From December 4, 2023, to January 10, 2024, QuillAudits conducted an extensive smart contract audit to secure Taiko Protocol’s ZK-Rollup bridge. Our collaboration emphasized auditing Taiko Protocol‘s ZK-Rollup bridge, crucial for secure blockchain transactions. The comprehensive analysis led by QuillAudits’ team of experts revealed 15 vulnerabilities, ranging from critical to informational. These vulnerabilities posed significant risks to the platform’s security and the safety of its user’s assets. The audit showcased QuillAudits skill in tackling security challenges, reinforcing our commitment to safeguarding smart contract integrity.
After the audit, the final smart contract audit report, published on January 11, 2024, details the resolution of vulnerabilities in Taiko Protocol’s ZK-Rollup bridge. It showcases QuillAudits systematic approach in enhancing security, emphasizing the balance between functionality and Zero Knowledge proofs’ complexity. QuillAudit’s security audit elevates blockchain, showing deep understanding and enhancing secure & efficient Layer 2 solutions for Ethereum.
QuillAudit’s In-Depth Security Analysis of Taiko’s ZK-Rollup Bridge
In QuillAudits’ comprehensive security evaluation of Taiko’s ZK-Rollup Bridge, several critical vulnerabilities and areas for improvement were identified. These measures aim to enhance the system’s integrity and user safety. Firstly, issues with token recalls across chains were spotlighted due to incorrect mapping validations. This necessitated the use of ‘canonicalToBridged’ mapping and chain ID checks for accurate token processing.
Additionally, the risk of users losing fee funds through unchecked token transfers was addressed. This was done by recommending the adoption of SafeERC20 wrapper functions for secure transactions.
The analysis further uncovered a significant flaw in the decoding logic within ‘onMessageRecalled’. This could lead to irreversible fund losses, calling for an urgent correction in decoding practices to ensure the precise extraction of token and amount details.
The assessment also exposed risks from unchecked arbitrary data calls, potentially bypassing crucial security measures. It proposed the implementation of a receive callback interface for enhanced validation.
The potential for unauthorized execution on protocol contracts was mitigated by advising the addition of restrictions on ‘processMessage()’ calls. To combat the misuse of bridge transaction calls, it was recommended to limit ‘processMessage()’ functions to intended operations only. This narrowing down of attack vectors helps in enhancing security measures. The use of ‘encodeWithSelector’ was critiqued for lacking argument type safety. A shift towards ‘encodeCall’ for message data generation was advised for better security.
Token transfer and minting inefficiencies were identified; batch methods were recommended for enhanced efficiency in processes, addressing looping concerns. The analysis cautioned against single-step ownership transfers in OwnableUpgradable due to the high risk of losing control. It suggested the more secure Ownable2StepUpgradable mechanism instead.
Unsafe ERC721 operations were identified as a risk for permanent NFT loss, urging the use of ‘safeTransferFrom()’ and ‘safeMint()’ for compliance and security. The inconsistency in gap sizes across contracts was noted as a maintenance hurdle, with a call for standardization.
Misleading comments in the codebase highlighted the importance of accurate updates. Advised against using assert over require for better error handling in deployment code. Suggested checking address equality to reduce redundancy and save gas. Unused errors and events were identified as clutter, recommending streamlining for efficiency.
QuillAudit’s analysis emphasizes the need for these enhancements to strengthen Taiko’s ZK-Rollup Bridge’s security and functionality.
Taiko Protocol Gears Up for Mainnet Launch
Taiko’s Katla testnet, launched in January, boasts 1.1M wallets and 13M transactions, evolving since 2022. Taiko plans to launch its mainnet by the second quarter of this year,Terrence Lam said. He also added. We definitely need to upgrade our Katla testnet to enable support for EIP-4844. Taiko plans to expand its team, which is currently 40 strong, by hiring in various areas like engineering and community growth.
About TAIKO Protocol
Taiko Protocol is a decentralized Layer 2 blockchain protocol that uses a Zero Knowledge Ethereum Virtual Machine (ZK-EVM) to scale Ethereum while maintaining its core properties of decentralization, security, and compatibility. It is designed to be Ethereum-equivalent (Type 1 ZK-EVM), which means it is fully compatible with Ethereum and offers a seamless developer experience. Taiko Protocol has three stages: block proposal, validation, and proving. It is fully open-source, using the MIT license, and aims to be a secure and decentralized L2 for Ethereum.
