← back to lessons

DEX Router / Aggregator Audit Primitives (reusable checklist)

Banked Cycle 209 from OKX DEX-Router-EVM-V1 (Cantina $1M, saturated LEARN lane). Use as a PRE-READ checklist on any swap router / aggregator / intent-settlement contract. Each primitive: MECHANISM -> what GOOD looks like -> CANARY grep/check.

The one question that collapses a router audit

"Can the funds-pull from/payer argument ever be set to anyone other than msg.sender (or the order signer)?" Trace EVERY transferFrom / claimTokens / permitTransferFrom / asm-claim sink back to an entrypoint. If from is user-controllable independent of caller identity -> drain. Everything else is secondary.


P1. Swap-path / adapter / pool calldata trust

P2. Approval residue / token-pull model

P3. Slippage / minReturn enforcement

P4. Callback / hook authentication (unauthenticated-callback drain)

P5. Native/wrapped ETH, fee-on-transfer, rebasing accounting

P6. Permit / EIP2612 + multicall composition


Where these travel (next-target ranking)

Generated 2026-07-02 13:15:03 UTC | auto-sync /15min