Security is a top priority for Native. Native was built and designed following all of the industry’s best practices. Native’s contracts have been verified on Etherscan and BscScan.
During the audit, Omniscia filtered and validated a total of 12 findings using static analysis tools, and identified a total of 59 findings during the manual review of the codebase.
Based on the findings, the Native team alleviated and/or nullified all the issues raised by the Omniscia team.
FullMath library present in the codebase does not conform to the audited Uniswap V3 implementation as it has been upgraded to a
All function code of the FullMath implementation has been wrapped in unchecked code blocks, ensuring that they are performed identically to the original Uniswap V3 implementation.
The contract is meant to make use of the Pausable dependency to protect the removePoolCreator functions, the modifiers are ineffectual as the contract can never be paused.
Pausable methods are now exposed using homonym functions (unpause) protected with the
exactOutput mechanism is unsafe and inoperable in production due to the significant gas cost as well as stack space it utilizes, causing it to frequently run out of memory (OOM), out of gas (OOG), and/or out of stack space (OOS). Additionally, if a pool is entered twice as part of a multi-order swap the transaction will fail as each pool has a nonReentrant protection mechanism in its
exactOutput functions have been commented out of the codebase rendering this exhibit no longer applicable.
The referenced statements perform an unsafe casting operation from a uint256 data type to an int256 data type. As the casting overflow will benefit the user due to its presence in the executeSwapToTreasury function, a carefully crafted order payload can be exploited to extract a set of funds from the treasury whilst transmitting close to none.
The limitations on the input variables have been properly applied.
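The unsafe uint256 to int256 cast described above, next to a range-checked alternative, as an added Solidity example that is not Native's code. The contract, the function names and the sign convention are hypothetical and chosen only for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration only; not Native's code. All names are hypothetical.
contract CastingExample {
    // Vulnerable pattern: an explicit uint256 -> int256 conversion is not
    // range-checked, even under Solidity 0.8 checked arithmetic. Any input
    // >= 2**255 is reinterpreted as a negative number.
    function toSignedUnchecked(uint256 amount) public pure returns (int256) {
        return int256(amount);
    }

    // Hardened pattern: reject values that do not fit before converting,
    // the same bound OpenZeppelin's SafeCast.toInt256 enforces.
    function toSignedChecked(uint256 amount) public pure returns (int256) {
        require(amount <= uint256(type(int256).max), "amount exceeds int256");
        return int256(amount);
    }

    // Hypothetical signed accounting: a positive delta means the caller owes
    // tokens, a negative delta means the caller is owed tokens. With the
    // unchecked cast an out-of-range amount changes the sign of the delta;
    // with the checked cast the same input reverts instead.
    function callerOwes(uint256 amountIn, bool checked) external pure returns (bool) {
        int256 delta = checked
            ? toSignedChecked(amountIn)
            : toSignedUnchecked(amountIn);
        return delta > 0;
    }
}
```

A unit test for a fix of this kind should cover the boundary values `uint256(type(int256).max)` (accepted) and that value plus one (rejected).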
exactOutputSingle will misbehave if it is invoked with a params.orders argument that contains more than one order. If a user invokes the wrong function, they will end up evaluating an incorrect slippage value for the amountInMaximum comparison, thus causing them to incur slippage they cannot protect against.
exactOutputSingle function has been commented out of the codebase as highlighted in RRE-04M: Inoperable Output Swap Mechanism; this exhibit is nullified.