Ampleforth has announced that they have completed security upgrades following an audit by Trail of Bits.
Ampleforth first underwent an audit by Chinese firm Slow Mist which showed no vulnerabilities. When Trails of Bits conducted an audit, however, some vulnerabilities were discovered and some changes were prescribed.
Ampleforth has announced that is implemented 75 percent of the changes prescribed.
The Changes Prescribed
According to Trail of Bits, four changes were recommended to Ampleforth and it has implemented three of the four recommended.
The fourth change that was prescribed was relating to Oracle services. Trail of Bits believes that that stability of Ampleforth can be tampered with by a market maker.
“A market source returns a very large value for partialRate and/or partialVolume . This causes a revert in the calculation of volumeWeightedSum and thereby prevents rebasing. Self-stabilization through rebasing will not occur until the offending market source is removed from the whitelist,” the said.
The Changes Taken
Ampleforth has shed some light as to why the fourth prescription regarding oracle services was not taken.
According to them, the changes that would have needed to have been made would have not been feasible.
“The fundamental issue is that the oracle relies on a whitelist of sources authorized to provide data — fixing an overflow with an input restriction still would not have changed this. Adding a maximum allowable value independent of the number of sources combined in the calculation would have either been arbitrary or overly limiting,” Ampleforth management said.
The team said, however, that they are considering moving to an external Oracle infrastructure.
The Need for Security
When discussing the issue, the Ampleforth team stated that they are working towards identifying vulnerabilities as early as possible so as to correct them.
Leaving them unchecked, they say, can lead to hacks that can, in turn, lead to significant losses. These can be seen in the cases of hacks regarding Coincheck and Maple Exchange in 2018 that led to millions being lost.
Ampleforth has also stated that they are aiming to be a natural bank rather than a natural resource.
“ Ampleforth is kind of more like a natural resource than a national bank. This thing is designed very simply. It’s meant to maintain a stable unit of account. The rest of it is very similar to a normal floating price token. But the key here is that we don’t want to be a central bank. We want to be a different type of natural resource,” they said.