MoveBit Completes Security Audit for Transit Finance Aptos Aggregator Contract

MoveBit
5 min read · Dec 22, 2022

After 5 working days of code review and analysis, MoveBit completed the security audit report on the Transit Finance Aptos Aggregator Contract. We are happy to share this report with the community; the PDF version of the security audit report can be downloaded through the link below: https://www.movebit.xyz/file/Transit-Finance-Audit-Report.pdf

Here are the relevant actors with their respective abilities within the Transit Finance Smart Contract:

(1) Admin

(2) User

MoveBit aims to assess repositories for security-related issues, code quality, and compliance with specifications and best practices. Possible issues we looked for included (but are not limited to):
● Transaction-ordering dependence
● Timestamp dependence
● Integer overflow/underflow
● Numeric rounding errors
● Denial of service / logical oversights
● Access control
● Centralization of power
● Business logic contradicting the specification
● Code clones, functionality duplication
● Gas usage
● Arbitrary token minting
● Unchecked CALL Return Values
● The flow of capability
● Witness Type

  1. From the perspective of the contract's external interface functions, MoveBit audited the permissions and logic of the external management interface functions, the functions that users need to call through external contract interfaces, and the logic of the external interface functions that all users will call.
  2. From the perspective of Gas consumed by the contract execution logic, MoveBit gives optimization suggestions for some Gas-consuming code in the contract.
  3. From the perspective of contract code optimization, MoveBit puts forward optimization suggestions for the function logic in the contract to keep the contract code simple.
  4. From the perspective of contract business execution logic, after multiple rounds of communication between MoveBit engineers and the Transit Finance team, the business logic and code execution logic were sorted out, and the Gas-consuming behavior of contract execution was sorted out, to ensure the correctness of the logic of the contract execution process and to ensure that no over-authorized use can occur during execution.

Methodology

The security team adopted the “Testing and Automated Analysis”, “Code Review” and “Formal Verification” strategies to perform a complete security test on the code in a way that is as close as possible to a real attack. The main entry points and scope of security testing are stated in the conventions in the “Audit Objective”, and can be expanded to contexts beyond that scope according to actual testing needs. The main types of this security audit include:

(1) Testing and Automated Analysis. Items to check: state consistency / failure rollback / unit testing / value overflows / parameter verification / unhandled errors / boundary checking / coding specifications.

(2) Code Review (Code Scope):

(3) Formal Verification. Perform formal verification for key functions with the Move Prover.

(4) Audit Process

● Carry out relevant security tests on the testnet or the mainnet;

● If there are any questions during the audit process, communicate with the code owner in time; the code owner is expected to cooperate actively (which may include providing the latest stable source code, relevant deployment scripts or methods, transaction signature scripts, exchange docking schemes, etc.);

● The necessary information during the audit process will be well documented for both the audit team and the code owner in time.

Conclusion:

Feedback from Ghost Chen — Member of the Transit Finance technical team:

‘This cooperation between Transit Finance and MoveBit reflects the high professionalism of MoveBit’s technical team, and we look forward to the next cooperation.’

Transit Finance is a DeFi platform that aggregates multiple blockchains. It makes life easy for DeFi users by enabling them to move their assets effortlessly between various networks and DEXs. Powered by smart contracts, it supports users in achieving optimal returns on their investments efficiently and securely.

Its powerful API can provide real-time price quotes for swaps between arbitrary tokens on various networks. Moreover, it leverages Application Binary Interface (ABI) data to interact with smart contracts on those networks. This provides a new way for users to experience decentralized exchanges, offering better liquidity and generating a better return.

In general, Transit Finance has always applied the concept of “providing convenience for Web3 users” in its development. The audit of the Transit Finance Aptos aggregator contract is the starting point of the cooperation between MoveBit and Transit Finance. We look forward to the next cooperation, continuing to provide a security guarantee for the transaction environment of Transit Finance users, and we will jointly maintain the security of Web3 user assets so that the Move ecosystem becomes the safest Web3 ecosystem.

About Transit Finance

Transit Finance is a cross-chain swap platform that integrates DEXs, aggregated transactions, and one-stop cross-chain swaps. Without certification, users can complete decentralized transactions in real time and instantly swap assets across networks.

Transit Finance Social Media Platforms:

Twitter: https://twitter.com/TransitFinance
Website: https://www.transit.finance/
Telegram: https://t.me/Transit_Finance

About MoveBit

MoveBit is a security company for the Move ecosystem with a vision to make the Move ecosystem the most secure Web3 destination. The MoveBit team is composed of security leaders from academia and enterprise with 10 years of security experience. The team was one of the earliest contributors to the Move ecosystem, working with Move developers to set the standard for secure Move applications.

MoveBit Social Media Platforms:

Official Website | Twitter | Medium | GitHub | Discord
