is a capital-efficient credit protocol connecting DeFi with real-world use cases. Atlendis fills the gap that traditional finance (TradFi) has not been able to cover successfully. Leveraging blockchain technology and open banking, Atlendis enables Fintech and institutional actors to open dedicated liquidity pools and access one-time loans and revolving lines of credit, thus facilitating alternative financing for the growth and development of SME and startup customers across the globe. Atlendis makes it possible for any lender to control their portfolio while earning sustainable yield and making a meaningful impact by helping real-world businesses.
About Trail of Bits
Founded in 2012 and headquartered in New York, Trail of Bits provides technical security assessment and advisory services to some of the world’s most targeted organizations. We combine high-end security research with a real-world attacker mentality to reduce risk and fortify code. With 100+ employees around the globe, we’ve helped secure critical software elements that support billions of end users, including Kubernetes and the Linux kernel.
To keep up to date with our latest news and announcements, please follow @trailofbits on Twitter and explore our public repositories at https://github.com/trailofbits. To engage us directly, visit our “Contact” page at https://www.trailofbits.com/contact, or email us at firstname.lastname@example.org.
Co-Founder & CTO
Stéphane Coquet is a Co-Founder and CTO of Atlendis Labs. Stéphane started his career in consulting, and quickly switched to developer roles in the digital marketing field. He then fell down the blockchain rabbit hole and figured that since he already spent the majority of his time exploring the Ethereum blockchain ecosystem, he might as well make it his day job. He joined ConsenSys as a software engineer and worked on several global projects, helping institutions build private blockchain consortia to change the rules of their respective industries. He aspires to build a more open and inclusive financial system, but this time on the public side of the chain. Stéphane is a graduate of the Ecole Polytechnique and Ecole des Mines de Paris.