Soroswap.Finance, the first Decentralized Exchange to be live on the Soroban Smart Contract Platform, has been a remarkable project for the PaltaLabs 🥑 team. It’s designed to let users provide liquidity, swap, and remove liquidity for their native Soroban token or their favorite Stellar Classic Assets.
From its inception as an MVP developed for the Soroban Hacka-Soroban-athon in January 2023 (awarded 3rd place 🥉🎉) to its recent mainnet launch on March 11th, 2024, Soroswap.Finance has undergone significant evolution. Central to this journey has been our partnership with OtterSec, the audit company that played a pivotal role in enhancing the security and integrity of our Smart Contracts.
Hi there! I’m Esteban Iglesias (@esteblock on Discord, Telegram and Github, @esteblock_dev on X/Twitter), the Founder of Soroswap.Finance and PaltaLabs. In this blog post, I’ll take you through our audit experience, share the lessons we learned, and highlight how OtterSec and the Stellar Audit Bank helped make Soroswap.Finance a more secure protocol.
All starts at Meridian 2023:
During the recent Stellar Annual conference Meridian 2023, that was held in Madrid, the Stellar Development Foundation announced the “Audit Bank”, an initiative that would help by providing funding to projects to receive an audit with select security firms.
Old Phrase
As Soroswap.Finance was already funded by the Stellar Community Fund (now up to XLM 1,626,833.25, which is about 296k USD), it quickly got selected. However, even before we knew about this, with the rest of the PaltaLabs team, we had the pleasure of meeting Christian Cuffari from the Ottersec team in an informal situation. This is how real connections begin!
New Phrase:
As Soroswap.Finance had already received funding from the Stellar Community Fund (now totaling 296k USD!), it was quickly selected for the audit program. Interestingly, even before we were aware of this opportunity, the PaltaLabs team had the pleasure of meeting Christian Cuffari from the Ottersec team in an informal setting. This is where real connections are made!”
The face-to-face interaction added a personal touch to our professional relationship. Following this, we established communication channels, organized calls, and ensured our repository was up to date, marking the commencement of the audit process.
Preparing for the Audit: A critical aspect of the audit process was ensuring that all features were finalized before it started. Setting the “commit hash” of the Soroswap.Finance `core` repository was crucial to prevent any future additions from impacting the security of the entire contract without approval from the audit team.
Improving Unbounded Data Storage in Soroban
Ottersec played a vital role in identifying 3 vulnerabilities and 3 general findings during our audit process. Among these, only one vulnerability was categorized as high, relating to unbounded data storage — an intricate aspect within Soroban.
Unlike other Blockchains where data remains indefinitely, Soroban handles data storage in a more efficient manner. This distinction allows for the creation of Temporal Types of Data, offering flexibility in data retention. With Soroban, you no longer need to store everything forever in the Blockchain. Instead, you have the option to store small or unbounded data, with a correct approach for each.
Through collaborative efforts and simulations, Soroswap.Finance successfully implemented optimal design patterns for unbounded data storage, mitigating potential risks associated with DoSÂ attacks.
This aspect of the audit process was particularly engaging and fun 🎉! , as it involved continuous communication with Andreas Mantzoutas from the OtterSec team, conducting DoS attack simulations 🤓, and sharing insights in my blog post titled “Costs, DoS Risks, and Instance vs. Persistent Data Types in Soroban.”
In fact, instead of just pushing an element into a vector, you create a variable DataKey, and then store every element in an independent storage slot, like the the following code example:
pub enum DataKey { StoredAddresses(u32)}
…
env.storage().persistent().set(&DataKey::StoredAddresses(index), &address_to_store);
Token Safety in Soroswap.Finance
A notable finding during our audit journey was about the interactions with unknown tokens. I initiated a discussion thread in the Stellar Discord Channel, encouraging dialogue on this topic. This led to valuable lessons and improvements, such as the Freighter Wallet team implementing a feature to preview subsequent transactions, including token transactions. In response, the Soroswap.Finance team initiated the token-list repository, ensuring a curated list of known tokens for enhanced user safety and convenience.
Reflecting on the Journey:
In conclusion, the audit process not only enhanced the security of Soroswap.Finance but also provided a valuable learning experience for our team and the whole community!. Our journey with OtterSec was characterized by open communication and collaboration, reaffirming the significance of partnerships in achieving shared goals.
I invite you to also consider undergoing your own audit for your projects! Together, we can continue to elevate the standards of security and reliability in the blockchain ecosystem.
Please follow Soroswap.Finance!
- Github: https://github.com/soroswap
- X / Twitter: https://twitter.com/SoroswapFinance
- Official Website: https://soroswap.finance/
- Docs: https://docs.soroswap.finance/
- PaltaLabs Website: https://paltalabs.io/
- PaltaLabs X/Twitter: https://twitter.com/PaltaLabs
- My X/Twitter: https://twitter.com/esteblock_dev
Securing Soroswap.Finance: Our Journey with OtterSec was originally published in Stellar Community on Medium, where people are continuing the conversation by highlighting and responding to this story.