RUJI Trade (FIN) - THORChain

1. Introduction

THORChain engaged Halborn to conduct a security assessment of the Rujira Trade (FIN) contracts, beginning on January 23rd, 2025 and ending on February 7th, 2025. This security assessment was scoped to the smart contracts in the Rujira GitHub repository. Commit hashes and further details can be found in the Scope section of this report.

Rujira Trade (FIN) is a fully on-chain, decentralized orderbook DEX that combines an O(1) matching algorithm with liquidity from multiple sources, including Rujira's AMM pools (BOW) and THORChain’s Base Layer liquidity.

2. Assessment Summary

The team at Halborn assigned a full-time security engineer to verify the security of the smart contracts. The security engineer is a blockchain and smart-contract security expert with advanced penetration testing, smart-contract hacking, and deep knowledge of multiple blockchain protocols.

The purpose of this assessment is to:

• Ensure that smart contract functions operate as intended

• Identify potential security issues with the smart contracts

In summary, Halborn identified some improvements to reduce the likelihood and impact of risks, which were partially addressed by the Rujira team. The main ones were the following:

• Ensure sum and product parameters are correctly set after a partial distribution.

• Properly reset parameters after a pool reset.

• Remove unnecessary decimal scaling in normalized_price.

• Handle missing decimals fields in QueryPoolResponse.

• Adjust swap calculations to properly refund or account for excess offer amounts.

  
  
  

3. Test Approach and Methodology

Halborn performed a combination of manual and automated security testing to balance efficiency, timeliness, practicality, and accuracy in regard to the scope of this assessment. While manual testing is recommended to uncover flaws in logic, process, and implementation; automated testing techniques help enhance coverage of the code and can quickly identify items that do not follow the security best practices. The following phases and associated tools were used during the assessment:

• Research into architecture, purpose, and use of the platform.

• Manual code read and walk through.

• Manual Assessment of use and safety for the critical Rust variables and functions in scope to identify any arithmetic related vulnerability classes.

• Architecture related logical controls.

• Cross contract call controls.

• Scanning of Rust files for vulnerabilities(cargo audit)

• Review and improvement of integration tests.

• Verification of integration tests and implementation of new ones.