Runtime Verification Audits Band Protocol’s Rust Implementation of the Band StandardReference Soroban Smart Contract

Posted on March 29th, 2024 by Runtime Verification
Posted in Audits


Runtime Verification is pleased to announce the completion of its audit of Band Protocol’s Rust implementation of the Band Standard Reference Soroban Smart Contract. Band Protocol, built on top of Cosmos, is a cross-chain data oracle platform that aggregates and connects real-world data and APIs to smart contracts.

Audit Scope

Band Protocol is a cross-chain data oracle built on top of BandChain, a Cosmos-SDK based blockchain. The exact scope of the audit was the Rust implementation of the Band “StandardReference” Soroban Smart Contract. The contract provides functionality for querying prices (reference data) of supported symbols from BandChain on the Soroban mainnet, part of the Stellar network. Thanks to this integration, Stellar users will be able to query the prices of the assets listed and provided by the Band Oracle. The Oracle integration is secured and monitored by the Band Protocol team, which supports it by regularly updating the storage of this smart contract with the symbols and prices of assets on BandChain. This enables Soroban/Stellar users to query the prices of these assets.

The contract identifies three roles, each with its own functionality: Admin, Relayers and Users. The main function of an “Admin” is to decide and assign which addresses have the right to become “Relayers.” Once the protocol’s “Admins” have chosen the “Relayers”, the Relayers are in charge of updating storage with asset symbols and their prices from BandChain. Finally, “Users” are able to read the stored symbols and prices in two ways: directly as RefData, or by comparing the prices between two symbols as ReferenceData.

Methodology

Runtime Verification conducted a manual code review over a period of 2.5 weeks and delivered a detailed report on February 19th, 2024.

One of the first steps in the audit process was to reason thoroughly about the business logic of the protocol. During this process, a call graph of the contract was made to understand the flow that the methods and functions can take and how they interact with the rest of the protocol.

The second step our auditors took was to start specifying the functionalities of the contract in mathematical/formal methods notation. During this process, a series of flow graphs were made, covering the interesting external functions our team identified and some of the trickiest-to-understand Soroban/Stellar functions related to storage rent.

After the specifications were written, a series of tests were written to examine scenarios where a vulnerability could be present in the system, and most specifications were proved correct using WP reasoning.

The final phase of the audit involved identifying potential invariants within the protocol. These were then shared with the Band team to confirm their applicability across the entire system and to prove them against the actual protocol.

Results

The audit identified and highlighted some issues along with some informative findings. Although a formal review of code fixes was outside the scope of the audit, a best-effort review was conducted on some of the code changes.

Readers interested in a more detailed and technical explanation of the findings can read the full report in our GitHub repository.

About Band Protocol

Band Protocol is a cross-chain data oracle platform with the aspiration to build high-quality suites of web3 development products. The flagship oracle solution aggregates and connects real-world data and APIs to smart contracts, enabling smart contract applications such as DeFi, prediction markets, and games to be built on-chain without relying on the single point of failure of a centralized oracle.

About Runtime Verification

Runtime Verification is a technology startup based in Champaign-Urbana, Illinois. The company uses formal methods to perform security audits on virtual machines and smart contracts on public blockchains. It also provides software testing, verification services and products to improve the safety, reliability, and correctness of software systems in the blockchain field.