Summary

Milkomeda operates an Algorand rollup service, which serves as a Layer 2 Ethereum Virtual Machine (EVM) service using Algorand Layer 1. The rollup service comprises several core components, including Observer, Batcher, TxQueue, and Web Server.

During the security assessment, issues ranging in severity from critical to note (informational) were identified. One critical finding involved a lack of authentication on the Redis database, which could be exploited by a malicious actor to compromise the rollup service. Another critical finding revealed that a large transaction with a high gas price could prevent legitimate users from using the rollup service by filling up the batch size limit.

Milkomeda has fixed or acknowledged all major issues identified in the engagement. The fix for the C02 issue involved a major refactoring of the code base. The refactor correctly addressed the issue identified in C02. All the modified behaviors of batcher services as a result of the refactor could not be reviewed in depth within the fix review timeframe.