CertiK Audits Three RioDeFi Modules and Performs a Pen Test For RioWallet

CertiK | Sept 2, 2020


RioDeFi, a DeFi infrastructure platform, aims to accelerate the adoption of digital assets by bridging traditional and decentralized finance. This is done by developing solutions that connect businesses, financial institutions, and banks with distributed ledger systems.

At the core of RioDeFi is RioChain. All applications built on RioChain enable lower transaction fees, faster confirmations, more efficiency, and a greater global reach. The characteristics of this chain include:

  1. Interoperability: RioChain is a public blockchain built on the Parity Substrate framework and fully compatible with the Polkadot network.
  2. Connectivity: RioWallet provides access to payment systems and allows users to withdraw fiat from their crypto accounts.
  3. Liquidity: RioDeFi bridges centralized and decentralized financial systems and can facilitate cross-chain transactions.

CertiK was excited to work with the RioDeFi team to examine issues and vulnerabilities in the in-scope source code of their system. A comprehensive audit was performed, along with a penetration test of RioWallet.

Audit Review and Pen Testing Summary

The CertiK team was contacted by the RioDeFi team to audit the design and implementation of the modules to be released as a Substrate-based system. The audited modules include:

  1. RioBridge
  2. RioAssets
  3. RioRuntime

The goal of this audit is to review the RioDeFi implementation against its business model, study potential security vulnerabilities and its general design and architecture, and uncover bugs that could compromise the software in production. The process paid special attention to the following considerations:

  • Reviewing the security and implementation soundness of RioRuntime, RioAssets, and RioBridge
  • Assessing the codebase to ensure compliance with current best practices and industry standards
  • Ensuring the system logic meets the specifications and intentions of the client

Additionally, CertiK performed an application penetration test of the RioDeFi mobile wallet application. The main objective of the penetration test was to assess the overall resiliency of the application against various real-world attacks on its controls and functions. Thus, RioDeFi would be able to identify its weaknesses, with recommendations provided to fix them and improve its security posture.

Findings and Processes From Testing

Regarding the audit, the codebase makes good use of the framework's specifics and Rust's best practices. CertiK's team of engineers found only a few minor exceptions, which were swiftly and completely fixed by the team.

The engineers stated, "Regarding the implementation of the privileged functionality handling and secure design around the framework with proper parameterization, the codebase was found to respect the framework's specifications and be in alignment with the intended functionality as modules."

Regarding the penetration test, CertiK tested the wallet against a range of mobile vulnerabilities, including the OWASP Top Ten. A white-box testing approach was used, with CertiK performing the test against the source code available in the shared GitHub repository. RioDeFi's initiative in performing these tests shows how much it values security.

Audit Security Recommendations

In addition to the functionality, the team recommends improving the documentation of the codebase. Although some parts were well documented, others lacked proper documentation. Additionally, all documentation regarding the project (READMEs, comments, whitepapers, and yellow papers) should have an English version. Given the experience with the RioDeFi team, CertiK is confident that the documentation will be updated and fully in place for the mainnet release.

CertiK strongly advises all projects to undergo strict unit testing of the complete codebase, even before the audit, to ensure that the intended functionality and outcome are achieved under all edge cases. Strict unit testing ensures that the code is of the highest quality and makes every audit more valuable.

About CertiK

CertiK is a technology-led blockchain security company founded by Computer Science professors from Yale University and Columbia University, built to prove the security and correctness of smart contracts and blockchain protocols.

CertiK's mission in every audit is to apply different approaches and detection methods, ranging from manual review to static and dynamic analysis, to ensure that the project is checked against known attacks and potential vulnerabilities. CertiK leverages a team of seasoned engineers and security auditors to apply testing methodologies and verification to the project, in turn creating a more secure and robust software system.

CertiK has serviced more than 100 clients with high quality auditing and consulting services, ranging from stablecoins such as Binance’s BGBP and Paxos Gold to decentralized oracles such as Band Protocol and Tellor.