Allbridge, with support from the Stellar Development Foundation, mandated Quarkslab to perform an audit of Estrela, an automated market maker for Stellar built on Soroban.
Introduction
Allbridge Core enables users to transfer dollar-pegged tokens ("stablecoins") between different blockchains. As of today, their smart contracts manage over $38 million locked across the chains they support. To transfer funds across different blockchains, there needs to be a liquidity pool (i.e. locked stablecoins) on both ends of the transfer. On the sending end, the pool determines the exact value of the tokens to bridge, and this value is subsequently converted back to stablecoins on the receiving end by the other endpoint's pool.
To determine the exact value of stablecoins, Allbridge Core uses a partial automated market maker (AMM) integrated into their endpoints. AMMs are built to maintain an invariant at all times, representing the actual value of all locked assets. This invariant lets the market maker always provide a price for its assets. As they deal with stablecoins, Allbridge's implementation uses the StableSwap invariant.
Earlier this year, leveraging our experience with the newly deployed Soroban smart contract platform, we audited the Soroban endpoint of their bridge. Soroban is Stellar's smart contract platform, recently deployed on their mainnet, that we also audited for the Stellar Development Foundation.
Allbridge then decided to extract the partial AMM from their bridge and make it a fully fledged AMM for Soroban, supporting binary pools of stablecoins, called Estrela. They tasked us with assessing the security of their implementation. Our report is available on Allbridge's website.
Scope
The audit mainly focused on the implementation of the pool smart contract, implemented in Rust for Soroban, handling transfers between two specific stablecoins. We also audited the supporting factory smart contract, able to deploy new pools for new pairs of stablecoins.
The source for these smart contracts is available on GitHub: allbridge-io/dex-soroban-contracts.
Findings
The table below summarizes the findings of the audit. A total of 7 issues were found, with 1 ranked high severity.
ID | Title | Severity | Perimeter |
---|---|---|---|
HIGH-1 | Integer overflow when depositing liquidity can lead to loss of funds if the pool is configured with a high enough amplification factor (A >= 121) | High | Pool (get_d) |
LOW-1 | Admin can update the factory source code (centralization risk) | Low | Factory |
LOW-2 | Admin can update the pool source code (centralization risk) | Low | Pool |
INFO-1 | Excessive pool creation can lead to a Denial of Service | Info | Factory |
INFO-2 | Integer overflow in internal function (unreachable) | Info | Both (cbrt) |
INFO-3 | Full fees on liquidity withdrawal | Info | Pool (get_withdraw_amount) |
INFO-4 | Code duplication for sending rewards | Info | Pool (claim_rewards, get_pending and get_reward_debts) |
Allbridge fixed the high severity issue (HIGH-1), the DoS risk (INFO-1) and code issues (INFO-2 and INFO-4).
They acknowledged the centralization risk (LOW-1 and LOW-2) and plan to address it by developing a cross-chain DAO in their 2024 timeline. They stated that issue INFO-3 is intended behavior to prevent users from swapping tokens by performing a deposit and a withdrawal rather than a swap.
Technical takeaways
In Rust, integer overflows are checked at runtime in debug mode, and also in release mode if the profile.release.overflow-checks = true configuration option is set. However, when using ethnum::U256, the check is not performed, which led to the high severity issue.
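The failure mode described above, as an added example (not code from Estrela, ethnum or the audit report): `Wide` is a hypothetical stand-in for a library integer type whose `*` operator wraps, backed by `u64` so it builds with the standard library only, and `scaled_unchecked` / `scaled_checked` are illustrative names, not the pool's `get_d`. It shows a product that silently wraps once the multiplier is large enough, next to the explicitly checked form that returns an error instead.

```rust
use std::ops::Mul;

// Hypothetical stand-in for a library big-integer type (assumption: its `*`
// wraps on overflow). The overflow-checks profile flag only instruments
// primitive arithmetic, so it cannot turn this wrap into a panic.
#[derive(Clone, Copy, Debug, PartialEq)]
struct Wide(u64);

impl Mul for Wide {
    type Output = Wide;
    fn mul(self, rhs: Wide) -> Wide {
        Wide(self.0.wrapping_mul(rhs.0)) // silent wrap in every build profile
    }
}

impl Wide {
    // Explicit check: None when the true product does not fit.
    fn checked_mul(self, rhs: Wide) -> Option<Wide> {
        self.0.checked_mul(rhs.0).map(Wide)
    }
}

#[derive(Debug, PartialEq)]
enum PoolError {
    Overflow,
}

// Risky pattern: trusts the operator to trap overflow. Computes amp * balance^2.
fn scaled_unchecked(amp: u64, balance: u64) -> Wide {
    Wide(amp) * Wide(balance) * Wide(balance)
}

// Hardened pattern: each step is checked and the failure is propagated, so the
// contract call can abort instead of continuing with a wrapped value.
fn scaled_checked(amp: u64, balance: u64) -> Result<Wide, PoolError> {
    Wide(amp)
        .checked_mul(Wide(balance))
        .and_then(|v| v.checked_mul(Wide(balance)))
        .ok_or(PoolError::Overflow)
}

fn main() {
    let balance = 1u64 << 31; // constructed sample value: balance^2 = 2^62
    for amp in [1u64, 3, 4, 5] {
        let (u, c) = (scaled_unchecked(amp, balance), scaled_checked(amp, balance));
        println!("amp={}: unchecked={:?} checked={:?}", amp, u, c);
    }
}
```

With the constructed balance, multipliers up to 3 give identical results in both forms; from 4 upward the unchecked form returns a wrapped value (0 for 4) while the checked form returns `Err(PoolError::Overflow)`.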
Conclusion
Leveraging their experience with the Allbridge Core endpoint for Soroban, Allbridge developed Estrela with the same great level of code maturity and sophistication. They promptly reacted to our findings and responded in a satisfactory manner.
Quarkslab had a successful collaboration with Allbridge with the help of the Stellar Development Foundation and participated in securing a key component of the ecosystem. The audit uncovered one high severity issue. Going forward, we strive to continue pursuing our mission of advancing security in the Web3 ecosystem.