Introduction to Race Protocol

Race Protocol is a multi-chain infrastructure designed to facilitate the development and deployment of secure and fair web3 games, particularly asymmetric competitive games. It offers developers a comprehensive set of tools and features, including on-chain account management, P2P randomization, encrypted communication, and transparent token settlements. These functionalities aim to simplify web3 game development while ensuring fairness and security for players.

This security audit was conducted to assess the overall security posture of Race Protocol and identify any potential vulnerabilities within its smart contracts, WebAssembly components, client-side SDK, and server-side implementations. The audit focused on evaluating the following aspects:

• Smart Contract Security: The audit reviewed the smart contract code for vulnerabilities such as reentrancy, access control issues, and logic errors. The use of best practices for smart contract development was also assessed.

• WebAssembly Security: The audit analyzed the WASM game bundles for potential vulnerabilities like memory safety issues or malicious code injection. The security of the WASM runtime environment and its isolation from the client application were also evaluated.

• Client-side Security: The audit assessed the security of the Race SDK, its interaction with the Transactor server, and the handling of sensitive information and secret keys on the client side.

• Server-side Security: The audit reviewed the Transactor and validator server implementations for potential vulnerabilities, such as insecure communication or data handling practices. The security of the P2P randomization process and server-side security measures were also evaluated.

• Randomization and Encryption: The audit assessed the security of the mental poker algorithm implementation and the strength of the encryption methods used for communication and data protection.

• On-chain Account Management: The audit reviewed the security of on-chain account creation, access control, and management processes for game accounts, game bundle accounts, player profiles, and registration accounts.

• Synchronization Mechanisms: The audit evaluated the effectiveness of the access and settle versions in ensuring consistent game state synchronization across different nodes and the event-driven architecture's ability to handle asynchronous updates and network delays.

• Payment Handling: The audit assessed the security and transparency of the recipient account mechanism for managing complex payments and the claiming process for receivers.

The audit employed a combination of manual code review, automated vulnerability scanning, and penetration testing techniques. The scope of the audit covered the core Race Protocol components, including the smart contracts, WASM game bundles, Race SDK, and server implementations.

The audit identified several potential vulnerabilities and areas for improvement within the Race Protocol ecosystem. These findings, along with detailed recommendations for addressing them, are presented in the full audit report.