Incognito-Ethereum bridge audit

In February 2021, Incognito engaged Coinspect to perform a source code review of the smart contracts that comprise the Incognito-Ethereum bridge. The goal of the audit was to evaluate the security of the smart contracts.

The main contracts are:

  • IncognitoProxy: stores beacon and bridge committee members of the Incognito Chain, and other contracts can query this contract to check if an instruction is confirmed on the Incognito Chain.

  • Vault: responsible for deposits and withdrawals; it holds assets (Ether or ERC20 tokens) and emits events that the Incognito Chain interprets as minting instructions; and when presented with a burn proof created on the Incognito Chain, it releases the assets back to the user.

We believe the audit will make Incognito users (and the core team as well) feel more confident, at least in terms of security.

The official and detailed report can be found at https://www.coinspect.com/incognito-audit/

Is the team happy with the completeness and effectiveness of the audit for the money? It’s helpful for us as the community and thank you for making recommended fixes already. I’m just curious about the process and your experience going through this audit.

I’m not that technical but great to see this released and hope that it’s helped alleviate some concerns people have had. Good to see fixes being made too.

Yes, we definitely are. Auditing by an external and competent firm usually helps.

“I’m just curious about the process and your experience going through this audit.”

The process was quite standard. After signing the contract, in the first few weeks we communicated back and forth to define the scope of the audit and to help the Coinspect team understand the logic (and some of the intentions) of the smart contracts. They then spent 2-3 weeks doing the audit and gave us questions/recommendations. This was the first round.

In the second round, we fixed the reported issues/recommendations over 3-4 weeks and Coinspect did another review of the fixes.

When they confirmed that the fixes were okay, we discussed the final report a little (yes, in my opinion the report is extremely important not only for the core dev team but also for the community, since users have a right to know how their money is secured).

In general, the experience with the Coinspect team was great; they were really experienced, cooperative, and accountable for what they did. In the future, we would prefer to work with them for the other audits.

Thank you @duc for the completeness of the report and the dev team’s work on the issues that were found and resolved, and in addition for the fact that there are and will be further audits and reports to come in the future. Indeed, the auditing and presentation of the report go a long way in helping strengthen the trust and transparency so necessary for Incognito to survive and, more so, to continue to grow. Once again, thank you for the progress of the project in this aspect.

Really good to have this audit report. Can you further provide an action plan on the results? Can you publish the next audit date?

What does Coinspect charge for such an audit? Just interested, no special thoughts.

Seems like the audit went pretty well.
I’d like to ask how you’ll want to approach:
“it is also recommended to consider resigning admin access in the future to make the contracts fully autonomous, or consider options for decentralized governance.”?

Yes, resigning the admin account is also our ultimate goal for the smart contract, but to be clear, admin access is not there to control the funds locked in the contract but to upgrade the contract’s features/logic when needed (as you may see, Incognito is still under active development and improvement). Once we feel that the contract no longer needs any upgrades, we will resign the admin access for sure.