Blockchain Protocol Audit For MANTRA Chain

In November 2024, Hacken completed a comprehensive blockchain protocol audit for MANTRA Chain, meticulously scrutinizing its Cosmos SDK build and its use of the Inter-Blockchain Communication (IBC) protocol. This independent audit by Hacken’s renowned L1 Audit Team highlights MANTRA’s Security-First commitment, reinforcing its focus on security, scalability, and compliance—the key pillars for fostering trust in a blockchain ecosystem designed to support regulatory alignment.

RWAs and MANTRA

Real-World Assets (RWAs) are transforming finance by bridging traditional and decentralized systems, enabling fractional ownership of assets like real estate and fine art, which were previously accessible only to institutions. This democratization not only enhances liquidity but also fosters equitable wealth distribution.

Amid this transformation, MANTRA has emerged as a Security-First Layer-1 blockchain purpose-built for RWA tokenization. With a strong focus on compliance and scalability, MANTRA offers institutional-grade solutions for deploying and managing tokenized assets within a secure and regulatory-aligned framework. CEO John Patrick Mullin’s vision of achieving $100 billion in RWA TVL by 2026 underscores the ambition to become the go-to ledger for asset tokenization, enabling unprecedented opportunities for issuers and investors alike.

MANTRA Chain Audit Overview

The audit provided a thorough evaluation of MANTRA Chain’s codebase, architecture, and security protocols, aiming to identify vulnerabilities, assess code and documentation quality, and evaluate its overall security posture.

System Overview

The system leverages a modular framework built on the Cosmos SDK, integrating inherited and custom-developed modules to enable functionalities such as decentralized identity management, user access control, liquidity provision, and market-making.

Audit Process

The audit process included high-level code analysis, detailed line-by-line reviews of critical components, and rigorous testing, including unit validation and Proof-of-Concept (PoC) scenarios, ensuring compliance with best practices and robust security standards.

Audited Items

• Token Creation Module: Supports permissionless token creation.
• Decentralized Identity Module: Manages decentralized identifiers (DIDs) for identity verification.
• Access Control Module: Handles user privileges and access management.
• Liquidity Module: Facilitates the creation and management of liquidity pools.
• Farming Module: Implements functionalities for liquidity provider (LP) farming.
• Market Maker Module: Supports market maker registration and incentive distribution.
• Token Management Module: Manages token-related operations.
• Fee Management Module: Configures fee tokens and handles gas fee collection.

Key Findings

The audit identified a total of 16 issues, categorized by severity:

• Critical: 1
• High: 1
• Medium: 1
• Low: 5
• Observations: 8

All identified issues were addressed, with 2 resolved and 14 accepted after thorough remediations.

Finding and Fixing Vulnerabilities

Critical Issue: During the audit, a critical vulnerability was identified in one of the project’s indirect dependencies, affecting the github.com/rs/cors library. This issue, related to denial-of-service attacks via malicious preflight requests, could render RPC and REST API endpoints unavailable, disrupt client interactions, and exhaust node resources, potentially undermining the system’s reliability. Immediate remediation involved upgrading the library to its fixed version (v1.11.0) to eliminate the risk. This finding underscores the importance of diligent dependency management, as vulnerabilities in indirect libraries can propagate through the stack, leading to significant security implications.

High-Severity Issue: A high-severity vulnerability was identified in the implementation of CosmWasm within the system. Using an outdated version of CosmWasm introduced risks such as stack overflow, gas mispricing, and non-deterministic queries, which could lead to denial-of-service attacks and unpredictable behavior. Immediate action was taken to mitigate these issues by upgrading to the latest stable version of CosmWasm (v0.53.0). Regular monitoring and adherence to official CosmWasm advisories are recommended to maintain the security and integrity of the system’s smart contract functionalities.

For a detailed breakdown of the findings and technical recommendations, refer to the full audit report.

Documentation, Architecture, Code and Test Coverage

The audit found MANTRA Chain’s user-facing documentation to be well-developed, with detailed inherited resources enhancing modules like x/liquidity and x/lpfarm. The codebase adhered to Go programming best practices, maintaining high standards in critical modules, though areas of high cyclomatic complexity and deeply nested structures suggest potential for refactoring. The architecture, built on the robust Cosmos SDK, integrates mature modules adapted for MANTRA’s needs, with innovative features like DIDs and soul-bound NFTs reinforcing security in identity verification. While E2E tests effectively validate module interactions, overall unit test coverage should be improved.

Conclusions

In today’s regulatory landscape, security audits are not optional—they are essential for security and regulatory compliance. Third-party verification also builds trust among builders, traders, and institutions.

Recent data reveal that 90% of hacked projects have never undergone an audit. Against this backdrop, we applaud MANTRA for backing its Security-First positioning with decisive action. An independent code review by an expert auditor like Hacken is often the defining factor between securing a platform and falling victim to an exploit, of which there are too many in Web3. This is especially critical in the high-stakes environment of Real-World Assets, where MANTRA envisions billions of dollars tokenized on its platform.