Comprehensive Upgrade to Public Blockchain Security Audit Guide

SlowMist
6 min readJul 12, 2024

--

As blockchain technology becomes more widespread, more users are conducting transactions on Layer1. This has led to noticeable issues such as slower transaction speeds and higher transaction fees on Layer1. In response, Layer2 has emerged as a solution to enhance the scalability and performance of blockchain platforms without compromising the security and decentralization characteristics of Layer1. According to L2BEAT, the total value locked in the Layer2 ecosystem now reaches $39.5 billion, encompassing a variety of unique technologies and frameworks.

https://l2beat.com/scaling/summary

Over the years, the SlowMist security team has accumulated extensive experience in mainnet security audits and advanced vulnerability detection techniques. We have openly shared our mainnet security audit methods with the industry, aiming to collaboratively build a safer blockchain ecosystem.

Security is an ongoing process, and audit methodologies must evolve to meet the industry’s needs. Our security team continuously monitors industry trends, identifies prevalent security issues within the blockchain ecosystem, and understands user security requirements. This knowledge forms the basis for developing and optimizing security audit schemes. Recently, the SlowMist security team has updated the public blockchain security audit guide to reflect current developments in Layer1 and Layer2. The specific details of the updated security audit scheme are as follows:

Scheme 1: Mainnet & layer2 project security audits

In the Mainnet & Layer2 project security audit, the SlowMist security team employs a “black box + gray box” strategy to conduct rapid security testing in a manner that closely simulates real attacks. The vulnerabilities we check include:

The vulnerabilities checked by the SlowMist team include:

  • Insufficient entropy of private key random numbers
  • Precision loss in private key seed conversion
  • Theoretical reliability assessment of symmetric encryption algorithms
  • Supply chain security of symmetric crypto algorithm reference libraries
  • Keystore encryption strength detection
  • Hash algorithm length extension attack
  • Theoretical reliability assessment of hash algorithms
  • Theoretical reliability assessment of signature algorithms
  • secp256k1 k-value randomness security
  • secp256k1 r-value reuse private key extraction attack
  • ECC signature malleability attack
  • ed25519 private key extraction attack
  • Schnorr private key extraction attack
  • ECC twist attack
  • Merkle-tree Malleability attack (CVE-2012–2459)
  • Native characteristic false recharge
  • Contract call-based false recharge
  • Native chain transaction replay attack
  • Cross-chain transaction replay attack
  • Transaction lock attack
  • Transaction fees not dynamically adjusted
  • RPC remote key theft attack
  • RPC port identifiability
  • RPC open cross-domain vulnerability to local phishing attacks
  • JsonRPC malformed packet denial-of-service attack
  • RPC database injection
  • RPC communication encryption
  • Excessive administrator privileges
  • Non-privacy/Non-dark Coin Audit
  • Insufficient number of core nodes
  • Excessive concentration of core node physical locations
  • P2P node maximum connection limit
  • P2P node independent IP connection limit
  • P2P inbound/outbound connection limit
  • P2P shapeshift attack
  • P2P communication encryption
  • P2P port identifiability
  • Consensus algorithm potential risk assessment
  • Block time offset attack
  • Miner grinding attack
  • PoS/BFT double-signing penalty

Scheme 2: Code-based Testing Audit

The source code security audit adopts a “white box” strategy, conducting the most comprehensive security testing on the project’s relevant source code. White box auditing typically combines automated static code analysis with manual analysis.

Static Source Code Analysis

The SlowMist team utilizes open-source or commercial code scanning tools for static code analysis and manually examines the identified issues. We support all popular languages, including C/C++/Golang/Rust/Java/Nodejs/C#.

The static coding issues checked by the SlowMist team include:

  • Unused Variables or Imports: Declared but unused variables or imported modules.
  • Code Formatting Issues: Inconsistent indentation, excessive line length, etc.
  • Improper Resource Closure: Unclosed resources such as files or database connections.
  • Magic Numbers: Direct use of numeric constants instead of named constants.
  • Potential Security Vulnerabilities: Issues like SQL injection, XSS, etc.
  • Integer Overflow: Unexpected behavior due to calculations exceeding the range of integer types.
  • Floating-Point Precision Issues: Calculation errors due to the limitations of floating-point representation.
  • Deadlocks: Threads waiting on each other to release resources, causing a stalemate.
  • Race Conditions: Program behavior depending on the uncontrolled order of execution in multi-threaded or concurrent environments.
  • Memory Leaks: Dynamically allocated memory not properly released, leading to increasing memory usage.
  • Infinite Recursion: Recursive functions lacking proper termination conditions, causing stack overflow.
  • String Formatting Vulnerabilities: Insecure string formatting leading to potential security issues.
  • Divide-by-Zero Errors: Failure to check for zero in divisor during division operations.
  • Null Pointer Dereferencing: Attempting to access memory at the location pointed to by a null pointer.
  • Buffer Overflow: Writing data exceeding the buffer’s capacity, potentially leading to security vulnerabilities.
  • Type Conversion Errors: Improper type conversions causing data loss or incorrect results.
  • Hard-Coded Keys or Sensitive Information: Directly embedding keys or sensitive information in code, posing security risks.
  • High Code Complexity: Long functions or methods, excessive logical branches.
  • Code Duplication: Identical or similar code blocks appearing in multiple locations.
  • Inconsistent Naming: Unclear or inconsistent naming of variables, functions, classes, etc.
  • Insufficient or Outdated Comments: Lack of necessary comments or comments that do not match the code.
  • High Coupling: Complex interdependencies between modules, making maintenance and expansion difficult.
  • Low Cohesion: Modules or classes with functions that are not closely related, with unclear responsibilities.
  • Improper Exception Handling: Catching overly broad exceptions or ignoring exceptions.
  • Hard-Coding: Using constant values directly in the code instead of configuration parameters.
  • Inconsistent Code Formatting: Non-uniform use of indentation, spaces, etc.
  • Performance Issues: Unnecessary loops, frequent object creation, etc.
  • Poor Testability: Code that is difficult to unit test or integrate test.
  • Violation of Design Principles: Violations of principles like the Single Responsibility Principle, Open/Closed Principle, etc.
  • Poor Readability: Confusing code structure, making it difficult to understand.
  • Insecure Random Number Generation: Using random number generation methods unsuitable for secure purposes.
  • Time and State Issues: Vulnerabilities like TOCTOU (Time-of-Check to Time-of-Use).
  • Path Traversal: Failing to properly validate file paths, potentially accessing unauthorized files.
  • Outdated Dependencies: Use of libraries that are no longer maintained or have known security vulnerabilities.

Manual Code Review

The SlowMist team performs a line-by-line code review to identify coding flaws and logical errors. The vulnerabilities we focus on mainly include:

  • Cryptographic signature security
  • Account and transaction security
  • RPC security
  • P2P security
  • Consensus security
  • Business logic security

Scheme 3: Application Chain Security Audit

The SlowMist team adopts the strategy of “White-box” to conduct a complete security test on the project, looking for common coding pitfalls as follows:

  • Replay Vulnerability
  • Reordering Vulnerability
  • Race Conditions Vulnerability
  • Authority Control Vulnerability
  • Block data Dependence Vulnerability
  • Explicit Visibility of Functions
  • Arithmetic Accuracy Deviation Vulnerability
  • Malicious Event Log
  • Asynchronous Call Security

Currently we support:

  1. Cosmos-SDK Framework Based Blockchain Audit
  2. Substrate Framework Based Blockchain Audit

Conclusion

Over the past few years, nearly hundred renowned public blockchain projects have undergone various types of security audits by SlowMist, including Prysm, TON, Mantle, Vision Network, Metis, Acala, Eden, etc. SlowMist has also audited several well-known Layer2 projects, such as Morph, Bitlayer, Merlin Chain, and RSS3 Network. We welcome projects in need of audits to contact the SlowMist security team at team@slowmist.com for consultation and partnership.

The complete guide is open-sourced on GitHub.

About SlowMist

At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.

We offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) solutions, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we wish to help spread awareness and raise the security standards in the blockchain ecosystem.

💬Website 🐦Twitter ⌨️GitHub

--

--

SlowMist
SlowMist

Written by SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.