Xion Global Completes Audit on Subscription Contracts for Billing Options

Xion Global, the next-generation payment portal for e-commerce platforms and merchants, has announced the completion of its audit program for the smart contracts behind subscription and single-billing purchases. These are among the payment options that merchants on Xion Global will offer to their customers. The audit firm byterocket was contracted to carry out a thorough vetting of the code that makes up the smart contracts for these billing options.

The team at byterocket began the audit on 27 September and completed it on 5 October 2021. The audit comprised a manual multi-pass code review, automated code review, in-depth protocol analysis and a formal report, which was released after the audit was finalized. byterocket accessed the code through our public GitHub repository.

At the code level, byterocket found no bugs or flaws apart from two low-severity issues, both of which were fixed before the audit was completed. Further checks with several automated analysis tools (MythX, Slither, Manticore and various fuzzers) revealed no additional bugs, only a few common false positives.

The two low-severity issues were found in the XGhub and XGWallet contracts. XGhub is the central contract of the Xion Global architecture: it links to the latest version of each individual module and serves as the interaction point for the important administrative functions. The hub exposes general security functions such as pause(), unpause() and setAuthorizedAddress(), each of which invokes the same function on every module, so that in an emergency a single call by the multi-sig to the hub's pause() pauses every module in the same transaction. Pause and unpause functions for subscriptions and purchases were added to the XGhub code after the audit team advised our developers that they were needed.
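The hub/module fan-out described above, as an added illustration in Solidity (this is not Xion Global's XGhub code; the contract names Hub, Module and IPausableModule, the `authorized` mapping and the `process()` stand-in are assumptions made for this sketch):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Emergency-stop fan-out from a hub to every registered module.
// Added example, not Xion Global's code; names are assumptions.

interface IPausableModule {
    function pause() external;
    function unpause() external;
    function setAuthorizedAddress(address who, bool allowed) external;
}

// A module accepts these administrative calls only from the hub, so the hub
// (and, behind it, the multi-sig) is the single point of control.
contract Module is IPausableModule {
    address public immutable hub;
    bool public paused;
    mapping(address => bool) public authorized;

    modifier onlyHub() {
        require(msg.sender == hub, "Module: caller is not the hub");
        _;
    }

    modifier whenNotPaused() {
        require(!paused, "Module: paused");
        _;
    }

    constructor(address hub_) {
        hub = hub_;
    }

    function pause() external override onlyHub {
        paused = true;
    }

    function unpause() external override onlyHub {
        paused = false;
    }

    function setAuthorizedAddress(address who, bool allowed) external override onlyHub {
        authorized[who] = allowed;
    }

    // Stand-in for real business logic (e.g. charging a subscription):
    // blocked while paused and restricted to addresses the hub authorized.
    function process() external view whenNotPaused returns (bool) {
        require(authorized[msg.sender], "Module: not authorized");
        return true;
    }
}

contract Hub {
    address public immutable multisig;
    IPausableModule[] public modules;

    modifier onlyMultisig() {
        require(msg.sender == multisig, "Hub: caller is not the multisig");
        _;
    }

    constructor(address multisig_) {
        multisig = multisig_;
    }

    function addModule(IPausableModule module) external onlyMultisig {
        modules.push(module);
    }

    // Every registered module is paused inside this one transaction. If any
    // module reverts, the whole call reverts, so the suite is never left
    // half-paused.
    function pause() external onlyMultisig {
        for (uint256 i = 0; i < modules.length; i++) {
            modules[i].pause();
        }
    }

    function unpause() external onlyMultisig {
        for (uint256 i = 0; i < modules.length; i++) {
            modules[i].unpause();
        }
    }

    function setAuthorizedAddress(address who, bool allowed) external onlyMultisig {
        for (uint256 i = 0; i < modules.length; i++) {
            modules[i].setAuthorizedAddress(who, allowed);
        }
    }
}
```

Deploy Hub first, then each Module with the hub's address, then register the modules with addModule(). The loops are unbounded, so the gas cost of pause() grows with the number of modules; that is acceptable for a handful of modules but is worth keeping in mind if the registry is ever opened up.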

The low-severity issue in XGWallet, the contract responsible for all features related to payments and funds, concerned gas: the amount forwarded with outgoing transfers was too small. Through XGWallet, users deposit the stablecoin xDAI and our native token XGT, which they can then use to pay for goods and services.

Users can withdraw their deposited funds at any time, and the other modules of the XG contract suite interact with the wallet to process payments and pay out merchants. byterocket advised our developers to raise the gas forwarded with each transfer from 2,850 to 20,000 to prevent transfer failures: many smart-contract recipients, multisig wallets in particular, run code on receipt that needs more than 2,850 gas, and a transfer to them would otherwise revert.
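A payout with an explicit gas allowance, as an added illustration in Solidity (this is not Xion Global's XGWallet; the Wallet and CountingRecipient contracts, the PAYOUT_GAS constant and the function names are assumptions, and only the native coin is handled, not the ERC20 XGT path). The recipient contract shows the kind of receive() logic that fails under a 2,850-gas allowance but succeeds under 20,000:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Native-coin wallet payout with an explicit gas allowance for the recipient.
// Added example, not Xion Global's XGWallet; names and constants are
// assumptions. Only the native coin (xDAI on xDai) is handled here.

contract Wallet {
    // The audit advised raising the forwarded gas from 2850 to 20,000.
    uint256 public constant PAYOUT_GAS = 20_000;

    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Checks-effects-interactions: the balance is debited before the external
    // call. With 20,000 gas instead of a 2300-style stipend the recipient can
    // run real code, including a re-entrant call back into withdraw(), so the
    // state update must already be done when the call goes out.
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "Wallet: insufficient balance");
        balances[msg.sender] -= amount;
        _payout(payable(msg.sender), amount);
    }

    // Merchant payouts would take the same path (access control omitted).
    function _payout(address payable to, uint256 amount) internal {
        (bool ok, ) = to.call{value: amount, gas: PAYOUT_GAS}("");
        require(ok, "Wallet: transfer failed");
    }
}

// A recipient whose receive() does a little bookkeeping, as a multisig wallet
// might: one warm storage write plus an event. That costs several thousand
// gas, more than 2850 but well under 20,000. The counter starts at 1 so the
// write is a non-zero-to-non-zero SSTORE; a first write to an empty slot
// costs more than 20,000 gas and would still fail, so the allowance is a real
// ceiling that recipients must stay under.
contract CountingRecipient {
    uint256 public received = 1;

    event Received(address from, uint256 amount);

    receive() external payable {
        received += 1;
        emit Received(msg.sender, msg.value);
    }
}
```

The practical caveat for any wallet that raises its forwarded gas is in the comment above withdraw(): the low stipend was doing double duty as a crude reentrancy guard, so once it is raised the contract must rely on ordering its state updates before the call (or an explicit reentrancy guard) instead.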

The XGhub contract was also over the deployed-bytecode size limit (24 KB under EIP-170), which would have made it impossible to deploy on the Ethereum mainnet and some other networks. Even if it had deployed on xDai, there would have been no room for future changes. We therefore implemented the changes the audit team advised: the contract was split so that the subscription and single-billing functionality live in separate contracts. Both contracts are now several kilobytes below the limit, which leaves room for future upgrades and features.

A team of three auditors from byterocket reviewed our protocol logic, its implementation and its documentation. The team found no weaknesses in the implementation of the protocol: none of their function calls produced unforeseen results, nor were the results skewed in any way, and the overall process flow was valid at all times.

The audit team also carried out a testnet deployment to verify the functionality of the protocol's implementation. byterocket set up two testnets, one geth-based and the other OpenEthereum-based, and the results were identical on both. The contracts, in particular the treasury contract, were run through fuzzing tools without any problems being observed: the contracts behaved as expected and reverted correctly on invalid inputs. In summary, the manual and automated code review by byterocket produced no negative results apart from the two low-severity issues, which were fixed before the audit was completed.

The audit report has been stored on IPFS (the InterPlanetary File System), which keeps the report on a distributed network rather than on a single server, so it remains accessible even if our own server is down.

About byterocket

byterocket is a software development and blockchain audit firm based in Germany, founded in 2017 by Marvin Kruse. byterocket has been part of the Ethereum development community and is actively involved in smart contract development, having implemented numerous solutions ranging from standard ERC20 and ERC721 tokens to DAOs and voting schemes, token curated registries, decentralized exchanges and more.