search
Ctrlk
WebsiteTwitterDiscordYoutube

Security

This page contains Arrow's audit history, security architecture considerations and attack attempt history.

hashtag
Audits

file-pdf
188KB
Dedaub Audit.PDF
PDF
arrow-up-right-from-squareOpen
Jan 17th, 2022
file-pdf
447KB
Arrow Markets - Final Report.pdf
PDF
arrow-up-right-from-squareOpen
April 25th, 2022
file-pdf
1MB
Arrow_Markets_V2_Security_Review_Final_Report.pdf
PDF
arrow-up-right-from-squareOpen
Jan 29th 2024
file-pdf
750KB
Security_Review_Arrow_Token.pdf
PDF
arrow-up-right-from-squareOpen
March 14th 2024
file-pdf
817KB
Arrow_Markets_Staking_Security_Review.pdf
PDF
arrow-up-right-from-squareOpen
June 11th 2024
file-pdf
620KB
SECURITY REVIEW ARROW DISTRIBUTION.pdf
PDF
arrow-up-right-from-squareOpen
September 14th 2024

hashtag
Security Architecture

Security is a top priority for Arrow. Our smart contract architecture is stratified. Our hybrid architecutre avoids a P2Pool model which are the primary targets for DeFi attacks. However, we have a dedicated contract (UserFundsManager) which acts as a middleman that facilities options transaction for buys and sell, transferring the funds from the buyer to the seller on purchase. There are multiple layers of redundancy ensuring the FundsManager is secure.

Arrow contracts do not hold any user funds at any moment throughout any transaction. User must approve a set amount of funds for the UserFundsManager to be able to move the funds, which are then transferred directly between users and market makers.

It is important to never give unlimited approval to any contract including ours and only approve an amount you are willing to risk if the approval fund is not immediately used.

hashtag
Attack attempts

hashtag
October 14th 2024:

Background: Our FundsManager contract uses a proxy-delegate structure for upgradeability, specifically the OpenZeppelin UUPS pattern. This means a shell "proxy" contract is deployed at an address that stays fixed for the lifecycle of the contract suite, and an implementation or "delegate" contract is deployed at a separate address that the proxy contract points to. Upgrades work by deploying a new delegate and updating the pointer address in the proxy. When an upgrade happens, an initialize function has to be called to set the contract router and other state variables. Initialize is only called once, and a boolean is set to True to enforce that.

What Happened: During our last upgrade, we included new state variables, inadvertently moving the slot for the initialize boolean. The resulting slot had a value of 0. This allowed an attacker to call the initialize function and insert a malicious contract address in place of our Router. Subsequently, they were able to get around access modifiers in the FundsManager by supplying their own Registry contract address using their malicious Router address. Finally, with this access, they deployed a malicious delegate contract and gained access to any funds that had been approved to the FundsManager proxy, which was 277 USDC. We discovered this almost immediately and shut down the app and notified the affected parties.

Fix: We have deployed new FundsManager proxies and implementations and rewired the frontend and Registry` contracts accordingly. We have shored up our upgrade protocol to include a series of automated checks so the upgrade will fail if any state variables change location. We have also added access modifiers to the initialize functions. Drained funds were returned.

Diagnosis: This is not a weakness of the architecture per-se, but rather a weakness in our upgrade protocols which have now been shored up. We've had multiple audits and work closely with our auditor on an ongoing basis. Because of the modularized components and because it is p2p/p2MM rather than p2pool, Arrow's architecture is much harder to hack than conventional DeFi applications.

PreviousRebatesNextConnect your Wallet

Last updated