Sonic Audit Report

5 min readSep 19, 2023

We are thrilled to share some exciting news with our Sonic community today. After months of hard work and dedication, we are proud to announce that Sonic has successfully completed its comprehensive auditing process. This milestone is a testament to our commitment to transparency, security, and reliability in the world of decentralized exchanges.

We extend our heartfelt gratitude to the diligent auditors who played a crucial role in this process. Their expertise and attention to detail have been invaluable in ensuring the robustness of our platform. You can access the full audit report here —

This marks a significant milestone for Sonic and the entire ICP ecosystem. Sonic is now proud to be the only audited and completely open-source decentralized exchange, ready to seamlessly integrate with the SNS.

We couldn’t have reached this point without the unwavering support of our community. Your feedback, engagement, and trust have been instrumental in our journey, and we are deeply grateful for it.

As we move forward, our commitment to excellence remains unwavering. We will continue to prioritize security, transparency, and innovation to provide you with the best decentralized exchange experience possible.

Thank you for being part of the Sonic community, and stay tuned for more exciting updates on our journey to redefine decentralized finance!

Resolved and unresolved issues

In the spirit of transparency and continuous improvement, we would like to provide you with resolutions for every issue pointed out in the audit report:

SS-SONIC-025: expecting in future updates, not a major issue now
(non-security related)

SS-SONIC-029: expecting future updates (non-security related)

Since we are still anticipating a few minor updates, we will be creating a separate repo for developers/contributors to easily setup the environment (docker) which will be useful for both swap v1 and v2

SS-SONIC-033: not resolved (security related)

Swap V2 will be focusing on canister scalability using a multi-canister architecture for states.

SS-SONIC-014: not resolved ( the listed functions are needed for future UX updates ) (security related)

The publicly exposed functions will be part of our future UI/UX updates

SS-SONIC-015: expecting future updates (security related)

We’re investigating some issues with sns launched icrc1 canisters to get proper error details

SS-SONIC-030: not resolved (non-security related)

Discontinuation of WICP/XTC canisters considering icrc2 and new cycles ledger(XTX) development from dfinity

SS-SONIC-028: not resolved (non-security related)

Discontinuation of WICP/XTC canisters considering icrc2 and new cycles ledger(XTX) development from dfinity

SS-SONIC-020: not resolved (non-security related)

Considering our developments related to the upcoming rebranding of UI we are planning to add more Unit and E2E tests in the upcoming version (sonic-app-v2)

SS-SONIC-002: expecting in future updates (non-security related)

We’re still investigating a proper way to migrate existing data before moving to an alternative data structure like Buffer

SS-SONIC-025: Export balances might exceed max response size (non-security related)
After a thorough evaluation, we have determined that this is a low-severity, non-security-related issue. However, we will take it into account for future considerations, particularly during the V2 release.

SS-SONIC-029: Non-functional scripts in testnet due to missing components (non-security related)
This issue pertains to our product testing efforts and falls into the low-severity, non-security-related category. We plan to address it in the upcoming product release, specifically in V2. As we are still anticipating a few minor updates, we intend to establish a separate repository for developers and contributors. This separate repository will facilitate the setup of the environment, particularly through Docker, which will be beneficial for both Swap V1 and V2.

SS-SONIC-033: Scalability of canisters (security related)
Currently, we are in the V1 phase, while the development of V2 is underway. We are preparing to introduce V2 with a multi-canister architecture, which will enhance the scalability of Swap V2 by utilizing multiple canisters for state management. In our progress towards V2, we have successfully completed the development of the canisters and backend components. The next steps involve commencing front-end implementation, which will follow the ongoing work on the new user interface update. The scope has increased after we started the development of Perpetual contracts and we are now working on further updates to enhance the platform’s capability to support perps and Synthetic tokens.

SS-SONIC-014:Unused public functions (security related)
In our Swap system, we have incorporated certain public functions that are currently not in use by the frontend. However, these functions have been implemented in anticipation of upcoming UX updates planned for the next quarters. We have taken the necessary precautions to prevent potential issues or conflicts related to these functions.

SS-SONIC-015: deposit error transparency (security related)

We have conducted an analysis of this matter and determined that its severity is quite low. We plan to address and update it promptly. Concurrently, we are actively investigating certain issues with the SNS-launched ICRC1 canisters in order to obtain accurate error details.

SS-SONIC-030: Build failure in wicp/xtc due to with missing crates (non security related)

Dfinity is currently developing the Cycles ledger, which will support ICRC2 and ICRC3, with an estimated launch date in Q4 2023. We plan to collaborate with Dfinity to eventually migrate XTC to the Cycles ledger. As we do not foresee a future for XTC and WICP, we have made the decision to discontinue any further updates for both canisters. However, we remain committed to offering support to our users for any issues related to XTC and WICP. (This is for assigning our valuable resources to more futuristic developments) Our goal is for everything to transition to XTX by 2024. More detailed information and guidelines will be announced at a later date.

SS-SONIC-028: Use of private Rust crates not under Sonic’s control (non-security related)

This also pertains to WICP and XTC. As previously mentioned, since we are in the process of migrating to Dfinity XTX, we have decided not to pursue further updates for these platforms. Instead, we will continue to offer customer support to assist our users. This is for assigning our valuable resources to more futuristic developments.

SS-SONIC-020: Missing frontend tests (non-security related)
This is currently under consideration as we focus on updating the Sonic UI and branding. These updates are part of our preparations for the upcoming perpetual and Swap V2 launches. In the next version, sonic-app-v2, we have plans to incorporate additional Unit and End-to-End (E2E) tests.

SS-SONIC-002: Deprecated function usage (non-security related)

We have conducted a thorough analysis of this issue and have made the decision to implement it in conjunction with the next release. Concurrently, we are actively exploring the most suitable method for migrating existing data before transitioning to alternative data structures, such as Buffer or TrieMap.