Enhancing Security for Tegro DEX’s Trading platform

The Tegro Gen2 Decentralized Exchange offers efficient orderbooks, gasless quotes, and a lightning-fast matching engine capable of settling up to 500K trades per second. Features include Binance-like APIs, up to 3X gas savings, MEV resistance, and custody-less trading directly from personal wallets, all of which enhance trading efficiency and security.

A Next-Generation DEX Merging Centralized Speed with Decentralized Security

Tegro is a Gen2 DEX that merges the speed and efficiency of centralized platforms with the security and autonomy of decentralized systems, enabling high-frequency on-chain trading at scale. Revolutionizing the DeFi landscape, Tegro offers an advanced order book system with gasless quotes, rapid trade executions, robust MEV protection, and crucially, custody-less fund transfers. Enhanced by lightning-fast orders and up to a 3x reduction in gas fees, alongside API bot access akin to platforms like Binance or Coinbase, Tegro combines the performance of a CEX with the trust of a DEX. This platform caters to retail traders and is the go-to solution for traders who demand precision, speed, and security in their on-chain interactions.

Tegro DEX's Security Enhancements: Addressing Decimal Discrepancies, Compiler Stability, and Execution Timeliness

The security of Tegro DEX was thoroughly audited, revealing several areas needing enhancement to bolster both functionality and safety. One notable issue was the calculation error in the TegroDEX.sol contract's _calculateTotalPrice() function. Transactions involving tokens with different decimal places were inaccurately calculated, potentially affecting financial accuracy. To remedy this, we suggested revising the calculation to align with the quoteTokenDecimals, ensuring accuracy in transaction values. Another critical area was the use of unfixed Solidity versions, which could lead to inconsistencies and vulnerabilities when deploying contracts. By recommending the use of a specific, tested compiler version, we aimed to stabilize the deployment environment. Additionally, the lack of expiry timestamps in orders was identified, which could lead to outdated orders being executed unintentionally. Introducing an expiry timestamp feature would add a layer of security by ensuring that only current transactions are processed. These enhancements, among others, are instrumental in maintaining the integrity and reliability of Tegro DEX, making it a safer platform for users to engage in decentralized trading.

Tegro's Journey Through our Audit Process

• Information Gathering:
• The project manager began with a comprehensive review of all documentation provided by Tegro, encompassing project specifications, functional requirements, and architectural designs.
• This phase was crucial for developing a deep understanding of the intended functionalities and the overall business logic behind the Tegro contracts, setting the stage for a targeted audit approach.
• Manual Code Review:
• Post-information gathering, senior auditors conducted a line-by-line inspection of the TegroDex and TegroDEX Settlement contracts.
• This meticulous review utilized their deep expertise in smart contract security to pinpoint potential vulnerabilities, coding errors, and other susceptibilities that could be exploited.
• Functional Testing:
• Aligned with the manual review, comprehensive functional testing was executed, simulating a variety of use cases and transaction scenarios.
• The objective here was to confirm that the contracts performed as intended according to their specifications, identifying any functional discrepancies or unexpected behaviors.
• Automated Testing:
• The audit also integrated automated testing tools to supplement the manual testing efforts.
• These tools allowed for the execution of an expanded set of test cases, thereby enhancing the audit's overall efficiency and coverage. This blend of manual and automated testing ensured a thorough evaluation of the smart contracts.
• Report and Remediation:
• Upon completing the testing phases, a detailed audit report was produced, listing all identified vulnerabilities sorted by severity (medium, low, informational).
• Each identified issue was clearly described, including its potential impact and recommended steps for remediation.
• The Tegro team received a comprehensive roadmap to rectify these issues and fortify the security of their smart contracts.

QuillAudits' Strategic Approach to Tegro Security Audits

We prioritize threat modeling based on Tegro-specific risks, adopting a security-first approach to identify and mitigate vulnerabilities beyond mere functionality testing. Combining white-box and black-box tests, we conduct comprehensive vulnerability assessments. We ensure transparent and open communication with the Tegro team throughout the audit. Emphasizing clarity, we deliver actionable insights for effective issue resolution.

Comprehensive Audit Discoveries and Remediation Strategies

Audit Discoveries

During the audit of Tegro's primary contracts—TegroDex and TegroDEX Settlement—we uncovered various issues categorized by severity, including one medium severity issue, three low severity issues, and five informational severity issues. Key findings included:

• Incorrect Total Price Calculation: The _calculateTotalPrice() function in TegroDEX.sol struggled with decimal discrepancies, inaccurately computing the total price for transactions involving different token decimals.
• Unfixed Pragma Versions: The use of unfixed Solidity versions in the TegroDEXSettlement and TegroDEX contracts risked inconsistency and potential bugs during deployment.
• Missing Expiry Timestamps: Orders lacked expiry timestamps, potentially allowing outdated orders to be executed.
• Fee Calculation Loophole: A loophole in fee calculations allowed fees to be bypassed on small matched amounts due to rounding errors in Solidity.
• Unsecured Initializers: The absence of _disableInitializers() in contract constructors left a backdoor open for malicious initialization.
• Confusion with Fee-on-Transfer Tokens: Transactions involving fee-on-transfer tokens could confuse due to unanticipated deductions.

Remediation and Impact

To address the discovered issues, we recommended specific remediations that Tegro implemented, significantly bolstering the contracts' security and functionality:

• Revised Price Calculation: We adjusted the _calculateTotalPrice() function to accurately scale prices to quoteTokenDecimals, ensuring financial precision.
• Stabilized Compiler Versions: Tegro now anchors their contracts to specific, tested compiler versions to prevent discrepancies.
• Expiry Timestamp Implementation: We introduced expiry timestamps in orders, enhancing transaction security and control.
• Set Lower Limits on Fees: To close the fee bypass loophole, we suggested setting a minimum matchedAmount that would trigger fee collection.
• Secure Contract Initializers: Implementing _disableInitializers() in constructors now protects against unauthorized reinitialization.
• Clarification on Fee-on-Transfer Tokens: Guidance was provided to handle transactions with fee-on-transfer tokens more transparently, avoiding confusion.

These measures have profoundly improved Tegro's smart contract ecosystem, ensuring enhanced security, operational clarity, and trust from its users.

The Tegro project underscores the importance of security in the rapidly evolving world of blockchain technology. It highlights the value of smart contract audits in identifying and mitigating potential vulnerabilities. But most importantly, it showcases how, through successful collaboration, we can enhance security, build trust, and pave the way for a safer and more secure digital future.