Runtime Verification audits Swaap's Pool smart contracts

Posted on July 28th, 2022 by Runtime Verification
Posted in Audits

Runtime Verification audits Swaap's Pool smart contracts

Runtime Verification is pleased to announce the completion of Swaap’s Pool smart contracts audit. Swaap is a market neutral Automated Market Maker aiming to minimize the impermanent loss that liquidity providers face by leveraging a combination of oracles and dynamic spread to provide sustainable yields for liquidity providers and cheaper prices to traders.

Audit scope

The scope of the audit is limited to the Solidity source code of the protocol’s Core smart contracts V1. The primary contracts control several liquidity provisions and trading functions. Swaap’s liquidity pool smart contracts allow for multi-asset pools that can bind from two to eight tokens at the same time. Liquidity providers can join the pool of their choice using their assets and receive fees from trades taking place in their pool. Swaap’s Matrix Market Maker aims to lower the risk of impermanent loss that liquidity providers usually face on automated market makers through the use of an external price oracle, which dynamically increases the fees when the price of an asset is volatile, and charges a lower fee when prices are stable.

The audited functionalities included the core contracts controlling the liquidity pools, depositing and withdrawing to single and multi-asset liquidity pools, and trading X token for Y token with applied dynamic fees depending on the liquidity which affects volatility. Also included in the audit was the integration of the external price oracle which is responsible for determining the current state of the market and the computation of the dynamic fees.

The audit only covered the Solidity source code of the contracts and it excluded any deployment and upgrade scripts, off-chain codebase and client-side portions of the codebase. A detailed list of the audited contracts can be found in the report.

Methodology

Runtime Verification conducted a manual code review for a period of nine weeks, and delivered a detailed report on May 27th, 2022.

The first step in the audit process consisted of understanding the Matrix Market Maker (a new model of AMM developed by Swaap), use cases, and business model based on a set of inputs and documentation provided by the Swaap team.

In the second phase of the audit, a minimal abstract model of the protocol was created to capture the most essential properties of the system with respect to providing liquidity and trading. The model served as a communication vehicle and was intended to avoid any misunderstanding of the protocol before the code review phase could begin.

Next, the Solidity source code was compared against the high-level description of the protocol found on Swaap’s Whitepaper. Some areas of discrepancy from the Whitepaper and the code-base were identified, and we worked closely with Swaap to find possible solutions.

Finally, we searched the code-base to identify any known security vulnerabilities that may be exploited. Close attention was paid to any rounding errors that might occur, and potential ways to reduce them were suggested.

Results

The audit identified and highlighted some issues along with a number of informative findings.The Swaap team addressed all the issues and concerns raised during the audit and incorporated all the necessary changes in the smart contracts. Code changes were not part of the scope; however, the team conducted a lightweight best-effort review of a limited number of changes.

Users interested in a more detailed and technical explanation about the findings can go over the full report in our GitHub repository.

About Swaap

Swaap.finance is a decentralized exchange (DEX) protocol providing simple, powerful financial products that introduced the Matrix Market Maker (MMM) system. It is a stochastic, asymmetric, oracle guided, multi-asset constant geometric mean product market maker, and has been thought to address today’s most faced problems in DEXes relying on liquidity providers, namely: impermanent loss, market risks, and asset management complexity.

About Runtime Verification

Runtime Verification is a technology startup based in Champaign-Urbana, Illinois. The company uses formal methods to perform security audits on virtual machines and smart contracts on public blockchains. It also provides software testing, verification services and products to improve the safety, reliability, and correctness of software systems in the blockchain field.