From 20311eb98356428585d858584c3ba9c7166f3677 Mon Sep 17 00:00:00 2001 From: lspano-gif <127908457+lspano-gif@users.noreply.github.com> Date: Wed, 18 Dec 2024 20:13:40 -0800 Subject: [PATCH 01/22] Create Sui Report.md --- src/chains/sui/Sui Report.md | 97 ++++++++++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 src/chains/sui/Sui Report.md diff --git a/src/chains/sui/Sui Report.md b/src/chains/sui/Sui Report.md new file mode 100644 index 0000000..08be70d --- /dev/null +++ b/src/chains/sui/Sui Report.md 
@@ -0,0 +1,97 @@ +# Report on Sui Blockchain + +## Project Overview +- **Chain Name**: Sui +- **Proposal Reviewed**: [Insert Proposal Details] +- **Sui Integration Proposal**: Overview of objectives for integrating Sui with Axelar Network. +- **Points of Contact**: [Insert relevant channels and individuals for communication.] + +--- + +## Section 1: Assessment Methodology + +### 1.1 Integration Overview + +Sui’s integration with Axelar aims to enable seamless cross-chain transactions and interoperability by leveraging Axelar's General Message Passing (GMP) and security infrastructure. This integration provides Sui developers access to broader liquidity pools, decentralized applications (dApps), and enhanced functionality across interconnected blockchain networks. Sui’s unique Move-based programming model and high throughput architecture make it a promising candidate for cross-chain innovation. + +### 1.2 Evaluation Approach + +The Committee’s assessment methodology included the following: + +- **Research and Documentation Review**: A detailed review of technical documentation, Sui’s GitHub repositories, whitepapers, and Sui Improvement Proposals (SIPs) to understand the network’s capabilities and integration requirements. +- **Security Audits and Testing**: Examination of Sui's codebase, previously conducted audits, and tests for vulnerabilities. This included reviewing best practices for Move-based smart contracts. +- **Collaboration with the Sui Team**: Ongoing discussions with the Sui development team to understand their infrastructure, upgrade plans, incident response protocols, and readiness for cross-chain integrations. + +### 1.3 Assessment Framework + +The assessment framework focused on the following key areas: + +- **Protocol Integrity**: Evaluating Sui’s consensus mechanism (Narwhal and Tusk), validator decentralization, and the scalability of its DAG-based architecture. 
+- **Security Risks**: Identifying vulnerabilities within Sui’s Move VM, bridge components, and network infrastructure. +- **Operational Risks**: Assessing challenges developers might face when integrating with Sui, such as stability, untested features, or constraints in the Move language. +- **Compliance and Governance Risks**: Reviewing Sui’s governance model, community involvement, and regulatory considerations. +- **Code Quality and Transparency**: Analysis of the codebase, audit results, and adherence to development best practices. +- **Integration Plan**: Reviewing deployment and maintenance strategies for the Axelar-Sui integration, including monitoring systems and threat detection mechanisms. + +### 1.4 Assessment Criteria + +The desirable properties related to Sui’s architecture and its integration with Axelar included: + +- **Security**: How Sui’s consensus and Move-based contracts safeguard against exploits. +- **Scalability and Performance**: Sui’s ability to handle high transaction throughput with low latency. +- **Decentralization**: The extent of validator distribution and its impact on the network’s security. +- **Governance**: The mechanisms for protocol upgrades, decision-making, and dispute resolution. +- **Fault Tolerance**: Sui’s ability to recover from network halts or failures without impacting system integrity. +- **Transparency**: Open-source availability of the codebase, audit reports, and developer documentation. + + +--- + +## Section 2: Network and Protocol Integrity [Common Prefix, Eiger, NodeMonster] +### 2.1 Network Architecture +- Assessment of Sui's architecture, consensus mechanism, and staking requirements. +- Assessment of the Sui team, governance structure, and decentralization status. + +### 2.2 Governance and Compliance +- Assessment of Sui's governance framework, key decision-making processes, and regulatory considerations. 
+ +--- + +## Section 3: Security and Risks [Common Prefix, Eiger, NodeMonster] +### 3.1 Smart Contract Security and Vulnerabilities +- Assessment of Sui's programming language, smart contract features, and security measures. + +### 3.2 Risks and Concerns +- Key risks for developers and users in cross-chain interactions, mitigation strategies. + +--- + +## Section 4: Axelar Integration Components [Ackee] +### 4.1 Code Quality and Transparency +- Audit summaries and findings relevant to the Sui integration. + +### 4.2 Understanding of Deployment and Maintenance Plans +- Plans for secure deployment and ongoing maintenance of Sui-related components. + +### 4.3 Mitigation of Potential Risks +- Risk management strategies specific to the Sui integration. + +--- + +## Conclusion [Common Prefix, Eiger, NodeMonster, Ackee] +- Summary of findings and recommendations for the integration. + +--- + +## Next Steps [Common Prefix, Eiger, NodeMonster, Ackee] +- Outline of actions required for completion. + +--- + +## Committee Members +- List of team members and their roles in the assessment. +- ### Committee Members +- **Axelar**: +- **Node.Monster**: +- **Common Prefix**: +- **Ackee**: From 54217b8c3ee49cdb2fad23b5afe0f974e32b67af Mon Sep 17 00:00:00 2001 From: Eyal Alsheich Date: Mon, 6 Jan 2025 22:47:26 +0200 Subject: [PATCH 02/22] Section 2 and 3 (Node.Monster) (#14) --- src/chains/sui/Sui Report.md | 46 ++++++++++++++++++++++++++++++++---- 1 file changed, 41 insertions(+), 5 deletions(-) diff --git a/src/chains/sui/Sui Report.md b/src/chains/sui/Sui Report.md index 08be70d..9add162 100644 --- a/src/chains/sui/Sui Report.md +++ b/src/chains/sui/Sui Report.md 
@@ -49,20 +49,56 @@ The desirable properties related to Sui’s architecture and its integration wit ## Section 2: Network and Protocol Integrity [Common Prefix, Eiger, NodeMonster] ### 2.1 Network Architecture -- Assessment of Sui's architecture, consensus mechanism, and staking requirements. -- Assessment of the Sui team, governance structure, and decentralization status. +Sui is a Layer 1 blockchain that supports scalable, high-performance decentralized applications. Unlike traditional blockchain architectures, Sui employs an object-based accounting model and a modified Delegated Proof-of-Stake (DPoS) consensus mechanism. Transactions are categorized into "simple" and "complex," with simple transactions bypassing traditional consensus steps, enhancing performance. Complex transactions leverage Narwhal for data availability and Bullshark for ordering, ensuring efficiency and resilience. + +Key Architectural Features: +- **Object-Based Accounting Model:** Combines features of UTXO and account-based models to enable granular state management, making it particularly suitable for complex dApps. +- **Consensus:** The Sui Network uses a Narwhal and Tusk consensus mechanism, which combines DAG-based mempool design (Narwhal) with a Byzantine Fault Tolerant (BFT) consensus algorithm (Tusk). Validators individually validate transactions and generate certificates of finality, optimizing for throughput and latency. +- **Sponsored Transactions:** Unique mechanism allowing third parties to pay transaction fees, promoting accessibility. +All computation fees and reward subsidies earned by a validator, minus its chosen commission rate, are shared with delegators. The validator receives the tokens charged as commission and a percentage of the rewards after removing the commission. This percentage equals the ratio of self-staked SUI against the total SUI staked to the validator. 
The second part of a validator’s rewards is sourced from the Storage Fund, which is funded by the storage fees involved in each transaction. Today’s validators process transactions occurring today and create data. If new validators join tomorrow, they will have to store data they were not rewarded to create. Storage fees included in each transaction fee are sent to the fund, which is used to reward tomorrow's validators with the storage fees paid today. Of note, the tokens held in the Storage Fund accrue rewards from its proportionate amount of the total staked supply. + +Sui’s staking mechanism requires validators to hold a minimum of 30 million SUI (high barrier relative to the market). Validators share computational rewards with delegators, fostering ecosystem-wide engagement. Sui currently operates with approx. 108 active validators, ensuring robust security and incentivizing network participation. The total number of staked assets on Sui is approximately 7.8B SUI (78.33% of total assets), The top 10 validators (inc. Mysten Labs) are operating approx 22% of the total staked assets. + ### 2.2 Governance and Compliance -- Assessment of Sui's governance framework, key decision-making processes, and regulatory considerations. +Sui’s governance framework is currently centralized, with decisions predominantly directed by the Sui Foundation and Mysten Labs. The network lacks an active decentralized governance model as of December 2024. However, plans to integrate governance through staked SUI tokens have been proposed, where voting power would correspond to combined self-staked and delegated tokens, capped at 10% per validator to prevent centralization. +Key Governance Insights: +- Community proposals follow the SIP (Sui Improvement Proposal) process. While the community can signal support, the project team makes the final decisions. +- Regulatory considerations are actively managed by Mysten Labs, which maintains compliance with U.S. legal frameworks. 
+- The absence of a robust, decentralized governance mechanism may limit community-driven innovation but ensures streamlined decision-making during the network’s early stages. +Sui was founded in 2021 by Evan Cheng, Adeniyi Abiodun, Sam Blackshear, George Danezis, and Kostas Chalkias to continue the work performed while employed by Meta. In June 2019, Facebook, which later rebranded to Meta, announced its plans to build a permissioned blockchain and a digital wallet that would underlie a global payment network. Meta spearheaded an independent consortium called the Diem Association (originally the Libra Association) that was responsible for building the blockchain. Meta’s subsidiary Novi Finance (originally Calibra) was responsible for developing the digital wallet. Neither product was successful. The Diem Association shut down due to regulatory hurdles and sold all its assets in January 2022. Meta ended the Novi project later that year due to calls from the United States Senate. Two separate blockchains emerged from the initial Diem and Novi research: Aptos and Sui. Mysten Labs, Inc., one of the centralized entities supporting Sui, was formed to build something new from research conducted during the Diem Association’s life. + --- ## Section 3: Security and Risks [Common Prefix, Eiger, NodeMonster] ### 3.1 Smart Contract Security and Vulnerabilities -- Assessment of Sui's programming language, smart contract features, and security measures. +Sui’s smart contracts are written in Sui Move, a Rust-based programming language derived from the Move language developed at Meta. This language offers enhanced safety features, including: +- **Type Safety:** Reduces vulnerabilities by ensuring strict data type adherence. +- **Resource-Oriented Programming:** Prevents double-spending and unauthorized state changes by enforcing ownership and access rules. +- **Formal Verification:** Facilitates rigorous testing and validation of smart contracts to minimize bugs. 
+Testing and debugging mechanisms for Sui’s smart contracts include modular code organization, ownership rules, and structured data flow that allow developers to easily test and debug contracts. Developers are encouraged to employ local testing environments, implement explicit error-handling mechanisms, and regularly verify contracts using Move Prover. Recent updates to development tools also enhance debugging processes and streamline integration with Sui's broader ecosystem. + +However, historical incidents highlight the need for continuous vigilance: +- **November 17, 2023:** An unspecified vulnerability was discovered and promptly patched across the mainnet, testnet, and devnet. While the issue did not escalate, it underscores the importance of proactive community engagement in identifying flaws. +- **September 3, 2023:** A denial-of-service (DoS) vulnerability in Sui’s P2P protocol was reported by Beosin Alert. The vulnerability, which could deplete memory and crash nodes, was resolved in version 1.6.3. +- **May 16, 2023:** A critical "billion-dollar bug" was identified during an audit by Xellic. The issue, which had the potential to cause significant disruptions, was patched effectively. +- **July 6, 2024:** Public RPC nodes were crashed when attempting to submit a transaction. +- **November 12, 2024:** Sui testnet validators don't accept new user transactions. The issue has been resolved. +- **November 21, 2024 Mainnet Outage:** A major outage occurred due to a critical bug in the consensus mechanism, an unexpected issue in the transaction validation pipeline caused intermittent disruptions, and led to a halt in transaction processing for over 24 hours. The problem was [traced to an edge case](https://blog.sui.io/sui-mainnet-outage-resolution/) in transaction ordering and was resolved in version 1.8.2 of the protocol, but it exposed vulnerabilities in handling high-throughput scenarios. 
The incident also highlighted the need for improved disaster recovery mechanisms and validator coordination. +SUI has engaged with [third-party auditors](https://sui.io/security), including Zellic, Halborn,Common Prefix, OtterSec, and others, which conducted multiple audits focusing on core components. Its worth noting that no further audits were made from April 2023. ### 3.2 Risks and Concerns -- Key risks for developers and users in cross-chain interactions, mitigation strategies. +Recent incidents have also highlighted systemic risks. The November 2024 mainnet outage, caused by a critical bug in the consensus mechanism, disrupted transaction processing for over 24 hours. This incident exposed vulnerabilities in transaction ordering and underscored the need for robust disaster recovery mechanisms and better validator coordination. In addition, the lack of audits since April 2023 leaves the network vulnerable to undiscovered security flaws. + +Additional notable considerations for the Axelar community include the nuances of Sui's consensus mechanism and upgrade processes. The Narwhal and Tusk consensus mechanism used by Sui integrates a Directed Acyclic Graph (DAG)-based mempool with a Byzantine Fault Tolerant (BFT) protocol. This architecture is inspired by cutting-edge research but has seen limited external audits. While the foundational papers validating these approaches are rigorous, the specific implementations in Sui may include optimizations that require further review and validation. + +Sui has introduced significant upgrades, such as version 1.9.0, aimed at improving performance and enhancing fault tolerance. However, these updates often bring added complexity, which, if not thoroughly tested, could introduce new vulnerabilities. Notably, recent findings by security firms have identified edge cases in Sui's transaction validation pipeline that require further mitigation efforts. 
+Finally, while the Narwhal and Tusk mechanisms provide high throughput and resilience, their reliance on validator coordination in high-load scenarios remains a critical area of focus. Ensuring decentralized participation and seamless fallback mechanisms will be essential to maintaining trust and security across the network. + +Mitigation strategies include expanding the bug bounty program to incentivize community-driven vulnerability identification, enhancing decentralization by encouraging broader validator participation, and conducting periodic audits to ensure security and protocol integrity. Proactive measures such as threat monitoring, disaster recovery planning, and regular protocol upgrades aim to address these risks and foster long-term resilience. + +Despite its challenges, Sui’s commitment to innovation and proactive security measures positions it as a strong player in the blockchain ecosystem. By addressing these concerns and continuing to prioritize security, Sui can maintain trust and support its growing user base. --- From e996fe39f77ad20767c4b8ad15d70840cc041c7b Mon Sep 17 00:00:00 2001 From: Ackee Blockchain <108264505+abchauditor@users.noreply.github.com> Date: Mon, 6 Jan 2025 21:47:49 +0100 Subject: [PATCH 03/22] add section 4 (#15) Co-authored-by: stepansonsky --- src/chains/sui/Sui Report.md | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/src/chains/sui/Sui Report.md b/src/chains/sui/Sui Report.md index 9add162..6c72b36 100644 --- a/src/chains/sui/Sui Report.md +++ b/src/chains/sui/Sui Report.md 
@@ -104,13 +104,22 @@ Despite its challenges, Sui’s commitment to innovation and proactive security ## Section 4: Axelar Integration Components [Ackee] ### 4.1 Code Quality and Transparency -- Audit summaries and findings relevant to the Sui integration. +Axelar was responsible for developing the Sui external contracts. [Axelar GCP Sui](https://github.com/axelarnetwork/axelar-cgp-sui) is Axelar Cross-chain Gateway Protocol implementation developed in [Move](https://sui.io/move) programming language. The codebase was audited by Ottersec [6/24](https://github.com/axelarnetwork/audits/blob/main/audits/2024-06%20Ottersec.pdf) and [11/24](https://github.com/axelarnetwork/audits/blob/main/audits/2024-11%20Ottersec%20-%20Sui.pdf). [Ackee](https://ackee.xyz/) performed a cross-check of audit reports and confirmed that all reported findings were remediated except one informational finding (OS-AXN-SUG-00) from the 11/24 audit. + +Summary of findings from Sui CGP audits (Reported-Fixed-Acknowledged): + +| Company | Critical | High | Medium | Low | Info | +|--------------------|----------|-------|--------|-------|-------| +| **Ottersec 6/24** | | | 1-1-0 | 3-3-0 | 3-3-0 | +| **Ottersec 11/24** | | 1-1-0 | 1-1-0 | 4-4-0 | 4-3-1 | + +No audit report for [Sui Amplifier](https://github.com/axelarnetwork/axelar-amplifier/tree/main/ampd/src/sui) code was provided. ### 4.2 Understanding of Deployment and Maintenance Plans -- Plans for secure deployment and ongoing maintenance of Sui-related components. +Deployment scripts for Sui Axelar components are provided, and the process is well documented in the [Axelar repository](https://github.com/axelarnetwork/axelar-contract-deployments/tree/main/sui#sui-deployment-scripts). The code is well-structured, and [Ackee](https://ackee.xyz/) did not identify any best practices violations in the development scripts. ### 4.3 Mitigation of Potential Risks -- Risk management strategies specific to the Sui integration. 
+Sui and Axelar confirm that the system includes proper logging and mechanisms to resolve unusual situations in the network to avoid further damage to the network and users' funds. Sui performs continuous security monitoring and a proactive approach to vulnerability management. --- From 0d13216bf1f79985ccd5e0dcc681009f5594ef84 Mon Sep 17 00:00:00 2001 From: lspano-gif <127908457+lspano-gif@users.noreply.github.com> Date: Mon, 6 Jan 2025 12:50:12 -0800 Subject: [PATCH 04/22] Update Sui Report.md --- src/chains/sui/Sui Report.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/chains/sui/Sui Report.md b/src/chains/sui/Sui Report.md index 6c72b36..0b0a21f 100644 --- a/src/chains/sui/Sui Report.md +++ b/src/chains/sui/Sui Report.md @@ -2,7 +2,7 @@ ## Project Overview - **Chain Name**: Sui -- **Proposal Reviewed**: [Insert Proposal Details] +- **Proposal Reviewed**: src/chains/sui/Sui Integration Proposal.md - **Sui Integration Proposal**: Overview of objectives for integrating Sui with Axelar Network. - **Points of Contact**: [Insert relevant channels and individuals for communication.] From 4307e77fb07407adf99042d5857c51fcb8ed8a2a Mon Sep 17 00:00:00 2001 From: lspano-gif <127908457+lspano-gif@users.noreply.github.com> Date: Mon, 6 Jan 2025 12:50:53 -0800 Subject: [PATCH 05/22] Update Sui Report.md --- src/chains/sui/Sui Report.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/chains/sui/Sui Report.md b/src/chains/sui/Sui Report.md index 0b0a21f..c142780 100644 --- a/src/chains/sui/Sui Report.md +++ b/src/chains/sui/Sui Report.md 
@@ -2,7 +2,7 @@ ## Project Overview - **Chain Name**: Sui -- **Proposal Reviewed**: src/chains/sui/Sui Integration Proposal.md +- **Proposal Reviewed**: [Sui Integration Proposal](src/chains/sui/Sui Integration Proposal.md) - **Sui Integration Proposal**: Overview of objectives for integrating Sui with Axelar Network. - **Points of Contact**: [Insert relevant channels and individuals for communication.] From e8cc040a006084baa879d9496693cfb4125482be Mon Sep 17 00:00:00 2001 From: lspano-gif <127908457+lspano-gif@users.noreply.github.com> Date: Mon, 6 Jan 2025 12:59:26 -0800 Subject: [PATCH 06/22] Update Sui Report.md --- src/chains/sui/Sui Report.md | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/src/chains/sui/Sui Report.md b/src/chains/sui/Sui Report.md index c142780..b47a9a4 100644 --- a/src/chains/sui/Sui Report.md +++ b/src/chains/sui/Sui Report.md @@ -2,7 +2,7 @@ ## Project Overview - **Chain Name**: Sui -- **Proposal Reviewed**: [Sui Integration Proposal](src/chains/sui/Sui Integration Proposal.md) +- **Proposal Reviewed**: [Sui Integration Proposal] - **Sui Integration Proposal**: Overview of objectives for integrating Sui with Axelar Network. - **Points of Contact**: [Insert relevant channels and individuals for communication.] 
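Review bot: in this `## Project Overview` hunk, `- **Proposal Reviewed**: [Sui Integration Proposal]` has no URL and no reference definition, so Markdown renders it as literal bracketed text and the reader loses the link the previous two revisions were trying to establish. The earlier form `(src/chains/sui/Sui Integration Proposal.md)` failed for two reasons: a link destination with unencoded spaces is not parsed as a link at all, and GitHub resolves relative paths from the file's own directory, not the repository root. Since the report sits next to the proposal in src/chains/sui/, a relative link with the spaces encoded is the robust form, e.g. `- **Proposal Reviewed**: [Sui Integration Proposal](Sui%20Integration%20Proposal.md)`.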
@@ -124,7 +124,11 @@ Sui and Axelar confirm that the system includes proper logging and mechanisms to --- ## Conclusion [Common Prefix, Eiger, NodeMonster, Ackee] -- Summary of findings and recommendations for the integration. +The Sui integration with Axelar Network presents a significant opportunity to expand interoperability and enable seamless cross-chain transactions for developers. The evaluation highlights Sui’s strengths, including its innovative Move-based programming model, object-based accounting system, and high transaction throughput enabled by Narwhal and Tusk consensus. Axelar’s integration components demonstrate strong adherence to best practices, with thorough audits and well-documented deployment plans. + +Despite these strengths, the assessment identified critical areas for improvement. Sui’s centralized governance, recent mainnet outage, and limited audits since 2023 raise concerns about network resilience and community engagement. Historical vulnerabilities, including denial-of-service (DoS) and transaction validation bugs, emphasize the need for robust security mechanisms. The complexity of Sui’s architecture and reliance on validator coordination in high-load scenarios necessitate enhanced fault tolerance and operational readiness. + +The integration offers Sui developers access to broader liquidity pools and interoperable dApps, fostering innovation across the ecosystem. To realize these benefits, addressing security risks, decentralization challenges, and governance gaps will be critical. By implementing proactive measures such as expanded audits, improved disaster recovery plans, and decentralized decision-making, Sui can solidify its position as a secure and scalable blockchain within the Axelar Network ecosystem. --- 
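Review bot: the first Conclusion paragraph says Axelar's integration components come "with thorough audits", which is broader than Section 4.1 supports: 4.1 reports two Ottersec audits of axelar-cgp-sui and states that no audit report for the Sui Amplifier code was provided. Suggest qualifying it, e.g. "with audited gateway contracts, though the Amplifier component has no published audit report". In the second paragraph, "limited audits since 2023" should name its scope (Sui core, per Section 3.1's "no further audits were made from April 2023"), because the same report cites June and November 2024 audits on the Axelar side; as written the two statements read as contradictory.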
@@ -136,7 +140,8 @@ Sui and Axelar confirm that the system includes proper logging and mechanisms to ## Committee Members - List of team members and their roles in the assessment. - ### Committee Members -- **Axelar**: -- **Node.Monster**: -- **Common Prefix**: -- **Ackee**: +- **Axelar**: Liana Spano, Coordinator +- **Node.Monster**: Eyal Alsheich, Contributor +- **Common Prefix**: Nikolaos Kamarinakis, Contributor +- **Ackee**: Stepan Sonsky, Contributor +- **Eiger**: Marcin From 2786bbb99e25a6a25c6a6b1541ea15a023c2484b Mon Sep 17 00:00:00 2001 From: lspano-gif <127908457+lspano-gif@users.noreply.github.com> Date: Mon, 6 Jan 2025 13:02:31 -0800 Subject: [PATCH 07/22] Update Sui Report.md --- src/chains/sui/Sui Report.md | 1 - 1 file changed, 1 deletion(-) diff --git a/src/chains/sui/Sui Report.md b/src/chains/sui/Sui Report.md index b47a9a4..f13fcf6 100644 --- a/src/chains/sui/Sui Report.md +++ b/src/chains/sui/Sui Report.md @@ -4,7 +4,6 @@ - **Chain Name**: Sui - **Proposal Reviewed**: [Sui Integration Proposal] - **Sui Integration Proposal**: Overview of objectives for integrating Sui with Axelar Network. -- **Points of Contact**: [Insert relevant channels and individuals for communication.] --- From fb941fa3ff25e36a101a2bb7e7dcafd3fb17ea2c Mon Sep 17 00:00:00 2001 From: lspano-gif <127908457+lspano-gif@users.noreply.github.com> Date: Mon, 6 Jan 2025 13:03:11 -0800 Subject: [PATCH 08/22] Update Sui Report.md --- src/chains/sui/Sui Report.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/chains/sui/Sui Report.md b/src/chains/sui/Sui Report.md index f13fcf6..b1b6e28 100644 --- a/src/chains/sui/Sui Report.md +++ b/src/chains/sui/Sui Report.md @@ -143,4 +143,4 @@ The integration offers Sui developers access to broader liquidity pools and inte - **Node.Monster**: Eyal Alsheich, Contributor - **Common Prefix**: Nikolaos Kamarinakis, Contributor - **Ackee**: Stepan Sonsky, Contributor -- **Eiger**: Marcin +- **Eiger**: Marcin, Contributor 
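Review bot: after this change the Eiger row `- **Eiger**: Marcin, Contributor` is still the only committee entry without a full name; please add the surname so it matches the other four rows. The same list also still carries `- ### Committee Members` as a bullet directly under the `## Committee Members` heading (visible in the PATCH 06 hunk above), which renders as a heading inside a list item and duplicates the section title; it should be removed.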
From c84636445e7573cfab6478c3f3095b3ff99b7f84 Mon Sep 17 00:00:00 2001 From: lspano-gif <127908457+lspano-gif@users.noreply.github.com> Date: Fri, 10 Jan 2025 13:57:32 -0800 Subject: [PATCH 09/22] Update Sui Report.md --- src/chains/sui/Sui Report.md | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/src/chains/sui/Sui Report.md b/src/chains/sui/Sui Report.md index b1b6e28..8d7bafa 100644 --- a/src/chains/sui/Sui Report.md +++ b/src/chains/sui/Sui Report.md @@ -2,8 +2,15 @@ ## Project Overview - **Chain Name**: Sui -- **Proposal Reviewed**: [Sui Integration Proposal] -- **Sui Integration Proposal**: Overview of objectives for integrating Sui with Axelar Network. +- **Proposal Reviewed**: [Sui Integration Proposal](Sui%20Integration%20Proposal.md) + +### Table of Contents + #### [Section 1: Assessment Methodology](#section-1-assessment-methodology-1) + #### [Section 2: Network and Protocol Integrity](#section-2-network-and-protocol-integrity-1) + #### [Section 3: Security and Risks](#section-3-security-and-risks-1) + #### [Section 4: Axelar Integration Components](#section-4-axelar-integration-components-1) + #### [Conclusion](#conclusion-1) +--- --- @@ -46,7 +53,7 @@ The desirable properties related to Sui’s architecture and its integration wit --- -## Section 2: Network and Protocol Integrity [Common Prefix, Eiger, NodeMonster] +## Section 2: Network and Protocol Integrity ### 2.1 Network Architecture Sui is a Layer 1 blockchain that supports scalable, high-performance decentralized applications. Unlike traditional blockchain architectures, Sui employs an object-based accounting model and a modified Delegated Proof-of-Stake (DPoS) consensus mechanism. Transactions are categorized into "simple" and "complex," with simple transactions bypassing traditional consensus steps, enhancing performance. Complex transactions leverage Narwhal for data availability and Bullshark for ordering, ensuring efficiency and resilience. 
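Review bot: the new Table of Contents entries such as `#### [Section 1: Assessment Methodology](#section-1-assessment-methodology-1)` only resolve because each TOC entry is itself a `####` heading with the same text as the section it points to, which makes GitHub assign the real heading the `-1` suffix; if anyone later converts the TOC to a plain list, every anchor silently breaks. A bulleted list linking to `#section-1-assessment-methodology` (and so on, without the suffix) is the durable form. Separately, the heading change `-## Section 2: Network and Protocol Integrity [Common Prefix, Eiger, NodeMonster]` to `+## Section 2: Network and Protocol Integrity` drops the per-section reviewer attribution, and nothing else in the report records which committee member assessed which section; if the removal is intentional, consider recording that mapping under Committee Members.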
@@ -70,7 +77,7 @@ Sui was founded in 2021 by Evan Cheng, Adeniyi Abiodun, Sam Blackshear, George D --- -## Section 3: Security and Risks [Common Prefix, Eiger, NodeMonster] +## Section 3: Security and Risks ### 3.1 Smart Contract Security and Vulnerabilities Sui’s smart contracts are written in Sui Move, a Rust-based programming language derived from the Move language developed at Meta. This language offers enhanced safety features, including: - **Type Safety:** Reduces vulnerabilities by ensuring strict data type adherence. @@ -101,7 +108,7 @@ Despite its challenges, Sui’s commitment to innovation and proactive security --- -## Section 4: Axelar Integration Components [Ackee] +## Section 4: Axelar Integration Components ### 4.1 Code Quality and Transparency Axelar was responsible for developing the Sui external contracts. [Axelar GCP Sui](https://github.com/axelarnetwork/axelar-cgp-sui) is Axelar Cross-chain Gateway Protocol implementation developed in [Move](https://sui.io/move) programming language. The codebase was audited by Ottersec [6/24](https://github.com/axelarnetwork/audits/blob/main/audits/2024-06%20Ottersec.pdf) and [11/24](https://github.com/axelarnetwork/audits/blob/main/audits/2024-11%20Ottersec%20-%20Sui.pdf). [Ackee](https://ackee.xyz/) performed a cross-check of audit reports and confirmed that all reported findings were remediated except one informational finding (OS-AXN-SUG-00) from the 11/24 audit. 
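Review bot: the unchanged 4.1 context line carried in this hunk reads `[Axelar GCP Sui](https://github.com/axelarnetwork/axelar-cgp-sui)`, but the repository is axelar-cgp-sui and the same sentence expands the acronym as Cross-chain Gateway Protocol, so the link text should be "Axelar CGP Sui". While touching that sentence, "is Axelar Cross-chain Gateway Protocol implementation" needs an article ("is the Axelar Cross-chain Gateway Protocol implementation").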
@@ -122,7 +129,7 @@ Sui and Axelar confirm that the system includes proper logging and mechanisms to --- -## Conclusion [Common Prefix, Eiger, NodeMonster, Ackee] +## Conclusion The Sui integration with Axelar Network presents a significant opportunity to expand interoperability and enable seamless cross-chain transactions for developers. The evaluation highlights Sui’s strengths, including its innovative Move-based programming model, object-based accounting system, and high transaction throughput enabled by Narwhal and Tusk consensus. Axelar’s integration components demonstrate strong adherence to best practices, with thorough audits and well-documented deployment plans. Despite these strengths, the assessment identified critical areas for improvement. Sui’s centralized governance, recent mainnet outage, and limited audits since 2023 raise concerns about network resilience and community engagement. Historical vulnerabilities, including denial-of-service (DoS) and transaction validation bugs, emphasize the need for robust security mechanisms. The complexity of Sui’s architecture and reliance on validator coordination in high-load scenarios necessitate enhanced fault tolerance and operational readiness. 
@@ -131,14 +138,14 @@ The integration offers Sui developers access to broader liquidity pools and inte --- -## Next Steps [Common Prefix, Eiger, NodeMonster, Ackee] -- Outline of actions required for completion. +## Next Steps +To ensure the successful integration of Sui with Axelar Network and long-term operational resilience, the following actions are recommended: + +Focus on maintaining integration stability and performance through continuous monitoring and proactive issue detection. Node Monster will spin up a globally distributed Sui validator to enhance network redundancy and decentralization, verifying the final implementation status with the Axelar Foundation. Additionally, the development team should design and implement a proactive outage management plan, including on-chain smart contract protections, to address potential network disruptions on Sui. --- ## Committee Members -- List of team members and their roles in the assessment. -- ### Committee Members - **Axelar**: Liana Spano, Coordinator - **Node.Monster**: Eyal Alsheich, Contributor - **Common Prefix**: Nikolaos Kamarinakis, Contributor From e8613c73d734e311bd40ae7d24f5b2a6c7b0418a Mon Sep 17 00:00:00 2001 From: Nikolaos Kamarinakis Date: Sat, 11 Jan 2025 10:29:16 -0500 Subject: [PATCH 10/22] Fix consensus description in section 2 --- src/chains/sui/Sui Report.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/chains/sui/Sui Report.md b/src/chains/sui/Sui Report.md index 8d7bafa..52812e3 100644 --- a/src/chains/sui/Sui Report.md +++ b/src/chains/sui/Sui Report.md 
@@ -59,7 +59,7 @@ Sui is a Layer 1 blockchain that supports scalable, high-performance decentraliz Key Architectural Features: - **Object-Based Accounting Model:** Combines features of UTXO and account-based models to enable granular state management, making it particularly suitable for complex dApps. -- **Consensus:** The Sui Network uses a Narwhal and Tusk consensus mechanism, which combines DAG-based mempool design (Narwhal) with a Byzantine Fault Tolerant (BFT) consensus algorithm (Tusk). Validators individually validate transactions and generate certificates of finality, optimizing for throughput and latency. +- **Consensus:** The Sui Network relies on the Mysticeti DAG-based consensus algorithm, which improves upon Narwhal-Tusk. Mysticeti has been formalized in the form of [an academic research paper](https://arxiv.org/pdf/2310.14821) published on arXiv, with rigorous proofs of safety and liveness. Notably, Mysticeti achieves the optimal consensus latency of three network round trips, resulting in a ~4x latency reduction to Sui mainnet. Rather than relying on a single leader to propose a block, Mysticeti supports multiple validators proposing blocks in parallel, making use of the full bandwidth of the network. Moreover, validators who attempt to censor valid transactions are accountable. - **Sponsored Transactions:** Unique mechanism allowing third parties to pay transaction fees, promoting accessibility. All computation fees and reward subsidies earned by a validator, minus its chosen commission rate, are shared with delegators. The validator receives the tokens charged as commission and a percentage of the rewards after removing the commission. This percentage equals the ratio of self-staked SUI against the total SUI staked to the validator. The second part of a validator’s rewards is sourced from the Storage Fund, which is funded by the storage fees involved in each transaction. Today’s validators process transactions occurring today and create data. 
If new validators join tomorrow, they will have to store data they were not rewarded to create. Storage fees included in each transaction fee are sent to the fund, which is used to reward tomorrow's validators with the storage fees paid today. Of note, the tokens held in the Storage Fund accrue rewards from its proportionate amount of the total staked supply. From 044b49bf5a7af191a760a5ca43b699985e90438d Mon Sep 17 00:00:00 2001 From: lspano-gif <127908457+lspano-gif@users.noreply.github.com> Date: Tue, 21 Jan 2025 09:06:00 -0800 Subject: [PATCH 11/22] Update Sui Report.md --- src/chains/sui/Sui Report.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/chains/sui/Sui Report.md b/src/chains/sui/Sui Report.md index 52812e3..97a0ef6 100644 --- a/src/chains/sui/Sui Report.md +++ b/src/chains/sui/Sui Report.md @@ -3,6 +3,7 @@ ## Project Overview - **Chain Name**: Sui - **Proposal Reviewed**: [Sui Integration Proposal](Sui%20Integration%20Proposal.md) +- **Source Code**: [https://github.com/axelarnetwork/axelar-cgp-sui](https://github.com/axelarnetwork/axelar-cgp-sui) ### Table of Contents #### [Section 1: Assessment Methodology](#section-1-assessment-methodology-1) 
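Review bot: The new Consensus bullet says Sui "relies on the Mysticeti DAG-based consensus algorithm, which improves upon Narwhal-Tusk", but the unchanged paragraph directly above it in 2.1 still says complex transactions "leverage Narwhal for data availability and Bullshark for ordering"; one of the two is stale, and the section should not describe two different consensus stacks. "a ~4x latency reduction to Sui mainnet" should be "on Sui mainnet" and needs a baseline (relative to which protocol, measured how), and "validators who attempt to censor valid transactions are accountable" should say how: what is detected and what the consequence is. Without that it is a marketing claim rather than a security property.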
@@ -110,7 +111,10 @@ Despite its challenges, Sui’s commitment to innovation and proactive security ## Section 4: Axelar Integration Components ### 4.1 Code Quality and Transparency -Axelar was responsible for developing the Sui external contracts. [Axelar GCP Sui](https://github.com/axelarnetwork/axelar-cgp-sui) is Axelar Cross-chain Gateway Protocol implementation developed in [Move](https://sui.io/move) programming language. The codebase was audited by Ottersec [6/24](https://github.com/axelarnetwork/audits/blob/main/audits/2024-06%20Ottersec.pdf) and [11/24](https://github.com/axelarnetwork/audits/blob/main/audits/2024-11%20Ottersec%20-%20Sui.pdf). [Ackee](https://ackee.xyz/) performed a cross-check of audit reports and confirmed that all reported findings were remediated except one informational finding (OS-AXN-SUG-00) from the 11/24 audit. +Axelar was responsible for developing the Sui external contracts. [Axelar GCP Sui](https://github.com/axelarnetwork/axelar-cgp-sui) is Axelar Cross-chain Gateway Protocol implementation developed in [Move](https://sui.io/move) programming language. The codebase underwent the following audits: +- Ottersec [6/24/2024](https://github.com/axelarnetwork/audits/blob/main/audits/2024-06%20Ottersec.pdf) +- Ottersec [11/24/2024](https://github.com/axelarnetwork/audits/blob/main/audits/2024-11%20Ottersec%20-%20Sui.pdf) +- Ackee [11/24/2024](https://github.com/axelarnetwork/audits/blob/main/audits/2024-11%20Ackee%20Blockchain.pdf) performed a cross-check of audit reports and confirmed that all reported findings were remediated except one informational finding (OS-AXN-SUG-00) from the Ottersec 11/24 audit. Summary of findings from Sui CGP audits (Reported-Fixed-Acknowledged): From cf661f2f12e20ddb372ef3dbabc5cf8be8ef9205 Mon Sep 17 00:00:00 2001 
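Review bot: The audit dates have been expanded incorrectly: the original "6/24" and "11/24" were month/year, as the linked filenames "2024-06 Ottersec.pdf" and "2024-11 Ottersec - Sui.pdf" show, so "6/24/2024" and "11/24/2024" invent a day of the month; write "June 2024" and "November 2024". "Axelar GCP Sui" should be "Axelar CGP Sui" (the repository is axelar-cgp-sui and the expansion in the same sentence is "Cross-chain Gateway Protocol"), and the sentence wants its articles: "is an Axelar Cross-chain Gateway Protocol implementation developed in the Move programming language".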
From: lspano-gif <127908457+lspano-gif@users.noreply.github.com> Date: Tue, 21 Jan 2025 19:11:20 -0800 Subject: [PATCH 12/22] Update Sui Report.md --- src/chains/sui/Sui Report.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/chains/sui/Sui Report.md b/src/chains/sui/Sui Report.md index 97a0ef6..1abe9e9 100644 --- a/src/chains/sui/Sui Report.md +++ b/src/chains/sui/Sui Report.md @@ -114,7 +114,7 @@ Despite its challenges, Sui’s commitment to innovation and proactive security Axelar was responsible for developing the Sui external contracts. [Axelar GCP Sui](https://github.com/axelarnetwork/axelar-cgp-sui) is Axelar Cross-chain Gateway Protocol implementation developed in [Move](https://sui.io/move) programming language. The codebase underwent the following audits: - Ottersec [6/24/2024](https://github.com/axelarnetwork/audits/blob/main/audits/2024-06%20Ottersec.pdf) - Ottersec [11/24/2024](https://github.com/axelarnetwork/audits/blob/main/audits/2024-11%20Ottersec%20-%20Sui.pdf) -- Ackee [11/24/2024](https://github.com/axelarnetwork/audits/blob/main/audits/2024-11%20Ackee%20Blockchain.pdf) performed a cross-check of audit reports and confirmed that all reported findings were remediated except one informational finding (OS-AXN-SUG-00) from the Ottersec 11/24 audit. +- Ackee performed a cross-check of audit reports and confirmed that all reported findings were remediated except one informational finding (OS-AXN-SUG-00) from the Ottersec 11/24 audit. Summary of findings from Sui CGP audits (Reported-Fixed-Acknowledged): From db3de054c2054fa29e8ad18a0e4300a99b92e826 Mon Sep 17 00:00:00 2001 From: lspano-gif <127908457+lspano-gif@users.noreply.github.com> Date: Tue, 21 Jan 2025 19:12:40 -0800 Subject: [PATCH 13/22] Update src/chains/sui/Sui Report.md Co-authored-by: Nikolaos Kamarinakis --- src/chains/sui/Sui Report.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
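Review bot: Dropping the date and the link to the Ackee report leaves that bullet with no reference while it still sits under "The codebase underwent the following audits" as if it were a third audit. If the Ackee cross-check report exists, keep a link (the one removed here pointed at audits/2024-11 Ackee Blockchain.pdf in the same audits repository) and its month; if it does not, move the sentence out of the audit list into prose after it, so readers can tell which reports the "Reported-Fixed-Acknowledged" summary below is drawn from.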
diff --git a/src/chains/sui/Sui Report.md b/src/chains/sui/Sui Report.md index 1abe9e9..a335f83 100644 --- a/src/chains/sui/Sui Report.md +++ b/src/chains/sui/Sui Report.md 
@@ -93,7 +93,7 @@ However, historical incidents highlight the need for continuous vigilance: - **July 6, 2024:** Public RPC nodes were crashed when attempting to submit a transaction. - **November 12, 2024:** Sui testnet validators don't accept new user transactions. The issue has been resolved. - **November 21, 2024 Mainnet Outage:** A major outage occurred due to a critical bug in the consensus mechanism, an unexpected issue in the transaction validation pipeline caused intermittent disruptions, and led to a halt in transaction processing for over 24 hours. The problem was [traced to an edge case](https://blog.sui.io/sui-mainnet-outage-resolution/) in transaction ordering and was resolved in version 1.8.2 of the protocol, but it exposed vulnerabilities in handling high-throughput scenarios. The incident also highlighted the need for improved disaster recovery mechanisms and validator coordination. -SUI has engaged with [third-party auditors](https://sui.io/security), including Zellic, Halborn,Common Prefix, OtterSec, and others, which conducted multiple audits focusing on core components. Its worth noting that no further audits were made from April 2023. +SUI has engaged with [third-party auditors](https://sui.io/security), including Zellic, Halborn, Common Prefix, OtterSec, and others, which conducted multiple audits focusing on core components. It is worth noting that no further audits have been conducted since April 2023. ### 3.2 Risks and Concerns Recent incidents have also highlighted systemic risks. The November 2024 mainnet outage, caused by a critical bug in the consensus mechanism, disrupted transaction processing for over 24 hours. This incident exposed vulnerabilities in transaction ordering and underscored the need for robust disaster recovery mechanisms and better validator coordination. In addition, the lack of audits since April 2023 leaves the network vulnerable to undiscovered security flaws. 
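Review bot: "no further audits have been conducted since April 2023" is contradicted two bullets up in the same hunk, where a bug is "identified during an audit by Xellic" on May 16, 2023; either the cutoff date or the incident date is wrong, and "Xellic" is presumably "Zellic", the auditor named in this very sentence. Also "SUI" is the token ticker; the network is "Sui" everywhere else in the report.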
From 5c4e01c2af1c72dbc3b0a81b651f9f8a4f285b64 Mon Sep 17 00:00:00 2001 From: lspano-gif <127908457+lspano-gif@users.noreply.github.com> Date: Tue, 21 Jan 2025 19:12:54 -0800 Subject: [PATCH 14/22] Update src/chains/sui/Sui Report.md Co-authored-by: Nikolaos Kamarinakis --- src/chains/sui/Sui Report.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/chains/sui/Sui Report.md b/src/chains/sui/Sui Report.md index a335f83..26dc691 100644 --- a/src/chains/sui/Sui Report.md +++ b/src/chains/sui/Sui Report.md @@ -33,7 +33,7 @@ The Committee’s assessment methodology included the following: The assessment framework focused on the following key areas: -- **Protocol Integrity**: Evaluating Sui’s consensus mechanism (Narwhal and Tusk), validator decentralization, and the scalability of its DAG-based architecture. +- **Protocol Integrity**: Evaluating Sui’s consensus mechanism ([Mysticeti](https://arxiv.org/pdf/2310.14821)), validator decentralization, and the scalability of its DAG-based architecture. - **Security Risks**: Identifying vulnerabilities within Sui’s Move VM, bridge components, and network infrastructure. - **Operational Risks**: Assessing challenges developers might face when integrating with Sui, such as stability, untested features, or constraints in the Move language. - **Compliance and Governance Risks**: Reviewing Sui’s governance model, community involvement, and regulatory considerations. From 93d5278d92a9165cd68b26aa547a2f8cb17f25df Mon Sep 17 00:00:00 2001 From: lspano-gif <127908457+lspano-gif@users.noreply.github.com> Date: Tue, 21 Jan 2025 19:13:11 -0800 Subject: [PATCH 15/22] Update src/chains/sui/Sui Report.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Štěpán Šonský --- src/chains/sui/Sui Report.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/chains/sui/Sui Report.md b/src/chains/sui/Sui Report.md index 26dc691..edd4998 100644 
--- a/src/chains/sui/Sui Report.md +++ b/src/chains/sui/Sui Report.md @@ -90,7 +90,7 @@ However, historical incidents highlight the need for continuous vigilance: - **November 17, 2023:** An unspecified vulnerability was discovered and promptly patched across the mainnet, testnet, and devnet. While the issue did not escalate, it underscores the importance of proactive community engagement in identifying flaws. - **September 3, 2023:** A denial-of-service (DoS) vulnerability in Sui’s P2P protocol was reported by Beosin Alert. The vulnerability, which could deplete memory and crash nodes, was resolved in version 1.6.3. - **May 16, 2023:** A critical "billion-dollar bug" was identified during an audit by Xellic. The issue, which had the potential to cause significant disruptions, was patched effectively. -- **July 6, 2024:** Public RPC nodes were crashed when attempting to submit a transaction. +- **July 6, 2024:** Public RPC nodes crashed when attempting to submit a transaction. - **November 12, 2024:** Sui testnet validators don't accept new user transactions. The issue has been resolved. - **November 21, 2024 Mainnet Outage:** A major outage occurred due to a critical bug in the consensus mechanism, an unexpected issue in the transaction validation pipeline caused intermittent disruptions, and led to a halt in transaction processing for over 24 hours. The problem was [traced to an edge case](https://blog.sui.io/sui-mainnet-outage-resolution/) in transaction ordering and was resolved in version 1.8.2 of the protocol, but it exposed vulnerabilities in handling high-throughput scenarios. The incident also highlighted the need for improved disaster recovery mechanisms and validator coordination. SUI has engaged with [third-party auditors](https://sui.io/security), including Zellic, Halborn, Common Prefix, OtterSec, and others, which conducted multiple audits focusing on core components. It is worth noting that no further audits have been conducted since April 2023. 
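Review bot: The July 6, 2024 entry still lacks what every other entry has: a source link and the version or fix that resolved it. "Public RPC nodes crashed when attempting to submit a transaction" also does not say whether the trigger was a crafted transaction (a remotely triggerable DoS against RPC endpoints) or a client-side bug, and that distinction matters for the risk assessment. The list is also out of chronological order (November 2023, September 2023, May 2023, then 2024); sort it.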
From 1edf406382fa4017f4b7d527e0406c3275b6993a Mon Sep 17 00:00:00 2001 From: lspano-gif <127908457+lspano-gif@users.noreply.github.com> Date: Wed, 22 Jan 2025 14:08:46 -0800 Subject: [PATCH 16/22] Update src/chains/sui/Sui Report.md Co-authored-by: Nikolaos Kamarinakis --- src/chains/sui/Sui Report.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/chains/sui/Sui Report.md b/src/chains/sui/Sui Report.md index edd4998..d220b4c 100644 --- a/src/chains/sui/Sui Report.md +++ b/src/chains/sui/Sui Report.md 
@@ -56,7 +56,7 @@ The desirable properties related to Sui’s architecture and its integration wit ## Section 2: Network and Protocol Integrity ### 2.1 Network Architecture -Sui is a Layer 1 blockchain that supports scalable, high-performance decentralized applications. Unlike traditional blockchain architectures, Sui employs an object-based accounting model and a modified Delegated Proof-of-Stake (DPoS) consensus mechanism. Transactions are categorized into "simple" and "complex," with simple transactions bypassing traditional consensus steps, enhancing performance. Complex transactions leverage Narwhal for data availability and Bullshark for ordering, ensuring efficiency and resilience. +Sui is a Layer 1 blockchain that supports scalable, high-performance decentralized applications. Unlike traditional blockchain architectures, Sui employs an object-based accounting model and a modified Delegated Proof-of-Stake (DPoS) consensus mechanism. Transactions are categorized into "simple" (or ["fast path"](https://move-book.com/object/fast-path-and-consensus.html#fast-path)) and "complex" (or ["consensus path"](https://move-book.com/object/fast-path-and-consensus.html#consensus-path)), with simple transactions bypassing traditional consensus steps, enhancing performance. Complex transactions leverage Narwhal for data availability and Bullshark for ordering, ensuring efficiency and resilience. Key Architectural Features: - **Object-Based Accounting Model:** Combines features of UTXO and account-based models to enable granular state management, making it particularly suitable for complex dApps. From 0e1278456c377b4c0560858ee9c2aac7e0de6aee Mon Sep 17 00:00:00 2001 From: lspano-gif <127908457+lspano-gif@users.noreply.github.com> Date: Wed, 22 Jan 2025 14:08:57 -0800 Subject: [PATCH 17/22] Update src/chains/sui/Sui Report.md Co-authored-by: Nikolaos Kamarinakis --- src/chains/sui/Sui Report.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
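Review bot: The fast-path and consensus-path links are welcome, but the same sentence still says complex transactions "leverage Narwhal for data availability and Bullshark for ordering", which conflicts with the Consensus bullet three lines below stating that Sui "relies on the Mysticeti DAG-based consensus algorithm"; update this sentence in the same change. "a modified Delegated Proof-of-Stake (DPoS) consensus mechanism" also conflates the staking model with the consensus protocol; say DPoS for validator selection and Mysticeti for ordering.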
diff --git a/src/chains/sui/Sui Report.md b/src/chains/sui/Sui Report.md index d220b4c..f8f1e06 100644 --- a/src/chains/sui/Sui Report.md +++ b/src/chains/sui/Sui Report.md 
@@ -60,7 +60,7 @@ Sui is a Layer 1 blockchain that supports scalable, high-performance decentraliz Key Architectural Features: - **Object-Based Accounting Model:** Combines features of UTXO and account-based models to enable granular state management, making it particularly suitable for complex dApps. -- **Consensus:** The Sui Network relies on the Mysticeti DAG-based consensus algorithm, which improves upon Narwhal-Tusk. Mysticeti has been formalized in the form of [an academic research paper](https://arxiv.org/pdf/2310.14821) published on arXiv, with rigorous proofs of safety and liveness. Notably, Mysticeti achieves the optimal consensus latency of three network round trips, resulting in a ~4x latency reduction to Sui mainnet. Rather than relying on a single leader to propose a block, Mysticeti supports multiple validators proposing blocks in parallel, making use of the full bandwidth of the network. Moreover, validators who attempt to censor valid transactions are accountable. +- **Consensus:** The Sui Network relies on the Mysticeti DAG-based consensus algorithm, which improves upon Narwhal-Tusk. Mysticeti has been formalized in the form of [an academic research paper](https://arxiv.org/pdf/2310.14821) published on arXiv, with rigorous proofs of safety and liveness. Notably, Mysticeti achieves the optimal consensus latency of three network round trips, resulting in a ~4x latency reduction to Sui mainnet. Mysticeti's improved performance is also attributed to the use of specific ("owned") objects, which can be finalized via a 'fast path' that utilizes reliable broadcast instead of consensus. Fast path transactions have subsecond finality. Additionally, rather than relying on a single leader to propose a block, Mysticeti supports multiple validators proposing blocks in parallel, making use of the full bandwidth of the network. Finally, validators who attempt to censor valid transactions are accountable. 
- **Sponsored Transactions:** Unique mechanism allowing third parties to pay transaction fees, promoting accessibility. All computation fees and reward subsidies earned by a validator, minus its chosen commission rate, are shared with delegators. The validator receives the tokens charged as commission and a percentage of the rewards after removing the commission. This percentage equals the ratio of self-staked SUI against the total SUI staked to the validator. The second part of a validator’s rewards is sourced from the Storage Fund, which is funded by the storage fees involved in each transaction. Today’s validators process transactions occurring today and create data. If new validators join tomorrow, they will have to store data they were not rewarded to create. Storage fees included in each transaction fee are sent to the fund, which is used to reward tomorrow's validators with the storage fees paid today. Of note, the tokens held in the Storage Fund accrue rewards from its proportionate amount of the total staked supply. From f052ba4fc950a7c85298732c0f57e60e8b7cd0c9 Mon Sep 17 00:00:00 2001 From: lspano-gif <127908457+lspano-gif@users.noreply.github.com> Date: Wed, 22 Jan 2025 14:09:11 -0800 Subject: [PATCH 18/22] Update src/chains/sui/Sui Report.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Štěpán Šonský --- src/chains/sui/Sui Report.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/chains/sui/Sui Report.md b/src/chains/sui/Sui Report.md index f8f1e06..f218435 100644 --- a/src/chains/sui/Sui Report.md +++ b/src/chains/sui/Sui Report.md 
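Review bot: "Mysticeti's improved performance is also attributed to the use of specific ("owned") objects, which can be finalized via a 'fast path'" credits the fast path to Mysticeti, but the 2.1 intro presents the simple/consensus split as a general property of Sui's object model, and the Narwhal-Tusk text this series replaced already described validators "individually" certifying transactions. State the fast path as an object-model property and Mysticeti as the consensus-path improvement. "Fast path transactions have subsecond finality" needs a source, and the quote style is mixed ("owned" versus 'fast path').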
@@ -64,7 +64,7 @@ Key Architectural Features: - **Sponsored Transactions:** Unique mechanism allowing third parties to pay transaction fees, promoting accessibility. All computation fees and reward subsidies earned by a validator, minus its chosen commission rate, are shared with delegators. The validator receives the tokens charged as commission and a percentage of the rewards after removing the commission. This percentage equals the ratio of self-staked SUI against the total SUI staked to the validator. The second part of a validator’s rewards is sourced from the Storage Fund, which is funded by the storage fees involved in each transaction. Today’s validators process transactions occurring today and create data. If new validators join tomorrow, they will have to store data they were not rewarded to create. Storage fees included in each transaction fee are sent to the fund, which is used to reward tomorrow's validators with the storage fees paid today. Of note, the tokens held in the Storage Fund accrue rewards from its proportionate amount of the total staked supply. -Sui’s staking mechanism requires validators to hold a minimum of 30 million SUI (high barrier relative to the market). Validators share computational rewards with delegators, fostering ecosystem-wide engagement. Sui currently operates with approx. 108 active validators, ensuring robust security and incentivizing network participation. The total number of staked assets on Sui is approximately 7.8B SUI (78.33% of total assets), The top 10 validators (inc. Mysten Labs) are operating approx 22% of the total staked assets. +Sui’s staking mechanism requires validators to hold a minimum of 30 million SUI (high barrier relative to the market). Validators share computational rewards with delegators, fostering ecosystem-wide engagement. Sui currently operates with approximately 108 active validators, ensuring robust security and incentivizing network participation. 
The total number of staked assets on Sui is approximately 7.8B SUI (78.33% of total assets), The top 10 validators (including Mysten Labs) are operating approximately 22% of the total staked assets. ### 2.2 Governance and Compliance From 29548810313942df4de032d5400aabd0ba29650d Mon Sep 17 00:00:00 2001 From: lspano-gif <127908457+lspano-gif@users.noreply.github.com> Date: Wed, 22 Jan 2025 14:09:49 -0800 Subject: [PATCH 19/22] Update src/chains/sui/Sui Report.md Co-authored-by: Nikolaos Kamarinakis --- src/chains/sui/Sui Report.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/chains/sui/Sui Report.md b/src/chains/sui/Sui Report.md index f218435..12db2ce 100644 --- a/src/chains/sui/Sui Report.md +++ b/src/chains/sui/Sui Report.md 
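Review bot: Splitting the paragraph leaves the comma splice in the second sentence untouched: "...(78.33% of total assets), The top 10 validators..."; make it two sentences. The figures (108 validators, 7.8B SUI staked, 78.33%, a 22% top-10 share) are point-in-time values with no date or source; add "as of <date>" and a link, and drop the two-decimal precision on a number introduced with "approximately". "ensuring robust security" also does not follow from the validator count alone; the 10% voting-power cap and the top-10 stake share in the following paragraph are the facts that bear on it.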
@@ -66,6 +66,10 @@ All computation fees and reward subsidies earned by a validator, minus its chose Sui’s staking mechanism requires validators to hold a minimum of 30 million SUI (high barrier relative to the market). Validators share computational rewards with delegators, fostering ecosystem-wide engagement. Sui currently operates with approximately 108 active validators, ensuring robust security and incentivizing network participation. The total number of staked assets on Sui is approximately 7.8B SUI (78.33% of total assets), The top 10 validators (including Mysten Labs) are operating approximately 22% of the total staked assets. +Each validator's consensus voting power is determined by the amount of SUI they have staked, relative to the total SUI staked across the network. However, to prevent over-concentration of influence, an individual validator's voting power is capped at a maximum of 10% of the total. + +Moreover, Sui has implemented a voting-based mechanism for validator slashing. By default, all validators are marked as honest. If a validator A observes misbehavior by validator B, then A can report B by manually running [a specific command](https://docs.sui.io/guides/operator/validator-config#validator-slashing-and-tallying-rule). If validators [with an aggregate power of more than two-thirds](https://github.com/MystenLabs/sui/blob/ca155f399df75a25c695c940c5fc210e8c4c725a/nre/sui_for_node_operators.md?plain=1#L311) report the same validator B for misbehavior, then [all of B's rewards get slashed](https://github.com/MystenLabs/sui/blob/ca155f399df75a25c695c940c5fc210e8c4c725a/crates/sui-protocol-config/src/lib.rs#L2324). Note that only the rewards of validators are slashed, not their stake. Validators who wish to leave the validator set can immediately withdraw their stake without having to wait for any delay period to end. 
To the best of our knowledge, there is no formal and rigorous economic analysis of the impact, efficiency, and potential hazards of the implemented slashing mechanism. + ### 2.2 Governance and Compliance Sui’s governance framework is currently centralized, with decisions predominantly directed by the Sui Foundation and Mysten Labs. The network lacks an active decentralized governance model as of December 2024. However, plans to integrate governance through staked SUI tokens have been proposed, where voting power would correspond to combined self-staked and delegated tokens, capped at 10% per validator to prevent centralization. From ead5d9fd2cf6cb3932d9db425cb554a53278c0fb Mon Sep 17 00:00:00 2001 From: lspano-gif <127908457+lspano-gif@users.noreply.github.com> Date: Wed, 22 Jan 2025 14:10:04 -0800 Subject: [PATCH 20/22] Update src/chains/sui/Sui Report.md Co-authored-by: Nikolaos Kamarinakis --- src/chains/sui/Sui Report.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/chains/sui/Sui Report.md b/src/chains/sui/Sui Report.md index 12db2ce..a875205 100644 --- a/src/chains/sui/Sui Report.md +++ b/src/chains/sui/Sui Report.md 
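Review bot: The last two facts of the paragraph, that only rewards are slashed and never stake, and that a departing validator "can immediately withdraw their stake without having to wait for any delay period", are the security-relevant ones and should be carried into section 3.2 Risks and Concerns: with no unbonding delay and no stake at risk, a validator that misbehaves keeps its capital, so the economic deterrent is limited to foregone rewards, which is exactly the gap the closing sentence about the missing economic analysis points at. The two github links are pinned to commit ca155f3, which is the right approach; the docs link for the reporting command is unversioned and may drift, so pin it or quote the command. "validator A" and "validator B" read better as "a validator" and "another validator".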
@@ -77,7 +77,7 @@ Key Governance Insights: - Community proposals follow the SIP (Sui Improvement Proposal) process. While the community can signal support, the project team makes the final decisions. - Regulatory considerations are actively managed by Mysten Labs, which maintains compliance with U.S. legal frameworks. - The absence of a robust, decentralized governance mechanism may limit community-driven innovation but ensures streamlined decision-making during the network’s early stages. -Sui was founded in 2021 by Evan Cheng, Adeniyi Abiodun, Sam Blackshear, George Danezis, and Kostas Chalkias to continue the work performed while employed by Meta. In June 2019, Facebook, which later rebranded to Meta, announced its plans to build a permissioned blockchain and a digital wallet that would underlie a global payment network. Meta spearheaded an independent consortium called the Diem Association (originally the Libra Association) that was responsible for building the blockchain. Meta’s subsidiary Novi Finance (originally Calibra) was responsible for developing the digital wallet. Neither product was successful. The Diem Association shut down due to regulatory hurdles and sold all its assets in January 2022. Meta ended the Novi project later that year due to calls from the United States Senate. Two separate blockchains emerged from the initial Diem and Novi research: Aptos and Sui. Mysten Labs, Inc., one of the centralized entities supporting Sui, was formed to build something new from research conducted during the Diem Association’s life. +Sui was founded in 2021 by Evan Cheng, Adeniyi Abiodun, Sam Blackshear, George Danezis, and Kostas Chalkias to continue the work performed while employed by Meta. In June 2019, Facebook, which later rebranded to Meta, announced its plans to build a permissioned blockchain and a digital wallet that would underlie a global payment network. 
Meta spearheaded an independent consortium called the Diem Association (originally the Libra Association) that was responsible for building the blockchain. Meta’s subsidiary Novi Finance (originally Calibra) was responsible for developing the digital wallet. The Diem Association shut down due to regulatory hurdles and sold all its assets in January 2022. Meta ended the Novi project later that year due to calls from the United States Senate. Two separate blockchains emerged from the initial Diem and Novi research: Aptos and Sui. Mysten Labs, Inc., one of the centralized entities supporting Sui, was formed to build something new from research conducted during the Diem Association’s life. --- From 25cd883583cedeae194271797f83feb9c01b6d70 Mon Sep 17 00:00:00 2001 From: lspano-gif <127908457+lspano-gif@users.noreply.github.com> Date: Wed, 22 Jan 2025 14:10:59 -0800 Subject: [PATCH 21/22] Apply suggestions from code review Co-authored-by: Nikolaos Kamarinakis --- src/chains/sui/Sui Report.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/chains/sui/Sui Report.md b/src/chains/sui/Sui Report.md index a875205..9367099 100644 --- a/src/chains/sui/Sui Report.md +++ b/src/chains/sui/Sui Report.md 
@@ -86,23 +86,24 @@ Sui was founded in 2021 by Evan Cheng, Adeniyi Abiodun, Sam Blackshear, George D ### 3.1 Smart Contract Security and Vulnerabilities Sui’s smart contracts are written in Sui Move, a Rust-based programming language derived from the Move language developed at Meta. This language offers enhanced safety features, including: - **Type Safety:** Reduces vulnerabilities by ensuring strict data type adherence. -- **Resource-Oriented Programming:** Prevents double-spending and unauthorized state changes by enforcing ownership and access rules. +- **Resource-Oriented Programming:** Prevents double-spending and unauthorized state changes by enforcing ownership and access rules at the language level. - **Formal Verification:** Facilitates rigorous testing and validation of smart contracts to minimize bugs. Testing and debugging mechanisms for Sui’s smart contracts include modular code organization, ownership rules, and structured data flow that allow developers to easily test and debug contracts. Developers are encouraged to employ local testing environments, implement explicit error-handling mechanisms, and regularly verify contracts using Move Prover. Recent updates to development tools also enhance debugging processes and streamline integration with Sui's broader ecosystem. +- **On-Chain Randomness**: Enables the generation of secure pseudo-randomness within Move smart contracts. However, historical incidents highlight the need for continuous vigilance: - **November 17, 2023:** An unspecified vulnerability was discovered and promptly patched across the mainnet, testnet, and devnet. While the issue did not escalate, it underscores the importance of proactive community engagement in identifying flaws. - **September 3, 2023:** A denial-of-service (DoS) vulnerability in Sui’s P2P protocol was reported by Beosin Alert. The vulnerability, which could deplete memory and crash nodes, was resolved in version 1.6.3. 
- **May 16, 2023:** A critical "billion-dollar bug" was identified during an audit by Xellic. The issue, which had the potential to cause significant disruptions, was patched effectively. - **July 6, 2024:** Public RPC nodes crashed when attempting to submit a transaction. -- **November 12, 2024:** Sui testnet validators don't accept new user transactions. The issue has been resolved. -- **November 21, 2024 Mainnet Outage:** A major outage occurred due to a critical bug in the consensus mechanism, an unexpected issue in the transaction validation pipeline caused intermittent disruptions, and led to a halt in transaction processing for over 24 hours. The problem was [traced to an edge case](https://blog.sui.io/sui-mainnet-outage-resolution/) in transaction ordering and was resolved in version 1.8.2 of the protocol, but it exposed vulnerabilities in handling high-throughput scenarios. The incident also highlighted the need for improved disaster recovery mechanisms and validator coordination. +- **November 12, 2024:** Sui testnet validators stopped accepting new user transactions. The issue has been resolved. +- **November 21, 2024 Mainnet Outage:** A major outage occurred on Sui Mainnet due to a critical bug in Sui's consensus mechanism. An unexpected issue in the transaction validation pipeline caused intermittent disruptions and resulting in transaction processing halting for over 24 hours. The problem was [traced to an edge case](https://blog.sui.io/sui-mainnet-outage-resolution/) in transaction ordering and was resolved in version 1.8.2 of the protocol, but it exposed vulnerabilities in handling high-throughput scenarios. The incident also highlighted the need for improved disaster recovery mechanisms and validator coordination. SUI has engaged with [third-party auditors](https://sui.io/security), including Zellic, Halborn, Common Prefix, OtterSec, and others, which conducted multiple audits focusing on core components. 
It is worth noting that no further audits have been conducted since April 2023. ### 3.2 Risks and Concerns Recent incidents have also highlighted systemic risks. The November 2024 mainnet outage, caused by a critical bug in the consensus mechanism, disrupted transaction processing for over 24 hours. This incident exposed vulnerabilities in transaction ordering and underscored the need for robust disaster recovery mechanisms and better validator coordination. In addition, the lack of audits since April 2023 leaves the network vulnerable to undiscovered security flaws. -Additional notable considerations for the Axelar community include the nuances of Sui's consensus mechanism and upgrade processes. The Narwhal and Tusk consensus mechanism used by Sui integrates a Directed Acyclic Graph (DAG)-based mempool with a Byzantine Fault Tolerant (BFT) protocol. This architecture is inspired by cutting-edge research but has seen limited external audits. While the foundational papers validating these approaches are rigorous, the specific implementations in Sui may include optimizations that require further review and validation. +Additional notable considerations for the Axelar community include the nuances of Sui's consensus mechanism and upgrade processes. The Mysticeti consensus mechanism used by Sui integrates a Directed Acyclic Graph (DAG)-based mempool with a Byzantine Fault Tolerant (BFT) protocol. This architecture is inspired by cutting-edge research but has seen limited external audits. While the foundational papers validating these approaches are rigorous, the specific implementations in Sui may include optimizations that require further review and validation. Sui has introduced significant upgrades, such as version 1.9.0, aimed at improving performance and enhancing fault tolerance. However, these updates often bring added complexity, which, if not thoroughly tested, could introduce new vulnerabilities. 
Notably, recent findings by security firms have identified edge cases in Sui's transaction validation pipeline that require further mitigation efforts. Finally, while the Narwhal and Tusk mechanisms provide high throughput and resilience, their reliance on validator coordination in high-load scenarios remains a critical area of focus. Ensuring decentralized participation and seamless fallback mechanisms will be essential to maintaining trust and security across the network. From 38fb740a607c1671ac916123bec68f4cac2b8cf1 Mon Sep 17 00:00:00 2001 From: lspano-gif <127908457+lspano-gif@users.noreply.github.com> Date: Wed, 22 Jan 2025 14:11:26 -0800 Subject: [PATCH 22/22] Apply suggestions from code review Co-authored-by: Nikolaos Kamarinakis --- src/chains/sui/Sui Report.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/chains/sui/Sui Report.md b/src/chains/sui/Sui Report.md index 9367099..e2beb74 100644 --- a/src/chains/sui/Sui Report.md +++ b/src/chains/sui/Sui Report.md 
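Review bot: the @@ -86 hunk of PATCH 01/22 renames the consensus mechanism in the 3.2 paragraph to Mysticeti, but the unchanged paragraph immediately after it ("Finally, while the Narwhal and Tusk mechanisms provide high throughput and resilience...") still names Narwhal and Tusk, so the section now contradicts itself; update that sentence in the same change, or add a clause saying Mysticeti replaced Narwhal and Tusk so both references make sense. Two smaller points in the same hunk: the new November 21, 2024 line reads "caused intermittent disruptions and resulting in transaction processing halting for over 24 hours" and should be "resulted in transaction processing halting for over 24 hours"; and the added "- **On-Chain Randomness**" bullet lands after the testing-and-debugging paragraph instead of in the list of "enhanced safety features" it is formatted to match, and it does not belong there either, since the other three bullets are properties of the language while on-chain randomness is a facility the network provides. Either move it into that list with a short caveat on where the randomness comes from, or fold it into the prose. The unchanged May 16, 2023 entry also spells the auditor "Xellic" while the auditor list a few lines later says "Zellic"; one of the two is a typo.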
@@ -131,7 +131,7 @@ Summary of findings from Sui CGP audits (Reported-Fixed-Acknowledged): No audit report for [Sui Amplifier](https://github.com/axelarnetwork/axelar-amplifier/tree/main/ampd/src/sui) code was provided. ### 4.2 Understanding of Deployment and Maintenance Plans -Deployment scripts for Sui Axelar components are provided, and the process is well documented in the [Axelar repository](https://github.com/axelarnetwork/axelar-contract-deployments/tree/main/sui#sui-deployment-scripts). The code is well-structured, and [Ackee](https://ackee.xyz/) did not identify any best practices violations in the development scripts. +Deployment scripts for Sui Axelar components are provided, and the process is well documented in the [Axelar contract deployments repository](https://github.com/axelarnetwork/axelar-contract-deployments/tree/main/sui#sui-deployment-scripts). The code is well-structured, and [Ackee](https://ackee.xyz/) did not identify any best practices violations in the development scripts. ### 4.3 Mitigation of Potential Risks Sui and Axelar confirm that the system includes proper logging and mechanisms to resolve unusual situations in the network to avoid further damage to the network and users' funds. Sui performs continuous security monitoring and a proactive approach to vulnerability management. 
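Review bot: in the @@ -131 hunk the rewritten 4.2 line still ends with "did not identify any best practices violations in the development scripts", while the first half of the same sentence and the linked anchor (#sui-deployment-scripts) call them deployment scripts; use "deployment scripts" in both places so it is clear that the Ackee review covered the scripts the link points to. The 4.3 context line "Sui performs continuous security monitoring and a proactive approach to vulnerability management" also needs a verb for its second clause ("and takes a proactive approach to vulnerability management").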
@@ -139,11 +139,11 @@ Sui and Axelar confirm that the system includes proper logging and mechanisms to --- ## Conclusion -The Sui integration with Axelar Network presents a significant opportunity to expand interoperability and enable seamless cross-chain transactions for developers. The evaluation highlights Sui’s strengths, including its innovative Move-based programming model, object-based accounting system, and high transaction throughput enabled by Narwhal and Tusk consensus. Axelar’s integration components demonstrate strong adherence to best practices, with thorough audits and well-documented deployment plans. +The Sui integration with Axelar Network presents a significant opportunity to expand interoperability and enable seamless cross-chain transactions for developers. The evaluation highlights Sui’s strengths, including its innovative Move-based programming model, object-based accounting system, and high transaction throughput enabled by Mysticeti consensus. Axelar’s integration components demonstrate strong adherence to best practices, with thorough audits and well-documented deployment plans. Despite these strengths, the assessment identified critical areas for improvement. Sui’s centralized governance, recent mainnet outage, and limited audits since 2023 raise concerns about network resilience and community engagement. Historical vulnerabilities, including denial-of-service (DoS) and transaction validation bugs, emphasize the need for robust security mechanisms. The complexity of Sui’s architecture and reliance on validator coordination in high-load scenarios necessitate enhanced fault tolerance and operational readiness. -The integration offers Sui developers access to broader liquidity pools and interoperable dApps, fostering innovation across the ecosystem. To realize these benefits, addressing security risks, decentralization challenges, and governance gaps will be critical. 
By implementing proactive measures such as expanded audits, improved disaster recovery plans, and decentralized decision-making, Sui can solidify its position as a secure and scalable blockchain within the Axelar Network ecosystem. +The integration offers Sui developers access to broader liquidity pools and interoperable dApps, fostering innovation across the ecosystem. To realize these benefits, addressing security risks, decentralization challenges, and governance gaps will be critical. By implementing proactive measures such as expanded audits and bug bounty programs, improved disaster recovery plans, and decentralized decision-making, Sui can solidify its position as a secure and scalable blockchain within the Axelar Network ecosystem. ---
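Review bot: the rewritten conclusion in the @@ -139 hunk still says Axelar's integration components come "with thorough audits and well-documented deployment plans", but the 4.1 context line in the previous hunk states that no audit report for the Sui Amplifier code was provided; qualify the claim to the CGP audits that were actually reviewed, or name the Amplifier gap here as well. The newly added "and bug bounty programs" recommendation is not backed by anything in Section 3, which only discusses the absence of third-party audits since April 2023; either add a sentence there on Sui's bug bounty status or drop it from the conclusion. The change to "Mysticeti consensus" matches the 3.2 rewrite but not the unchanged 3.2 closing paragraph, which still credits Narwhal and Tusk for throughput and resilience.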