SlowMist: Upgrade to Blockchain Security Audits to Create a Safer Environment
Since the first introduction of Bitcoin in 2009, more than 3000 projects have been launched into the blockchain ecosystem. Today, the market capitalization of crypto assets has surpassed $1 trillion US dollars. Naturally, we anticipate that these numbers will continue to climb over time. The growth of blockchain technology continues, reaching rates that have yet to be sustained by effective security measures. As users aim to capitalize on the ever-evolving blockchain technology, they are met with worry with instances of fraud emerging at an alarming rate. According to the SlowMist Hacked Archives, security incidents have resulted in tens of billions of dollars in losses.
On March 29, 2022, the Ronin cross-chain bridge was hacked. It was determined that 173,600 ETH along with 25.5 million USDC were stolen, a value equivalent to around $620 million. The Ronin hack became recognized as the most expensive theft in DeFi history, where the attackers managed to access the private keys of five out of their nine validator nodes. People can’t help but question how such significant security breaches can be avoided and whether security audits can reduce or even avoid such security risks.
As a result of our investigation into the Ronin hacking event, we determined that the main network was attacked due to an exploitation of the vulnerabilities found in the node software source code. SlowMist has attempted to perform security audits on the mainnet of the public chain since its debut. Through years of deterring attacks and conducting research, we’ve managed to amass a vast amount of expertise in combating blockchain threats. With that, we’ve created a security auditing system that’s available to the entire industry in hopes of jointly creating a more secure blockchain ecosystem.
The Development of Blockchain
Early blockchains that followed Bitcoin were dominated by altcoins, such as Dogecoin and Peercoin. These were formed around 2013 with the notion of creating a cryptocurrency to compete with Bitcoin.
Following the outbreak of the Ethereum network in 2017, a number of competing blockchains were born, such as EOS, Solana, and Fantom. They all aimed to provide solutions that better address the challenges that became inherent with the Ethereum network, such as improved smart contract programming platforms, increased scalability, and better performance. However, due to the complexities involved with developing new blockchains along with a lack of developers and users, focus shifted towards more mature Ethereum solution projects such as Polygon, BNB Chain, and Ronin, where developers have made extensive use of Ethereum’s technology stack. The challenges inherent to the Ethereum network ultimately enabled the continued expansion of the blockchain ecosystem.
However, Ethereum’s introduction of its Layer-2 scaling solution has gained its own popularity among blockchain users. It aims to improve transaction performance by outsourcing calculations off-chain through zero-knowledge-proof technology. Projects such as zkSync, Arbitrum, Optimism, and StarkWare can benefit from Ethereum’s Layer-2 scaling solution, just to name a few.
From new altcoin projects and blockchains to Ethereum’s side chains, including its second-tier architecture, it’s clear to say that we’re undergoing a period of change and development at a rapid rate. For those who are involved and have an interest in blockchain technology, how can we effectively scrutinize the security of all of this?
Blockchain Security Audits: What is being audited?
While no system can be completely safe, relatively safe systems can be designed and developed. In reality, if a security system conforms to a given set of security standards, it’s often regarded to have a certain degree of trust. Therefore, a system is built that follows those standards must be assessed, validated, and accredited before being recognized as trustworthy.
There’s no limit when it comes to security. This is especially true for blockchain. Blockchain projects are compiled with hundreds of thousands of lines of code. A full audit would involve individually examining each line of source code. A time-consuming and costly process. In an industry that’s rapidly evolving, this is simply not feasible.
There isn’t a one-size-fits-all solution to this auditing challenges. To help us formulate a security audit plan, it’s essential that we pay attention to the developmental trends of the industry in order to understand what the prominent security problems are and what security needs do users have. Only in this manner can the audit cost be kept within a realistic range while still meeting the security demands of users.
The SlowMist security team has developed a number of public chain security audit schemes based on the current situation:
Method 1: Mainnet Security Audit
First, we identify whether there are known vulnerabilities by conducting targeted audits on multiple aspects of the blockchain: P2P Network, RPC Interaction, Consensus mechanism, encryption algorithm, transaction structure, etc. We employ the ‘black box + gray box’ strategy throughout this and utilize the method closest to the actual attack. We then complete the security testing of the project. All vulnerabilities that we are concerned with regarding the multiple layers that we audit include:
- P2P Layer:
Denial Of Service (DoS) Attack
BGP Hijack Attack
- RPC Layer:
Denial of Service (DoS) Attack
The Ethereum black valentine’s day vulnerability
HTTP Input Attack
Cross-domain Phishing Attack
- Consensus Layer:
Long Range Attack
Alternative History Attack
Coin Age Accumulation Attack
Block double production Attack
Private Key Prediction
Length Extension Attack
Transaction Replay Attack
Transaction malleability attack
Time-locked transaction attack
False top-up attack
Rug pull attack
(For more details on vulnerabilities, please refer to: https://github.com/slowmist/Cryptocurrency-Security-Audit-Guide/blob/main/Blockchain-Common-Vulnerability-List.md
For example, An eclipse attack. Due to the P2P communication of the node being completely occupied by malicious code, resulting in a failure to connect to the normal peer node.
Currently, we are able to check the maximum number of connections of the node by reviewing all P2P-related modules in the source code. We can determine risk by assessing certain parameters, such as the maximum number of connections allowed by a single machine. If the number of connections of a single IP isn’t limited, this indicates a malicious host.
This audit method is characterized by controllable measures, where common problems in projects can be found and vulnerabilities avoided. We strongly advise that projects perform comprehensive audits to mainnet security.
Method 2: Exchange Listing Audit
This method follows the same approach as the mainnet security audit. The only difference being is that audit entries focus on account and transaction security. These entries include:
- Private Key Prediction
- Backdoor Attack
- Insecure Encryption Library
- Transaction Malleability Attack
- Transaction Replay Attack
- Fake Recharge Attack
- RPC Theft
This audit scheme is characterized by its low cost and short time. It’s most suitable for blockchains that are based on secondary development of more mature projects, such as Bitcoin-Core, Go-Ethereum, Bitshares, EOSIO, etc.
Method 3: Source Code Security Audit
Source code auditing can be performed on partial or full code modules. The SlowMist team implements the ‘white box’ strategy to test the security of the target code. The most commonly utilized methods are:
1: Static Source Code Analysis (SAST)
The SlowMist Team uses open source or commercial code scanners to check code quality. The scanners support popular languages such as C, C++, Goland, Rust, Java, Nodejs, C#.
2: Manual Code Review
The SlowMist team manually reviews code line for line, looking for any common coding flaws such as:
- State Consistency
- Rollback on Failure
- Numerical Overflow
- Parameter Validation
- Error Handle
- Bounds Check
- Unit Test Coverage
Method 4: Community Customized Audit Plan
Based on the characteristics of certain blockchains, such as Polkadot and Cosmos, we have implemented customized security audit measures.
Take Polkadot for example. The Polkadot ecological project uses Substrate as its developmental framework. Developers can focus on the implementation of their business logic without paying attention to the integration of underlying network components and ledgers. Based on these characteristics, we abandoned the blockchain audit project. With regards to the network layer, consensus layer, cryptography, and other underlying modules, we’ve added more detailed audit entries. Those entries added are as follows:
- Replay Attack
- Rearrangement Attack
- Conditional Race Attack
- Access Control Attack
- Block Data Dependency Attack
- Explicit Visibility of Function State Variables
- Arithmetic Precision Error
- Malicious Event Audit
- State Consistency Audit
- Failed Rollback Audit
- Unit Test Audit
- Numerical Overflowing Audit
- Parameter Verification Audit
- Error Trapping Audit
- Bounds Check Audit
The complete audit scheme has been open-sourced at https://github.com/slowmist/Cryptocurrency-Security-Audit-Guide
In the last several years, nearly 100 well-known blockchain projects have passed different types of blockchain security audits conducted by SlowMist, such as: PlatON, BHD, Acala, Eden, Metis, etc. The SlowMist team more systematically recognizes construction methods of blockchain security systems, enhances main network security and robustness, and improves the user’s overall recognition of projects.
SlowMist recommends that every major project perform a regular security audit on their main network. Not only will it make investors feel more secure, but it can also avoid unnecessary losses.