
Audit Overview
Client: Rujira
Blockchain: Rujira (THORChain)
Service: Smart Contract Security Audit
Audit Period: January 29 – February 13, 2026
Scope: Rujira Fin v1.2 (Order Book, Ranges, BOW)
Repository: gitlab.com/thorchain/rujira (fin/v1.2)
About Rujira Fin
Rujira Fin is a hybrid order book DEX built with CosmWasm on Rujira, THORChain's omnichain app layer. It combines limit orders, oracle-priced orders, and automated range-based liquidity into a single unified trading engine. The system supports swaps, limit order placement, and range-based LP positions—with BOW (an automated market-making module) providing protocol-managed liquidity across the order book.
The architecture is notably complex: order matching operates across fixed-price limit orders, oracle-anchored pools, and range orders that distribute liquidity across configurable tick intervals. Oracle pools use THORChain's native price feeds with basis-point offsets, while range orders implement a Fenwick-tree-based distribution system for capital-efficient liquidity provision. This multi-layer design creates a rich trading experience but introduces significant security surface across order routing, fee enforcement, tick transitions, and iterator correctness.
Summary of Findings
Our review identified ten security findings across the contract suite: two critical, one high, five medium, one low, and one informational severity. Seven findings have been resolved, and three were acknowledged with operational mitigations or design rationale.
| Severity | Total | Resolved | Acknowledged |
|---|---|---|---|
| Critical | 2 | 2 | – |
| High | 1 | – | 1 |
| Medium | 5 | 4 | 1 |
| Low | 1 | – | 1 |
| Informational | 1 | 1 | – |
| Total | 10 | 7 | 3 |
Key Findings
Zero-Rate Oracle Pool Enables Direct Fund Theft
Severity: Critical | Status: Resolved
An Oracle(-10000) pool, configured with a basis-point offset of −10000 (−100%), sets the effective swap rate to zero. Any user can create such a pool and then route swaps through it via ExecuteMsg::Swap. The victim sends real tokens into the pool but receives nothing in return because the zero rate truncates the output to zero. The attacker, as the sole liquidity provider, then withdraws the victim's deposited tokens as profit, achieving direct theft of swap user funds with no special privileges required.
Resolution: Added a guard that rejects any oracle pool where the absolute basis-point offset would drive the effective rate to zero or negative, preventing the creation of exploitable zero-rate pools.
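The guard described in this resolution can be sketched as follows. This is an added example, not code from the audit or from the Rujira repository; the rate formula (oracle price multiplied by 10,000 plus the offset, over 10,000), the 1e8 price scale, and all function and type names are assumptions made for illustration.

```rust
// Added example: constructed model of an oracle pool with a basis-point offset.
const BPS_DENOM: i64 = 10_000;
const PRICE_SCALE: u128 = 100_000_000; // assumed 1e8 fixed-point oracle price

#[derive(Debug, PartialEq)]
pub enum PoolError {
    NonPositiveRate { offset_bps: i32 },
}

/// Multiplier applied to the oracle price, in basis points: 10_000 + offset.
/// Rejects offsets at or below -10_000, where the effective rate is zero or negative.
pub fn rate_factor_bps(offset_bps: i32) -> Result<u128, PoolError> {
    let factor = BPS_DENOM + i64::from(offset_bps);
    if factor <= 0 {
        return Err(PoolError::NonPositiveRate { offset_bps });
    }
    Ok(factor as u128)
}

/// Swap output rounded down: offer * price * factor / (1e8 * 1e4).
/// Returns None on arithmetic overflow.
pub fn swap_output(offer: u128, price_e8: u128, factor_bps: u128) -> Option<u128> {
    let numerator = offer.checked_mul(price_e8)?.checked_mul(factor_bps)?;
    Some(numerator / (PRICE_SCALE * BPS_DENOM as u128))
}

fn main() {
    // Without the guard, Oracle(-10000) yields a factor of 0 and every swap returns 0.
    println!("unguarded output: {:?}", swap_output(1_000_000, 200_000_000, 0));
    // Constructed offsets: the first is rejected at pool creation, the rest are accepted.
    for offset in [-10_000, -9_999, -50, 0, 25] {
        match rate_factor_bps(offset) {
            Ok(f) => println!(
                "offset {offset}: factor {f} bps, output {:?}",
                swap_output(1_000_000, 200_000_000, f)
            ),
            Err(e) => println!("offset {offset}: rejected ({e:?})"),
        }
    }
}
```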
Unauthorized Range Transfer via Sender Spoofing
Severity: Critical | Status: Resolved
The Arb and DoRange message handlers accepted a caller-supplied sender field without verifying it against info.sender. An attacker could spoof any address as the sender, enabling unauthorized transfer, withdrawal, or modification of another user's range-based LP positions—effectively stealing their liquidity. This required no special privileges and could be executed by any on-chain actor.
Resolution: Replaced the caller-supplied sender with info.sender from the message context, ensuring only the authenticated caller can act on their own positions.
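The difference between the two identity sources, as an added example in plain Rust (not the contract's code). `MessageInfo` stands in for the authenticated message context, and the `DoRange` field layout, the `Ranges` store and the account names are hypothetical.

```rust
use std::collections::HashMap;

/// Stand-in for the message context: `sender` is set by the chain from the signer.
pub struct MessageInfo { pub sender: String }

/// Hypothetical message shape carrying a caller-supplied `sender` field.
pub struct DoRange { pub sender: String, pub range_id: u64, pub new_owner: String }

#[derive(Default)]
pub struct Ranges { owners: HashMap<u64, String> }

impl Ranges {
    pub fn open(&mut self, id: u64, owner: &str) { self.owners.insert(id, owner.to_string()); }
    pub fn owner_of(&self, id: u64) -> Option<&str> { self.owners.get(&id).map(String::as_str) }

    /// Before the fix: identity comes from the message body, which the caller controls.
    pub fn transfer_before(&mut self, _info: &MessageInfo, msg: &DoRange) -> Result<(), String> {
        self.transfer_as(&msg.sender, msg)
    }

    /// After the fix: identity comes only from the authenticated message context.
    pub fn transfer_after(&mut self, info: &MessageInfo, msg: &DoRange) -> Result<(), String> {
        self.transfer_as(&info.sender, msg)
    }

    /// Shared ownership check: only the current owner may reassign a range.
    fn transfer_as(&mut self, actor: &str, msg: &DoRange) -> Result<(), String> {
        match self.owners.get_mut(&msg.range_id) {
            Some(owner) if owner.as_str() == actor => { *owner = msg.new_owner.clone(); Ok(()) }
            Some(_) => Err("unauthorized".to_string()),
            None => Err("range not found".to_string()),
        }
    }
}

fn main() {
    // Constructed scenario: "bob" signs a message whose body names "alice" as sender.
    let info = MessageInfo { sender: "bob".into() };
    let msg = DoRange { sender: "alice".into(), range_id: 1, new_owner: "bob".into() };
    let mut ranges = Ranges::default();
    ranges.open(1, "alice");
    println!("after fix:  {:?}", ranges.transfer_after(&info, &msg));
    println!("before fix: {:?}", ranges.transfer_before(&info, &msg));
}
```

A regression test for this class of bug signs with one account, names another in the message body, and asserts that the handler rejects the call and leaves ownership unchanged.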
Swapper Underflow DoS via Consumed-Offer Overflow
Severity: Medium | Status: Resolved
In bid_pool::distribute_full, the consumed offer amount could exceed the passed offer due to rounding in partial-fill arithmetic. When propagated back to the swap loop, the subtraction offer -= consumed underflows, panicking the contract and permanently blocking swaps for that trading pair. A single carefully-sized swap could trigger this condition, causing a denial-of-service on the affected pool.
Resolution: Clamped the consumed value to never exceed the passed offer amount, preventing the underflow and ensuring swap continuity.
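How rounding can push a recomputed consumed amount past the offer, and how the clamp removes the underflow, as an added example. The fixed-point arithmetic below is constructed for illustration and is not the arithmetic in bid_pool::distribute_full; `SCALE`, `fill` and the sample values are assumptions.

```rust
// Added example: constructed fixed-point arithmetic, not the contract's own.
const SCALE: u128 = 1_000_000; // assumed 6-decimal fixed point for rates

/// Inverse of `rate` (non-zero), rounded up.
/// Rounding up here is what lets `consumed` exceed `offer`.
fn inv_rate_ceil(rate: u128) -> u128 {
    (SCALE * SCALE + rate - 1) / rate
}

/// Fill `offer` at `rate` (output per offer unit, scaled by SCALE).
/// Returns (output, consumed), where consumed is recomputed from output.
pub fn fill(offer: u128, rate: u128) -> (u128, u128) {
    let output = offer * rate / SCALE;
    let consumed = (output * inv_rate_ceil(rate) + SCALE - 1) / SCALE;
    (output, consumed)
}

/// Before: `offer -= consumed`. checked_sub returns None where the contract would panic.
pub fn remaining_before(offer: u128, rate: u128) -> Option<u128> {
    let (_, consumed) = fill(offer, rate);
    offer.checked_sub(consumed)
}

/// After: consumed is clamped to the offer passed in, so the subtraction cannot underflow.
pub fn remaining_after(offer: u128, rate: u128) -> u128 {
    let (_, consumed) = fill(offer, rate);
    offer - consumed.min(offer)
}

fn main() {
    let (offer, rate) = (1_000_000u128, 3 * SCALE); // constructed values
    println!("fill:   {:?}", fill(offer, rate));
    println!("before: {:?}", remaining_before(offer, rate));
    println!("after:  {}", remaining_after(offer, rate));
}
```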
Tick Change Strands Fixed-Price Orders
Severity: Medium | Status: Resolved
When an admin changes the tick spacing for a pool, any existing fixed-price limit orders placed at the old tick values become stranded—they no longer align with valid ticks and can never be matched by the order book iterator. Users cannot cancel these orders through normal flows either, effectively locking their funds in unreachable orders with no recovery path.
Resolution: Added a migration mechanism that automatically re-aligns or cancels stranded orders when tick spacing is modified, ensuring user funds remain accessible after configuration changes.
Rujira's Security Posture
The Rujira team demonstrated strong security responsiveness throughout the engagement. Both critical findings—the zero-rate oracle pool theft and the sender spoofing vulnerability—were resolved promptly with clean, targeted fixes. Of the ten total findings, seven were resolved while three were acknowledged with clear operational rationale.
The critical findings highlight the challenges inherent in building a multi-modal order book: the zero-rate pool emerged from the interaction between oracle pricing and basis-point offsets, while the sender spoofing was a classic access control gap in message handlers that accept caller-supplied identity. Both are patterns that arise when composing complex DeFi primitives and underscore the value of thorough security review.
The acknowledged findings—including the BOW fee interaction, unbounded iteration, and recursive range iterator—reflect known design trade-offs where operational controls and gas limits provide sufficient mitigation for the current deployment context.
FailSafe's Closing Remarks
Rujira Fin is one of the more architecturally ambitious DEX designs we've audited—combining fixed-price orders, oracle-anchored pools, and range-based liquidity in a single CosmWasm contract. The audit spanned oracle trust boundaries, access control in message routing, arithmetic precision in partial fills, iterator correctness across tick transitions, and fee enforcement in the BOW market-making layer.
We look forward to continuing our security partnership with the Rujira team as the protocol evolves. The breadth of findings across different subsystems demonstrates the depth of review that complex DeFi infrastructure demands, and we are confident that Fin v1.2 is in a strong position following the remediation of all critical and medium-severity issues.