Audit Report

HashCloak Inc. conducted a security audit of Spark, a decentralized exchange (DEX) built on the Fuel blockchain. The audit revealed generally high-quality code but identified several areas for improvement, ranging from medium to informational severity.

Key Findings:

  • Medium Severity:

    1. Storage Update Issue: increase_user_volume function failed to persist changes, affecting protocol fee computation. (Resolved)

    2. Front-Running Vulnerability: Matching orders could be front-run, potentially undermining fairness. (Acknowledged)

  • Low Severity:

    1. Lack of restrictions on order input length in functions like match_order_many could lead to gas exhaustion. (Informed)

    2. Incorrect handling of GTC orders in fulfill_order_many led to unintended cancellations. (Resolved)

  • Informational Severity:

    1. Lack of documentation impedes auditability and maintenance. (Unresolved)

    2. Dead code and unused imports found in multiple places. (Partially resolved)

    3. Misleading function naming (log_order_change_info) suggests logging but doesn’t emit events. (Acknowledged for renaming)

    4. Redundant require statement in order_id function. (Unresolved)
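The first Medium finding and the first Low finding both come down to a few lines of contract code. The Sway sketch below is an added illustration, not Spark's code and not the auditors' proof of concept: it puts the lost-update pattern (a new value computed on the stack but never written back to storage) beside its corrected form, and shows a batch entry point that bounds its input length before doing any work. The storage layout, the abi name, the MAX_ORDERS_PER_CALL bound of 64 and the use of b256 order identifiers are assumptions made for the example.

```sway
contract;

use std::hash::Hash;

// Added illustration, not Spark's code. The storage layout, the abi,
// MAX_ORDERS_PER_CALL and the b256 order identifiers are assumptions.
const MAX_ORDERS_PER_CALL: u64 = 64;

storage {
    // Cumulative traded volume per account; assumed to feed fee tiering.
    user_volume: StorageMap<Identity, u64> = StorageMap {},
}

abi VolumeTracker {
    #[storage(read, write)]
    fn increase_user_volume_buggy(user: Identity, amount: u64);
    #[storage(read, write)]
    fn increase_user_volume(user: Identity, amount: u64);
    #[storage(read)]
    fn user_volume(user: Identity) -> u64;
    #[storage(read, write)]
    fn match_order_many(orders: Vec<b256>);
}

impl VolumeTracker for Contract {
    // The lost-update pattern: the new total is computed locally and the
    // function returns without writing it, so the next read still sees the
    // old value and any fee computed from it is stale.
    #[storage(read, write)]
    fn increase_user_volume_buggy(user: Identity, amount: u64) {
        let current = storage.user_volume.get(user).try_read().unwrap_or(0);
        let _updated = current + amount; // never persisted
    }

    // Corrected form: the updated total is inserted back into the StorageMap.
    #[storage(read, write)]
    fn increase_user_volume(user: Identity, amount: u64) {
        let current = storage.user_volume.get(user).try_read().unwrap_or(0);
        storage.user_volume.insert(user, current + amount);
    }

    #[storage(read)]
    fn user_volume(user: Identity) -> u64 {
        storage.user_volume.get(user).try_read().unwrap_or(0)
    }

    // Bound the batch size before touching storage, so a caller cannot hand
    // in a Vec whose processing alone exhausts the transaction's gas.
    #[storage(read, write)]
    fn match_order_many(orders: Vec<b256>) {
        require(orders.len() > 0, "empty batch");
        require(orders.len() <= MAX_ORDERS_PER_CALL, "too many orders");
        let mut i = 0;
        while i < orders.len() {
            // Per-order matching is out of scope here; the id is logged so
            // the loop has an observable effect in a test deployment.
            log(orders.get(i).unwrap());
            i += 1;
        }
    }
}
```

A quick check for the first pattern in any Sway test harness is to call the increment, read the value back and assert it grew; the buggy variant passes compilation with read and write storage attributes, so only a behavioural test catches it. For the second, the right bound is whatever keeps the worst-case per-call gas under the network's transaction limit, which has to be measured against the deployed matching logic rather than chosen by hand.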

Audit Methodology:

  • Static analysis using tools like sway-analyzer.

  • Manual code review.

  • Functional tests using Spark’s CLI and Fuel testnet deployment.

Severity Breakdown:

  • Critical: 0

  • High: 0

  • Medium: 2

  • Low: 2

  • Informational: 4

Recommendations:

  1. Enhance documentation for better clarity on functionality and fee structures.

  2. Address identified vulnerabilities, especially around front-running and input validations.

  3. Remove or refactor dead code and redundant checks.

  4. Improve clarity in function naming and ensure all significant actions emit appropriate logs.

Resolution Status: The Spark team has responded to every finding. Both Medium issues and the GTC-order Low issue are marked resolved above; the front-running, input-length and informational items are acknowledged, partially resolved or still open, as noted against each finding.

Full Report: Users can read the full report at the following link:
