Runtime Verification audits MultiversX’s Multi Asynchronous Calls

Posted on January 15th, 2024 by Runtime Verification
Posted in Audits


Runtime Verification is pleased to announce the completion of its audit of MultiversX’s Multi Asynchronous Calls feature. MultiversX is a distributed transactional computation protocol built on a sharded state architecture and a secure Proof of Stake consensus mechanism.

Audit Scope

At Runtime Verification we have worked with MultiversX for years across different types of engagements, and we are involved in the wider ecosystem, auditing other projects built on top of the protocol. This time we conducted another audit of the protocol itself, with a limited scope focused on the “Multi Asynchronous Calls” feature.

“Multiple Asynchronous Calls” is a feature of the MultiversX VM (Virtual Machine) scheduled for release in the upcoming v1.5. It introduces a new API and a protocol for contract-to-contract calls within a multi-sharded blockchain environment. The previous VM version already supports asynchronous calls; the forthcoming iteration expands this capability with a more versatile and less constrained model that allows a contract to make multiple asynchronous calls within a single execution.

To understand asynchronous calls, we need to step back and look at how MultiversX works and how its design as a multi-sharded blockchain improves scalability and efficiency. Sharding allows transactions to be processed in parallel across multiple shards, increasing the overall throughput of the network. Each shard operates independently, processing its own set of transactions. In a sharded blockchain, contracts may reside on different shards, and synchronous calls are limited to interactions within the same shard. Async calls remove this limitation by allowing a contract to initiate calls to contracts on other shards. To make an async call, the caller contract creates it using the dedicated API provided by the VM and, at the same time, tells the VM how to handle the outcome by providing a callback function. Once the async call concludes on the callee contract's shard, the result is transmitted back to the caller contract's shard, where the VM executes the specified callback. This is what lets smart contracts interact across shards in a flexible and interconnected way.

Initially, MultiversX had a simple shard-agnostic model of contract-to-contract async calls. This functionality has been actively used as a foundational element of many decentralized applications and smart contract interactions on the MultiversX blockchain. In the first version of async calls, a contract was limited to a single async call: once the contract initiated it, the contract's own execution terminated. This meant that a contract could not initiate more than one cross-shard call in a single transaction. The first version did, however, allow multi-level async calls, so an asynchronously called contract could itself initiate new async calls.

In the updated second version of async calls, smart contracts gained the ability to initiate multiple async calls during a single execution, which allows more complex interactions among contracts across shards. A significant improvement over the previous version is that the contract's execution is no longer terminated when it initiates an async call; instead, it continues past the call. The updated model comes with a noteworthy change, though: it no longer supports multi-level async calls. This trade-off gives a more straightforward and predictable execution flow.
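The three paragraphs above describe an execution model rather than code. The following Go program is an added toy model of that model, written for this page; it is not the MultiversX VM, and every type, function and contract name in it (VM, CallContext, RegisterAsyncCall, "router", "oracle", "nested") is an assumption made for illustration. It shows the v2 behaviour: a caller registers two async calls and keeps executing, each callee runs on its own shard and its result (or failure) is delivered to the caller's callback, and a callee that tries to go one level deeper is refused, which the caller observes through its callback rather than as its own failure.

```go
package main

import (
	"errors"
	"fmt"
)

// Toy model of the v2 ("multiple async calls") execution flow. Nothing here is
// the MultiversX VM API; all names are assumptions for illustration.

type Shard int

// Contract is a contract body executed by the toy VM.
type Contract func(ctx *CallContext, args []string) (string, error)

// AsyncCall is one cross-shard call registered by a caller, together with the
// callback the VM must run once the callee's outcome comes back.
type AsyncCall struct {
	Callee   string
	Args     []string
	Callback func(result string, err error)
}

// CallContext is what a contract sees while it executes.
type CallContext struct {
	vm      *VM
	isAsync bool // set when this execution is itself the callee of an async call
	pending []AsyncCall
}

// RegisterAsyncCall queues a call and returns, so the caller keeps executing
// (v2). A contract that is running as an async callee may not register further
// async calls: that is the "no multi-level async calls" trade-off of v2.
func (c *CallContext) RegisterAsyncCall(callee string, args []string, cb func(string, error)) error {
	if c.isAsync {
		return errors.New("multi-level async calls are not supported")
	}
	if _, ok := c.vm.contracts[callee]; !ok {
		return fmt.Errorf("unknown callee %q", callee)
	}
	c.pending = append(c.pending, AsyncCall{Callee: callee, Args: args, Callback: cb})
	return nil
}

// VM holds deployed contracts and the shard each one lives on.
type VM struct {
	contracts map[string]Contract
	shards    map[string]Shard
}

func NewVM() *VM { return &VM{contracts: map[string]Contract{}, shards: map[string]Shard{}} }

func (vm *VM) Deploy(name string, shard Shard, body Contract) {
	vm.contracts[name] = body
	vm.shards[name] = shard
}

// Execute runs the caller to completion, then dispatches every registered async
// call on its callee's shard and runs the matching callback with the outcome.
// It returns the caller's own result and a trace of the dispatches.
func (vm *VM) Execute(caller string, args []string) (string, []string, error) {
	body, ok := vm.contracts[caller]
	if !ok {
		return "", nil, fmt.Errorf("unknown contract %q", caller)
	}
	ctx := &CallContext{vm: vm}
	res, err := body(ctx, args)
	if err != nil {
		return "", nil, err
	}
	var trace []string
	for _, call := range ctx.pending {
		calleeCtx := &CallContext{vm: vm, isAsync: true}
		out, cerr := vm.contracts[call.Callee](calleeCtx, call.Args)
		trace = append(trace, fmt.Sprintf("%s@shard%d -> %s@shard%d",
			caller, vm.shards[caller], call.Callee, vm.shards[call.Callee]))
		call.Callback(out, cerr) // result (or failure) travels back to the caller
	}
	return res, trace, nil
}

// Scenario deploys three constructed contracts: "router" on shard 0 makes two
// async calls into shard 1; "nested" tries to go one level deeper and is refused.
func Scenario() (res string, trace, callbacks []string, err error) {
	vm := NewVM()
	vm.Deploy("oracle", 1, func(_ *CallContext, args []string) (string, error) {
		return "price:" + args[0], nil
	})
	vm.Deploy("nested", 1, func(ctx *CallContext, _ []string) (string, error) {
		if e := ctx.RegisterAsyncCall("oracle", []string{"x"}, func(string, error) {}); e != nil {
			return "", e
		}
		return "ok", nil
	})
	vm.Deploy("router", 0, func(ctx *CallContext, _ []string) (string, error) {
		record := func(tag string) func(string, error) {
			return func(r string, e error) {
				if e != nil {
					callbacks = append(callbacks, tag+"!"+e.Error())
					return
				}
				callbacks = append(callbacks, tag+"="+r)
			}
		}
		if e := ctx.RegisterAsyncCall("oracle", []string{"EGLD"}, record("oracle")); e != nil {
			return "", e
		}
		if e := ctx.RegisterAsyncCall("nested", nil, record("nested")); e != nil {
			return "", e
		}
		return "router-done", nil // v2: execution continues past the registrations
	})
	res, trace, err = vm.Execute("router", nil)
	return
}

func main() {
	res, trace, cbs, err := Scenario()
	fmt.Println(res, trace, cbs, err)
}
```

Running it prints the router's own result first, then the two dispatches and the two callback records; the second record carries the "multi-level" refusal as an error delivered to the router, which is the point a reviewer of this model would check. Under the v1 model described above, the router would have stopped at its first registration and the second call would never have been made.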

The evolution from the first version to the second version aligns with the increasing complexity of the DeFi and smart contract landscape on MultiversX. The updated model provides a more sophisticated and flexible approach, allowing contracts to interact across shards in a more refined and shard-agnostic manner, meeting the evolving needs of smart contracts.

The audit scope was limited to the Golang virtual machine source code, and within it to the creation and execution of contract-to-contract asynchronous calls on the MultiversX blockchain. Off-chain, auto-generated, or client-side portions of the codebase, as well as deployment and upgrade scripts, were not in scope for this engagement. A detailed list of all the contracts, libraries and interfaces audited can be found in the report.

Methodology

Runtime Verification conducted a manual code review for a period of nine weeks and delivered a detailed report on November 8th, 2023.

The audit starting point consisted of a detailed examination of the design document provided by the MultiversX team. This initial step aimed to understand the new protocol, its objectives, and the proposed changes in the execution model and the VM API (hooks) used by contracts for async calls.

The first step was focused on reviewing the VM hooks responsible for creating async calls. The goal was to confirm that the implementation met the design criteria, ensuring that the updated API allowed contracts to initiate multiple async calls seamlessly.

Following this, the VM code responsible for executing async calls was reviewed. After an initial review, diagrams were created to visualize the workings of the new model. These diagrams served as a basis for discussions with the MultiversX team, helping to establish a shared understanding of the protocol. Simultaneously, a comprehensive case analysis was conducted, exploring various scenarios where multiple contracts utilized async calls. The focus was on uncovering the behavior of async calls in different scenarios, particularly corner cases. The diagrams and outcomes of this case analysis have been documented and are accessible in our GitHub repository.

In the final phase of the audit, a detailed code review was conducted focusing on key aspects such as input validation, data serialization/deserialization, and persistence within the VM code related to async calls and contract execution. This examination was intended to cover both the high-level design and the detailed implementation, addressing potential issues in these critical areas.

Results

The audit identified and highlighted some issues along with some informative findings. Although a formal review of code fixes was outside the scope of the audit, a best-effort review was conducted on some of the code changes.

Readers interested in a more detailed and technical explanation of the findings can go over the full report in our GitHub repository.

About MultiversX

MultiversX is a highly scalable public blockchain via sharding, decentralized through 3200 validator nodes, built to solve the three fundamental problems critical for widespread, global adoption: transition from dial-up to broadband, significant UX paradigm shift, and simplicity of self-custody.

About Runtime Verification

Runtime Verification is a technology startup based in Champaign-Urbana, Illinois. The company uses formal methods to perform security audits on virtual machines and smart contracts on public blockchains. It also provides software testing, verification services and products to improve the safety, reliability, and correctness of software systems in the blockchain field.