Incognito-Ethereum bridge audit

In February 2021, Incognito engaged Coinspect to perform a source code review of the smart contracts that comprise the Incognito-Ethereum bridge. The goal of the audit was to evaluate the security of the smart contracts.

The main contracts are:

  • IncognitoProxy: stores beacon and bridge committee members of the Incognito Chain, and other contracts can query this contract to check if an instruction is confirmed on the Incognito Chain.

  • Vault: responsible for deposits and withdrawals; it holds assets (Ether or ERC20 tokens) and emits events that the Incognito Chain interprets as minting instructions; and when presented with a burn proof created over at the Incognito Chain, it releases the assets back to the user.

We believe the audit will make Incognito users (so does the core team) feel more confident, at least in aspects of security.

The official and detailed report can be found at https://www.coinspect.com/incognito-audit/

18 Likes

Is the team happy with the completeness and effectiveness of the audit for the money? It’s helpful for us as the community and thank you for making recommended fixes already. I’m just curious about the process and your experience going through this audit.

2 Likes

I’m not that technical but great to see this released and hope that it’s helped alleviate some concerns people have had. Good to see fixes being made too.

1 Like

Yes, we definitely are. Auditing by an external and competent firm usually helps.

I’m just curious about the process and your experience going through this audit

The process was quite common. After signing a contract, in the first few weeks, we communicated back and forth to define the scope of the audit as well as help Coinspect team understand the logic (and some intentions) of the smart contracts. They spent then 2-3 weeks doing the audit and gave us questions/recommendations. This is the first round.

In the second round, we’ve fixed the reported issues/recommendations for 3-4 weeks and Coinspect did another review for the fixes.

When they confirmed that the fixes were okay, we discussed a little bit about the final report (yes, the report is extremely important for not only the core devs team but community in my opinion since the users have a right to know how their money is secured).

In general, the experience with Coinspect team was great, they were really experienced, cooperative, and accountable with what they did. In the future, we will prefer to work with them for the other audits.

8 Likes

Thank you @duc for the completeness of the report and the dev teams’ work on the issues that were found and resolved and in addition to the fact that there are and will be further audits and reports to come in the future. Indeed the auditing and presentation of the report goes a long way in helping strengthen the trust and transparency so necessary for Incognito to survive and more so to continue to grow…once again thank you for the progress of the project in this aspect… :sunglasses:

5 Likes

Really good to have this audit report. Can you further provide an action plan on the results? Can you publish the next audit date?