Infrastructure Audit Full Details

Charli3


CHARLi3 — V3 Architecture Audit

Proposal:

https://projectcatalyst.io/funds/11/cardano-use-cases-product/charli3-v3-architecture-audit

Statement of Milestones: https://milestones.projectcatalyst.io/projects/1100094

Project ID: 1100094

March 2024 — Nov 14 2024 (Final report public in Jan 2025)

Summary

“What products and integrations can be accelerated to offer more high-impact use cases at scale that drive more adoption in the Cardano ecosystem?”

“The Cardano Use Cases: Product category is aimed towards projects and teams that are looking to enhance existing products, services, or innovative business propositions by significantly extending the features of pre-existing products that are already available in the market.”

Given the above goal of the category, we contracted Anastasia Labs to fully audit Charli3’s Decentralized Oracle System from end-to-end. This audit included reviewing every line of our back-end, on-chain, and node software code, doing general security reviews, and carefully scrutinizing our support monitoring systems.

This audit helped the Charli3 team identify areas of improvement to enable scaling. Our team was particularly focused on our ability to handle volatile bull market conditions in 2025 and scaling our node operator network size.

List of project KPIs and how the project addressed them

Contract audit team

After engaging with several audit teams, we decided to sign with Anastasia Labs because of the technical ability of their team, specialization in Cardano, and their values for what is important in a Web3 solution aligned with Charli3 (e.g. decentralization, utility, transparency, and security are the most important goals).

Information on meeting this goal: https://milestones.projectcatalyst.io/projects/1100094/milestones/1

Audit on-chain code

Anastasia Labs completed this step during milestone 2: https://milestones.projectcatalyst.io/projects/1100094/milestones/2

Results: https://drive.google.com/file/d/1L3oMIi6Ynm6e13c0kef0bTvOZsHxezCy/view

Audit off-chain code

Anastasia Labs completed this step during milestone 2: https://milestones.projectcatalyst.io/projects/1100094/milestones/2

Results: https://drive.google.com/file/d/1L3oMIi6Ynm6e13c0kef0bTvOZsHxezCy/view

Audit node software

Anastasia Labs completed this step during milestone 2: https://milestones.projectcatalyst.io/projects/1100094/milestones/2

Results: https://drive.google.com/file/d/1L3oMIi6Ynm6e13c0kef0bTvOZsHxezCy/view

Audit alert and monitoring systems

Anastasia Labs completed this step during milestone 3:

https://milestones.projectcatalyst.io/projects/1100094/milestones/3

Results: https://drive.google.com/file/d/1-SQRfKaqc-Bt-orikVrRGMIBEj-XUDpR/view

General security review

Anastasia Labs completed this step during milestone 3:

https://milestones.projectcatalyst.io/projects/1100094/milestones/3

Results: https://drive.google.com/file/d/1-SQRfKaqc-Bt-orikVrRGMIBEj-XUDpR/view

Apply any recommended changes

The Charli3 team completed this step during milestone 4: https://milestones.projectcatalyst.io/projects/1100094/milestones/4

Results: https://drive.google.com/file/d/1-SQRfKaqc-Bt-orikVrRGMIBEj-XUDpR/view

Receive a certified audit report indicating we passed the audit

Anastasia Labs gave Charli3 a passing audit report after significant changes and recommendations were implemented during milestone 5: https://milestones.projectcatalyst.io/projects/1100094/milestones/5

Final Certified Audit Report: https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:78c3bce8-62a8-4685-b334-cfd6fcc76947?viewer%21megaVerb=group-discover

Public Announcement by Anastasia Labs: https://x.com/AnastasiaLabs/status/1873762896716448095

Key learnings

The audit helped the Charli3 team identify immediate changes to our solution to enhance the accuracy, performance, reliability, and security of our oracle networks. Furthermore, the audit contributed to long-term roadmap planning.

See below for a more detailed account of our learnings:

The audit by Anastasia Labs helped the Charli3 team:

  • Have peace of mind that there were no critical or major issues in any of our code and systems. This, in turn, helps increase trust in our solution among customers and prospective customers in the Cardano ecosystem.
  • Three medium priority issues were identified. The identification of these issues significantly improved the Charli3 service offering.
  • Firstly, we acknowledged an issue where one or many of the several admin multi-signature key holders could be unavailable (lost, stolen, etc.), preventing any future changes to the oracle feed. In response to this issue, we’ve made contract and policy changes to compensate customers for launching a new feed and replenishing any lost tokens in the contract (in the event that they want to shut down or change a feed parameter but cannot do so). In the long term, we plan to implement technical failsafes to make such scenarios more manageable.
  • Secondly, Anastasia pointed out that nodes do not have a retry mechanism in the event that a data source API is unresponsive, leading to fewer data sources as input for an aggregation. Additionally, we enhanced our rate limit function. Both of these code changes improve our oracle network performance.
  • Thirdly, Anastasia Labs identified a similar rate limit and retry mechanism enhancement for our alert and monitoring systems. Node software constantly monitors data sources to trigger deviation price updates, and the finding applies to that function. The solution we implemented added these functions and alerts.
  • 6 Low priority issues were identified. Without going into the details already provided in the full audit report, the key learnings from this audit were ways to improve the accuracy, reliability, security, and performance of the oracle price feeds. Every change added to the enhancement of our service, a critical infrastructure layer service vital to successful DeFi during volatile bull markets.
  • 7 Information issues were identified. Likewise, for most of these issues we applied the recommended changes and, if not, made long-term plans to address them. Getting external third-party feedback was invaluable to formulating a long-term roadmap.
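
The second medium finding is easier to see in code. The following is an added illustration, not Charli3's node software and not taken from the audit report: it compares an aggregation with and without a bounded retry when some data source APIs are briefly unresponsive. The `FlakySource` class, the prices, the median aggregation and the `min_sources` quorum are all assumptions made for the example.

```python
import statistics

class FlakySource:
    """Constructed stand-in for a price API: fails its first `fail_first` calls."""
    def __init__(self, name, price, fail_first=0):
        self.name, self.price, self.fail_first, self.calls = name, price, fail_first, 0

    def fetch(self):
        self.calls += 1
        if self.calls <= self.fail_first:
            raise TimeoutError(f"{self.name} unresponsive")
        return self.price

def fetch_with_retry(source, max_attempts=3, base_delay=0.5, sleep=lambda s: None):
    """Bounded retry with exponential backoff; returns None if every attempt fails."""
    for attempt in range(max_attempts):
        try:
            return source.fetch()
        except (TimeoutError, ConnectionError):
            if attempt + 1 < max_attempts:
                sleep(base_delay * 2 ** attempt)  # pass time.sleep in real use
    return None

def aggregate(sources, max_attempts, min_sources=3):
    """Median over the sources that answered; refuse to publish below the quorum."""
    prices = [p for s in sources
              if (p := fetch_with_retry(s, max_attempts)) is not None]
    if len(prices) < min_sources:
        raise RuntimeError(f"only {len(prices)} of {len(sources)} sources answered")
    return statistics.median(prices), len(prices)

def make_sources():
    # Constructed sample (integer micro-units): two healthy feeds,
    # two with a transient outage, one that stays down.
    return [FlakySource("a", 500000), FlakySource("b", 506000),
            FlakySource("c", 498000, fail_first=1),
            FlakySource("d", 499000, fail_first=2),
            FlakySource("e", 470000, fail_first=99)]

def compare():
    """Return (price, sources_used) for a single attempt and for three attempts."""
    no_retry = aggregate(make_sources(), max_attempts=1, min_sources=2)
    with_retry = aggregate(make_sources(), max_attempts=3, min_sources=2)
    return no_retry, with_retry

if __name__ == "__main__":
    print(compare())
```

With a single attempt the aggregate rests on two sources; with retries it rests on four and the published value moves, which is why dropped sources are an accuracy concern and not only an availability one.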

Next steps for the product or service developed

Charli3 is releasing version 2 of our pull-based oracle service in Q1 2025 that enables users to request data on demand instead of receiving data on a scheduled frequency. This will lower costs and enable integrated payment methods for DeFi solutions (data costs can be tied to transaction costs within protocols).

Charli3 is releasing a Substrate Partnerchain upgraded infrastructure in Q2 2025 that can enable 20+ nodes in a network and provide the fastest and lowest cost Oracle solution on Cardano.

Learnings from the audit will apply to future enhancements and new infrastructure development.

Final thoughts/comments

Anastasia Labs are a fantastic team with talented developers. They helped the Charli3 team identify issues to enhance our service, which is remarkable given that we’ve been building since 2021 and have successfully passed a previous audit. Their contribution through the audit makes an immediate impact on our current service and will impact the quality of our future infrastructure upgrades.

Important links

Proposal:

https://projectcatalyst.io/funds/11/cardano-use-cases-product/charli3-v3-architecture-audit

Statement of Milestones:

Milestone 1

Description:

  1. Collected estimates including timeline and scope of audit
  2. Signed a contract with Anastasia Labs (contract not available for public view as per request by the lab)
  3. Agreed on detailed roadmap: 2 weeks of discovery, 8 weeks of line by line audit of all systems listed in our article below, and a final phase of remedies including support from an external team to implement any fixes (overall timeline 8–16 weeks)

Deliverables:

Link to Medium article that contains all the evidence required: https://oraclecharli3.medium.com/charli3-auditors-anastasia-labs-cb1f359c8f00

Anastasia Labs Estimate (236k ADA): https://drive.google.com/file/d/1QHQKblMUcavRc67u58n89iQL1wi4vhFV/view?usp=sharing

More details are in the Medium article, including the TxPipes estimate (180k USD). CertiK did not pursue it, as their expertise since 2021 has shifted away from Cardano.

Milestone 2

Description:

  1. Collected estimates including timeline and scope of audit
  2. Signed a contract with Anastasia Labs (contract not available for public view as per request by the lab)
  3. Agreed on detailed roadmap: 2 weeks of discovery, 8 weeks of line by line audit of all systems listed in our article below, and a final phase of remedies including support from an external team to implement any fixes (overall timeline 8–16 weeks)

Deliverables:

Link to Medium article that contains all the evidence required: https://oraclecharli3.medium.com/charli3-auditors-anastasia-labs-cb1f359c8f00

Anastasia Labs Estimate (236k ADA): https://drive.google.com/file/d/1QHQKblMUcavRc67u58n89iQL1wi4vhFV/view?usp=sharing

More details are in the Medium article, including the TxPipes estimate (180k USD). CertiK did not pursue it, as their expertise since 2021 has shifted away from Cardano.

Milestone 3

Note: there was only one finding/issue from the Alert and Monitoring of the Internal architecture, and it is described by ID-201: Health check API for Node and the Slack Alert Services in the report. Anastasia decided to only describe two sections, thanks for your patience, reviewers! Let me know if we need to resubmit with a clearer report.

  1. Please find the official Anastasia Labs Report for milestone 3 that covers all 4 areas required for this output: https://drive.google.com/file/d/1-SQRfKaqc-Bt-orikVrRGMIBEj-XUDpR/view?usp=sharing
  2. Please find a Medium article with all the details summarized again for public view: https://oraclecharli3.medium.com/audit-b2b71d83d589

Milestone 4

Please find a Medium article and a link to an audit report (PDF) that contains:

  1. List of issues that required remedy
  2. All issues requiring remediation completed
  3. Report on all issues, all issues resolved, and all pending (and why); in the event that we fail the audit, we will provide in this article a public roadmap for resolving any issues.
  4. Confirmation by Anastasia Labs (individually signed off in the report) that Charli3 successfully resolved all issues required to pass the audit

Medium Article: https://oraclecharli3.medium.com/charli3-audit-update-afed760fd76d

Audit Report with Resolutions: https://drive.google.com/file/d/1-SQRfKaqc-Bt-orikVrRGMIBEj-XUDpR/view?usp=sharing

Milestone 5

Final Certified Audit Report: https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:78c3bce8-62a8-4685-b334-cfd6fcc76947?viewer%21megaVerb=group-discover

Public announcement by Anastasia Labs: https://x.com/AnastasiaLabs/status/1873762896716448095

Medium Article (Charli3.io Public): https://oraclecharli3.medium.com/charli3-audit-milestone-5-fb8d738c334d

Github Repos for review:

https://github.com/Charli3-Official

Total Cost Sheet:

https://docs.google.com/spreadsheets/d/1Bl4XDbzWsJUsVmRfRHlJhHk0TXztaB_qReCJ499sjw8/edit?usp=sharing

Link to Close out video — must be either YouTube or Vimeo link only

https://vimeo.com/1064523188/3faaa82ba7?share=copy
