Zellic’s Audit of Radix Code | Radix Blog

The security analysis company Zellic has finalized a thorough, 33-week assessment of the Radix codebase, concentrating on safety of assets, security in architectural design, and operational continuity. Their results were highly positive, identifying only six issues, with none categorized as high or critical. All but one of the identified concerns were addressed promptly prior to the audit’s completion.

The team at Zellic initially harbored doubts regarding the innovative Radix security model, which departs from the typical pattern where authorization originates from the caller, opting instead for a badge-based, unified security approach. However, as the audit progressed, they recognized the design’s flexibility and resilience; they ultimately praised its straightforwardness, acknowledging that it effectively prevents many subtle bugs encountered in other networks.

Audit Methodology

Zellic possesses substantial expertise in evaluating Layer 1 and Layer 2 solutions, including EVM and other platforms like Aptos, Sui, Solana, Berachain, LayerZero, and Cosmos. Their audit strategy is methodically organized to identify:

  • Programming errors – these are prevalent sources of vulnerabilities, not stemming from the overall design or structure but rather from ordinary bugs that can lead to severe consequences.
  • Architectural vulnerabilities – these arise from fundamental system features and assumptions.
  • Mathematical errors – issues that can occur during calculations, such as overflows, underflows, incorrect rounding, and precision loss.
  • Implementation vulnerabilities – risks tied to turning the overall design into layered, interconnected code implementations.
  • Operational issues – these can lead to disruptions in system liveness, often due to unhandled errors, unbounded calculations, or consensus failures from non-deterministic behavior.

Findings

Overall, Radix excelled in its audit, with the team consistently impressed by its defense-in-depth strategy and robust ownership guarantees. The auditors often anticipated being able to execute unauthorized actions by fabricating scenarios to bypass expected higher-level access checks, only to find it impossible due to the architecture’s refusal to trust higher layers.

The architecture also stood resilient against attempts to create operational lapses through inventive panic-inducing scenarios; the layered design effectively contained any user code issues, with rigorous testing confirming that all panics were managed safely and correctly.

The majority of discovered issues pertained to operation fee calculations, permitting a knowledgeable attacker to extend network validation time beyond what their transaction cost in XRD would normally allow. These were swiftly resolved through adjustments to the fee structure.

Additionally, an issue regarding subgroup membership checks in BLS signature aggregation within Scrypto was noted, where the subgroup verification for the initial signature was neglected. While appropriate checks were in place during the aggregate verification process, and no practical exploit was demonstrated, this incorrect behavior was promptly rectified.
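The shape of that bug, as an added example (not code from Radix or Zellic): an aggregation routine that seeds its accumulator with the first element never runs the membership test on it. As an assumption made so the block is self-contained, the multiplicative group modulo 23 and its order-11 subgroup stand in for the BLS curve group and its prime-order subgroup; all function names are hypothetical.

```rust
// Toy stand-in (assumption): Z_23^* plays the role of the curve group and
// its order-11 subgroup plays the role of the valid-signature subgroup.
const P: u64 = 23; // constructed modulus, P = 2 * Q + 1
const Q: u64 = 11; // prime order of the subgroup

fn pow_mod(mut base: u64, mut exp: u64, m: u64) -> u64 {
    let mut acc = 1;
    base %= m;
    while exp > 0 {
        if exp & 1 == 1 { acc = acc * base % m; }
        base = base * base % m;
        exp >>= 1;
    }
    acc
}

/// Membership test: x lies in the order-Q subgroup iff x^Q == 1 (mod P).
fn in_subgroup(x: u64) -> bool {
    x > 0 && x < P && pow_mod(x, Q, P) == 1
}

/// Flawed shape: the accumulator is seeded with the first element, which
/// therefore never passes through the membership test.
fn aggregate_skipping_first(sigs: &[u64]) -> Result<u64, &'static str> {
    let (first, rest) = sigs.split_first().ok_or("empty input")?;
    let mut agg = *first;
    for &s in rest {
        if !in_subgroup(s) { return Err("element outside subgroup"); }
        agg = agg * s % P;
    }
    Ok(agg)
}

/// Corrected shape: seed with the identity so every element is checked.
fn aggregate_checked(sigs: &[u64]) -> Result<u64, &'static str> {
    if sigs.is_empty() { return Err("empty input"); }
    let mut agg = 1;
    for &s in sigs {
        if !in_subgroup(s) { return Err("element outside subgroup"); }
        agg = agg * s % P;
    }
    Ok(agg)
}

fn main() {
    let tampered: [u64; 3] = [5, 3, 6]; // constructed: 5 is outside the subgroup
    println!("{:?}", aggregate_skipping_first(&tampered));
    println!("{:?}", aggregate_checked(&tampered));
}
```

The flawed routine returns an aggregate that is itself outside the subgroup, so a membership check at verification time still rejects it, which matches the audit's note that the aggregate verification checks were in place.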

Praise for the Resource and Badge Systems

The auditors from Zellic were quick to acknowledge the native resource model of Radix as a remarkable characteristic, highlighting that it lets the execution engine uphold invariants and eliminates potential bugs associated with token management on various networks, at both the system level and the smart contract level.

They expressed admiration for how smoothly this integrated into the badge-based security model, declaring, “It is an exceptionally clean and straightforward system, making it tremendously challenging to introduce access control issues through user error.” They specifically commended the access control framework, focusing on the native Account component:

A significant aspect of Radix’s approach is that access control is inherently built-in. For instance, each account is created based on the native accounts blueprint, with its underlying logic restricted to what this blueprint encompasses. This design ensures that security protocols—like preventing unauthorized access to accounts—are enforced at the blockchain level, making it impossible for user error to lead to implementation issues.

In contrast, establishing smart accounts on Ethereum necessitates the use of user-defined smart contracts (such as ERC-4337) along with off-chain entities to facilitate transactions for these accounts. Additionally, since smart contracts do not inherently possess access control logic, developers must manually incorporate such measures within the smart account system.

Praise for the Security and Ownership Systems

The straightforward framework of single ownership paired with strong security assurances received consistent commendation throughout the audit. The auditors found themselves able to eliminate whole categories of common flaws, given their impracticality within the Radix architecture.

In the audit documentation, they illustrated that, while safely coding and validating flash loans could be problematic on other networks, “in Radix, it becomes a simple exchange of resources, with clear intent and security assured by the ownership rules.” They further stated, “This principle is evident throughout Radix across all implementation levels. Even fundamental features like resource management rely on these ownership guidelines instead of complex invariant checks…simple rules yield robust security.”

This audit was a notably thorough review process, with the Zellic team swiftly grasping the unique architecture and principles of Radix. Throughout the audit, they provided continual communication, addressing queries promptly and offering daily updates. All discoveries were reported immediately, facilitating rapid resolutions. Both teams enjoyed the collaboration, diving into and rigorously testing the architectural decisions associated with the Babylon release.

Similar to the previous audit by Hacken, a highlight was witnessing the auditors’ initial skepticism gradually evolve into genuine admiration for the design and implementation.
