Loopring_36_Security_Audit

Background

Loopring 3.1 is the first zkRollup implementation on the Ethereum blockchain, a relayer and a DEX (Loopring.io) was launched in March 2020 and is still serving our users. Loopring 3.6 is an improved version with the same technical stack. We expect Loopring 3.6 will be the production version for the next two to three years.

Comparison between 3.1 and 3.6

We made a comparison table to outline the major differences between 3.6 and 3.1.

Scope of security audit for 3.6

Files in the following directories should be covered:

• https://github.com/Loopring/protocols/tree/protocol-36/packages/loopring_v3/circuit/

• https://github.com/Loopring/protocols/tree/protocol-36/packages/loopring_v3/contracts/iface/, except:

  • IProtocolFeeValut.sol
  • ITokenPriceProvider.sol
  • ITokenSeller.sol
  • IUserStakingPool.sol

• https://github.com/Loopring/protocols/tree/protocol-36/packages/loopring_v3/contracts/impl/, except:

  • ProtocolFeeVault.sol
  • UniswapTokenSeller.sol
  • UserStakingPool.sol
  • /price-providers

• https://github.com/Loopring/protocols/tree/protocol-36/packages/loopring_v3/contracts/lib/

• https://github.com/Loopring/protocols/tree/protocol-36/packages/loopring_v3/contracts/thirdparty/, except:

  • /chainlink/

Suggested Focus Areas

Below are a few things I feel like deserve special attentions. We’ll probably add more to this list before the audit.

• Reentrance attack
• Overflow protection against the SNARK scalar field
• Sybil attack in layer-2 account registration
• Worse case scenario analysis, for example, the operator private-key is leaked.
• The circuit code base
• Cost analysis for Deposit/Withdrawal/Trades/Transfer, low cost and high throughput are the most important metrics for zkRollup.