Trail of Bits

PixelSwap DEX

Type: Security review

Client: PixelSwap Labs Ltd

Date: 2024-12

Domain: Blockchain

Effort: 6 wks

Section: Other/Multi-Chain

Trail of Bits's security review of PixelSwap Labs Ltd (Dec 2024) identified 24 issues: 9 high, 2 medium, 2 low, 9 informational, and 2 undetermined.

Findings · 24

  1. The BulkInternalTransfer receiver computes the wrong total amounts (High)
  2. Granting the role to the master funding contract on a funding wallet contract will result in draining the funding wallet balance (High)
  3. Users can inflate their funding wallet balance by sending an expired Swap message to the settlement contract (High)
  4. SettlementVault balances are not updated in the PlaceOrder_Partial_2 receiver of the settlement contract (Informational)
  5. Lack of validation of PixelswapStreamPool configuration parameters (Informational)
  6. Users can drain the TON balance of the PixelswapSettlement contract (High)
  7. Users can avoid paying the gas fee for the token creation transaction (Low)
  8. The tokens_count initial value in the PixelswapStreamPool contract is zero (Informational)
  9. The returned TON amount from an order execution result is ignored (Informational)
  10. Wrong formula used for LP amount calculation (High)
  11. Users can use nested PlaceOrders to drain the settlement contract (High)
  12. The LP tokens are never burned by the Stream Pool contract (High)
  13. Lack of the pair_id and token_id validation in the PixelswapStreamPool contract (High)
  14. The value attached to messages is not checked to be positive (Informational)
  15. The current balance is not checked before sending a message with a non-zero value (High)
  16. The exec_id value is not validated for the internal orders in nested PlaceOrder messages (Medium)
  17. The token_balance get function reverts if a user balance is 0 (Undetermined)
  18. Different parsing formats for Jetton notification messages (Medium)
  19. The JettonFactory contract allows minting zero tokens (Informational)
  20. Incorrect gas calculations in several contracts (Undetermined)
  21. A privileged account can drain the PixelswapStreamPool contract (Low)
  22. The fee recipient accounts cannot be changed in the Stream Pool contract (Informational)
  23. The gas checks in the PixelswapStreamPool contract are wrongly placed (Informational)
  24. Users cannot deposit only Jetton to their funding wallet (Informational)

Findings extracted from the published report PDF. See the full report below for details and remediation.
