Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Aori 0.3.1 Upgrade>Discussion>Checks-effects-interactions pattern
GeneralOverview
Findings
Medium (2)
Informational (4)
DiscussionChecks-effects-interactions patternUnnecessary signature in depositNative
DesignComponent: Aori contract (version 0.3.1 upgrade)
Audit ResultsAssessment Results

Checks-effects-interactions pattern

Several functions in the codebase update the order status after performing external calls:

  • deposit (with and without hook)

  • fill (with and without hook)

  • cancel (from the destination chain)

Additionally, the withdraw function reduces the unlocked balance after transferring tokens.

While all functions except cancel are protected by a reentrancy guard (see Finding ref), we still recommend following the checks-effects-interactions pattern. Contract state changes, such as updating balances or order status, should be made before performing any external calls. Following this pattern increases resilience against reentrancy risks and helps ensure safety even if protections like reentrancy guards are later removed or missed.

This issue has been acknowledged by Aori, and a fix was implemented in commit 658d3cd5.

Zellic © 2025Back to top ↑