Documenting the external audit of the smart contract

[loredanacirstea]

Scope:

• RaidenMicroTransferChannels contract: https://github.com/raiden-network/microraiden/blob/master/contracts/contracts/RaidenMicroTransferChannels.sol
• MicroRaidenEIP712Helper contract: https://github.com/raiden-network/microraiden/blob/master/contracts/contracts/MicroRaidenEIP712Helper.sol
• ECVerify library: https://github.com/raiden-network/microraiden/blob/master/contracts/contracts/lib/ECVerify.sol
• Token.sol: https://github.com/raiden-network/microraiden/blob/master/contracts/contracts/Token.sol

Outcome:

1. redundant: either token or token_address, isToken, prefix
   fixed in Remove isToken, prefix, token_address #196

Reviewed version for issues below: https://github.com/raiden-network/microraiden/tree/81920e4162da8b00ba54212de619668d42c11120

2. tl;dr In this contract, the sender needs to fully trust the owner.
   Owner can be malicious / his account can be compromised and change MicroRaidenEIP712Helper.getMessageHash by deploying another contract with malicious code and changing the address in RaidenMicroTransferChannels with setEip712HelperContract.

Possible scenarios:

• getMessageHash is changed -> channels are locked, because the sender's signature from _balance_msg_sig cannot be recovered.
• owner colludes with 1 or > receivers to modify the function so that they can get more tokens out of the channels than they are owed (amount of tokens limited by the actual channel deposit)

The receiver can use any hash of a signed message from the sender, to be returned in a hardcoded way in the EIP712 helper.

(e.g. : in RaidenMicroTransferChannels.cooperativeClose -> verifyBalanceProof, getMessageHash can return the hash corresponding to _balance - 100 instead of _balance. This means the receiver can provide an authentic _balance_msg_sig with balance = _balance - 100, but use _balance as an argument for cooperativeClose.)

Possible solution:

Adding a function to change the owner would be important. Specially if the owner address gets compromised.
I would put another role. eip712updater so you can set it to 0x0 when the eip712 standard is stabilized. And still maintain the option to setLatestVersionAddress. Needed methods: changeOwner, changeEip712updater .. In the constructors both vars can be set to msg.sender

Having owner and eip712updater diferently allows to cancel the possibility to change the eip712 helper and still update the version.

IMO, if there is an eip712 update, I would deploy a full new contract.

3. This smart contract has a huge risk that people just do a normal transferto this contract of pure ERC20 tokens thinking they were ERC223 tokens. The consequence of that is that he just burn the tokens.
   So, I would add a protection where an owner could remove any foreign tokens sent erroneously to this contract. and also this extra tokens that are there but should not be there. This last will require to add a global variable with the tokens that is supposed to have the contract. This variable will be updated every time a channel is created, toped, or settled.

4. An event for setLatestVersionAddress and setEip712HelperContract would be good.

5. I agree with Lefteris about using ENS for last version. This is much more easy and you remove the need for the owner here.

6. In

   microraiden/contracts/contracts/RaidenMicroTransferChannels.sol

   Line 64 in 81920e4

   event ChannelCreated(

   I would add _open_block_numberlike other ovents. I know it’s not stricly necessary, but standarizes the format of the events.

7. require(_challenge_period > 500)

8. require(Token(_token).totalSupply() > 0) in RaidenMicroTransferChannels constructor, to check if it is really a token.

9. Side comment: I would expect that for EIP223 the data follows the solidity convention: 4 bytes (method selector) and then the params. In this case you would not have to distinguish the function by the length of the data which is not very elegant. ( but more optimal )
   

   microraiden/contracts/contracts/RaidenMicroTransferChannels.sol

   Line 154 in 9290006

   // topUp - receiver address (20 bytes) + open_block_number (4 bytes) = 24 bytes

10. Why do you don’t use eip712 for _closing_sig ?

[loredanacirstea]

1. fixed in Remove isToken, prefix, token_address #196
2. I can confirm that the issue exists. We use the _balance parameter to actually change the state. This can be bigger than the one signed by the sender and falsely verified if the hash function is changed.

• owner account compromised: It is the owner's fault and responsibility if his account is compromised.
• owner colluding with receivers: ideally, we can solve this before the milestone 2 release.
  Worst case scenario: we make it very clear that users should not trust contracts deployed by others and to open channels with small deposits for the moment. The contract owner will be removed & the getMessageHash will be re-introduced inside the main contract as soon as EIP712 is standardized and we are sure there will be no breaking changes any time soon - a new release will be announced at that point.
• Worst worst case scenario (from my point of view) is not delivering on time.

fixed in #209 by removing owner_address and all functions that used isOwner : setLatestVersionAddress (not necessary), setEip712HelperContract, MicroRaidenEIP712Helper, included the getMessageHash logic into the main contract again (we can re-deploy after EIP712 changes).

3. We do not have an owner anymore.
   It is the user's responsibility to make sure he sends tokens to the correct receiver (in this case, he should know to not send tokens directly to a contract address) or uses contract functions appropriately.

4. agreed. not needed anymore. has been removed in Decentralise: remove owner, eip712 helper, latest address setter #209

5. agreed.

6. Our reason for not adding it: _open_block_number was initially there, we removed it to save gas, as it can be retrieved from the event block number.

7. Contract - require challenge_period >= 500 #219

8. Contract - check constructor arg is a Token address #220

9. Optimising + to have better control on what functions are called. I agree that standardizing is good though. We can rethink this for another release.

10. closing_sigis not visible at all for the user, being generated by our server code. For now, this is acceptable from my point of view. After eip712 is standardized we will use the same algorithm for it.
    My understanding is EIP712 is very good for UI trust-free signatures. So, I do not see a real technical or trust-related downside. And it is just signing another signature, without adding other data.

[loredanacirstea]

Everything here has been fixed