Parity Tech mandated Quarkslab to audit XCM version 2 (XCMv2), a cross consensus communication mechanism. This messaging protocol is a cornerstone of the Polkadot ecosystem as it enables communications between chains on a network. This blog post summarizes few security aspects related to this technology and its implementation. The full audit report is available in PDF format at the end of this article.Parity Tech is actively working on developments related to the Polkadot ecosystem. Polkadot recently launched the crowdloan process as part of the long-planned objective of creating a network of blockchains interconnected via a relay chain to perform cross-chain exchanges.In this context, Parity is working on XCM (Cross-Consensus Messaging) which provides a common format enabling Substrate-based blockchains to communicate with the relay chain and between each other. This component from the original Polkadot design is essential for Polkadot’s multichain network. It enables both fungible and non-fungible asset transfers and also remote extrinsic calls.Bridges and cross-chain technologies, in general, will play an essential role in the upcoming months or years to interconnect blockchains that are not necessarily working with the same technology or consensus rules. Among these are Hop for EVM blockchains, Interlay to bridge Bitcoin to Polkadot or Axelar Network, which aims at bridging multiple blockchain technologies.XCM follows a similar goal and aims at bridging any kind of consensus in the future. Polkadot’s founder Gavin Wood provides insights of XCM goals as “a language communicating ideas between consensus systems” [1].Quarkslab conducted an audit of XCMv2 before parachains obtained a slot on the Polkadot relay chain and thus before the activation of the support in their blockchain. An additional security audit had already been performed by another security company.The audit aimed at finding any cross-chain-related security issues, like incorrect lock/unlock or burn/mint on both chains, or any fairness issues between chains. This also includes logical bugs, denial-of-service and any misconfiguration (of default settings) that can have a security impact. The audit did not reveal any meaningful security-related issues.This blog post aims at providing a glimpse of the internal working of XCM transactions and more especially the VM-based design for processing messages. It also highlights the key security and sanity checks to be performed before activating XCM on a parachain.The XCM design and the two main use-cases — reserve transfer assets and teleport assets — have thoroughly been described by Gavin Wood in a blog post trilogy [1], [2], [3] and a workshop by Shawn Tabrizi [7]. Moonbeam also provides multiple educational contents about XCM and their usage with XC-20 tokens [4], [5].While user applications of XCM (assets transfers, etc.) have been well described, let us focus on what’s happening under the hood when transferring assets between two chains. The core component is the XCM virtual machine (XCVM). Indeed, messages exchanged are scale-encoded [6] instruction opcodes. A message is essentially a list of instructions that perform various actions like withdrawing assets from an account, depositing them, initiating a transfer, etc.When receiving a new message, a new VM is instantiated for the lifetime of the message execution. Some instructions update registers of the VM. These registers hold the origin (identity performing the action), holding (assets manipulated), and a trader handling weight costs, surplus, and refunded amounts. The VM also contains an instruction pointer addressing the current message instruction to execute. Similarly, it contains registers pointing to error handlers and appendix handlers.Let’s consider a teleport asset transfer from the relay chain to a parachain. In this scenario, the user withdraws funds from its local account and transfers them to the XCVM, which will eventually burn the asset. Then, the chain has to transmit a message to the remote chain to mint and deposit the equivalent amount of assets into the user’s account on the parachain. The complete initial message is the following:The following animation shows the broad steps performed by the XCM pallet teleport_assets call, its processing by the XCM executor and its underlying XCVM, up to the final deposit on the remote account (here Alice).Note that in this scenario, the destination chains have to accept the originating chain as a teleporter, i.e., an origin from which the receiver can trust that the sender rightfully destroyed assets before teleporting them, in its own XCM configuration. Otherwise, the execution of ReceiveTeleportedAsset on the destination chain will reject the message as the origin register will be untrusted. That is one of the reasons why properly configuring XCM is a critical task. Let’s discuss a few aspects of the XCM configuration.Parachain developers do not necessarily need to understand the deep intricacies of the XCM executor, but the pallet configuration leaves many levers of configuration that should be handled with care. Indeed, some configuration aspects are interdependent as highlighted in the report. Here is a quick memo of things to verify before activating XCM or accepting exchanging messages with a chain.In the following list, elements of the XCM pallet and the XCM executor configuration are mixed, in fact, the XCM executor configuration is nested as a configuration element of the XCM pallet. They are marked with the “pallet” or the “executor” (or “both”) annotation.Three filters, XcmExecuteFilter, XcmTeleportFilter and XcmReserveTransferFilter are the first configuration types to look at. These filters are an assertion mechanism respectively for the execute, teleport and reserve_transfer extrinsics (and their limit additions). These types implement the Rust trait (or interface) Contains