Vega Protocol Security Review: Ethereum side Smart Contracts of the Ethereum bridge to Vega
BTblock has partnered with Vega to conduct a code review and security assessment of the Ethereum-side smart contracts of the Ethereum bridge to Vega. The bridge consists of a smart contract per asset class and a generic asset pool. When a user wants to deposit or withdraw collateral into a Vega network, they use an approved ERC20 token with the ERC20 bridge contract for the appropriate network.
This launch of decentralized derivatives on Vega is a significant event for the broader cryptocurrency ecosystem. It is likely the first network to create a purpose-built blockchain allowing for permissionless market creation and trading of margined derivatives. Markets will be open and decentralized, with pseudonymous participants.
What is Vega?
Vega innovates with its built-in liquidity incentives to match traders and market makers across any financial product to solve the problem of attracting and allocating market-making resources, especially for long-tail markets. Any participant will be able to easily create and launch markets pseudonymously by using a toolkit of product features and economic primitives. All cash flows and settlement instructions can be easily specified using this toolkit.
The Protocol will eventually connect to all significant blockchains for collateral, which can be in any digital asset, including Bitcoin, ERC20 tokens, and stable coins.
By aiming at the fundamental problems with the current centralized financial system, Vega aims to create a parallel system that fixes those problems by writing rules for rewards and incentives that balance the design, keep it fair, and help it grow.
The Vega protocol will eventually be free and open-source software, governed by the community, so that it can develop and evolve with the needs of its users.
The BTblock Process
When BTblock performs an assessment, we focus on the code committed at a specific time, when the code base is feature complete. Our goal is to give our clients the following:
• A better understanding of their security posture, and help in identifying current and future risks in their deployed chain and contract infrastructure.
• An opinion on the security measures in place, regarding their maturity, adequacy, and efficiency.
• Identification of potential issues, including loss-of-funds scenarios, with improvement recommendations based on the results of our assessment.
• A better understanding, for the development team, of how to write and maintain more secure code. The incremental increase in security is part of the overall increase in the quality of the project.
In reviewing solutions such as Vega, we start from a threat assessment of possible exploits of the system. We then review the code, the authentication scenarios of the program and all its components, and fund-loss scenarios. This review met our requirements for an effectively implemented product in all situations, including the resolution of any findings we uncovered.
Findings & Report
During the Security Assessment for the Ethereum side Smart Contracts of the Ethereum bridge to Vega, we discovered:
• 4 findings with a MEDIUM severity rating.
• 1 finding with a LOW severity rating.
NOTE: The Vega team quickly resolved all findings to our satisfaction.
Smart contracts provided by Vega enable Ethereum users to stake ETH and ERC20 tokens in asset pools. A signature-threshold mechanism approves access to the pools' assets and governance. The contract responsible for verifying signatures met all security requirements, apart from a couple of edge cases. We did not find any critical fund-loss weaknesses, and the team quickly resolved all findings in the code to our satisfaction before deployment. In general, the code was clear and very well documented.
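As an added illustration (hypothetical code, not the Vega bridge contracts BTblock reviewed), a minimal signature-threshold gate of the kind described above, with the checks such a verifier needs: only distinct approved signers count, the zero address that ecrecover returns on malformed input is rejected, a one-time nonce guards against replay, and the contract address is bound into the signed digest. The report does not say which edge cases were found; the checks shown are general assumptions, as is the raw-digest signing scheme.

```solidity
pragma solidity ^0.8.0;
// Hypothetical threshold-signature gate for a bridge asset pool;
// illustrative only, not the Vega bridge contracts reviewed above.
contract ThresholdGate {
    mapping(address => bool) public isSigner;
    uint256 public threshold;                  // distinct valid signatures required
    mapping(uint256 => bool) public usedNonce; // replay protection per approved message
    constructor(address[] memory signers, uint256 _threshold) {
        require(_threshold > 0 && _threshold <= signers.length, "bad threshold");
        for (uint256 i = 0; i < signers.length; i++) {
            require(signers[i] != address(0) && !isSigner[signers[i]], "bad signer");
            isSigner[signers[i]] = true;
        }
        threshold = _threshold;
    }
    // Checks that `sigs` (concatenated 65-byte r||s||v signatures) carries at least `threshold`
    // signatures from distinct approved signers over `message`, bound to this contract and `nonce`.
    // Assumption: signers sign the raw digest (no EIP-191 prefix).
    function verify(bytes memory message, uint256 nonce, bytes memory sigs) public returns (bool) {
        require(!usedNonce[nonce], "nonce used");
        require(sigs.length % 65 == 0, "bad sig length");
        bytes32 digest = keccak256(abi.encode(message, nonce, address(this)));
        address[] memory seen = new address[](sigs.length / 65);
        uint256 valid = 0;
        for (uint256 i = 0; i < sigs.length / 65; i++) {
            (bytes32 r, bytes32 s, uint8 v) = _split(sigs, i);
            address signer = ecrecover(digest, v, r, s);
            // ecrecover yields address(0) on malformed input: never count it
            if (signer == address(0) || !isSigner[signer]) continue;
            bool dup = false;
            for (uint256 j = 0; j < valid; j++) if (seen[j] == signer) dup = true;
            if (dup) continue; // the same signer repeated must not count twice
            seen[valid++] = signer;
        }
        require(valid >= threshold, "threshold not met");
        usedNonce[nonce] = true; // consume the nonce only once the approval is accepted
        return true;
    }
    function _split(bytes memory sigs, uint256 i) internal pure returns (bytes32 r, bytes32 s, uint8 v) {
        assembly {
            let p := add(add(sigs, 32), mul(i, 65))
            r := mload(p)
            s := mload(add(p, 32))
            v := byte(0, mload(add(p, 64)))
        }
        if (v < 27) v += 27; // accept both 0/1 and 27/28 recovery ids
    }
}
```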
The original BTblock report can be found below:
The updated BTblock report can be found below: