Augur Core Audit

The Augur team asked us to review and audit their Augur Core project. We looked at the code and now publish our results.

The audited project can be found in the AugurProject/augur-core GitHub repository. The version used for this report is commit 45e1afb7eb1a895d923c97fe01e068c772c583ef.

Update: the Augur team implemented some of our recommendations and added new features, after which we performed a second audit round. The commit for the final audit is 3b5a63d372d205a0214e3061293d5bca0fd5636a.

Update 2: the Augur team implemented our additional recommendations after the second audit. The final commit containing all the fixes is 7f3c79a5dd471a98df8f66a640902e063f15f796.

The full report can be found here, and a summary list of the issues, ordered by severity, follows.

Critical Severity

High Severity

Medium Severity

Low Severity

Conclusion

Thirteen critical and ten high severity issues were found, along with recommendations on how to fix them. Additionally, some medium and lower severity issues were found and explained. Some changes were proposed to follow best practices and reduce the potential attack surface.

Note that as of the date of publishing, the above review reflects the current understanding of known security patterns as they relate to the Augur project. The above should not be construed as investment advice or an offering of REP tokens. For general information about smart contract security, check out our thoughts here.