Every month several important smart contract audits are performed by blockchain security companies like us. It is important to stay up to date with the latest findings in order to learn and improve protection processes. Following we will describe three recent and interesting findings:
Auditor: Coinspect
Project: Grin
Finding
Grin is one of the blockchains that work on iterated proof-of-work consensus model bound by memory bandwidth, unlike bitcoin’s proof of work based on processing power. To be a secure and safe blockchain, Grin hired the services of the Coinspect audit agency.
The agency reviewed the source code of Grin as well as consensus rules, privacy features, and network protocols.
During the review, several vulnerabilities were found. One such severe vulnerability was Remote File System write access and code execution during TxHashset Processing. Remote file system writes access was possible because there was no input validation during the processing of TXHashset archive. As a result, the intruder can access the file system and will be able to execute the code arbitrarily.
In a blockchain, each node synchronizes a copy of the chain data with its peers using a peer-to-peer mechanism. The TxHashset is used to synchronize the node chain data on Grin blockchain. When a node lags behind a certain threshold of blocks, the TxHashset is requested from other peers on the blockchain so that the data can be synchronized directly. The TxHashset is a zip encoded file which contains three kinds of information i.e. the output (after a transaction made), range proofs (the confidential transaction method) and kernel. These zip files were unpacked using a certain code. The bug in the code fails to validate the provided file name and extracts arbitrary files in the directory. This makes it possible for an attacker to provide a malicious Zip file using the directory traversal sequence (a method used by attackers to access restricted directories). Once the access is complete intruder can overwrite the Grin node configuration, cargo binary or system configuration files to achieve code execution.
Remediation
Coinspect proposed that while unpacking the zip folder, the unzipped files must be verified with a predefined whitelist of the files included in TxHashset.
Auditor: Trail of Bits
Project: 0x Protocol
Finding
Although cryptocurrency itself is decentralized in its nature working over a blockchain, however, the exchanges where it is traded are highly centralized. 0X Protocol enables a decentralized exchange over the Ethereum blockchain thus enabling the transactions without submitting the private keys to a centralized exchange. The critical nature of the operation of the 0X Protocol needed a thorough review of its security parameters.
Trail of Bits performed the security audit of 0X Protocol 3.0 which found more than 20 different bugs and vulnerabilities in the code and order operations. One such bug was “CancelOrdersUpTo” command. Usually the traders some times need to cancel the future orders viewing the market parameters. This function is incorporated to cancel an arbitrary number of orders in a single transaction and is irreversible. The function uses a parameter to discard any order with salt (transaction token) less than the input value. This function works fine until the “CancelOrdersUpTo” function is called with a very large value. In this case, all of the future orders will be blocked.
Remediation
Trail of bits recommended that cancellation of future orders should be disallowed.
Auditor: ConsenSys Diligence
Project: 0x Staking
Findings
ZRX tokens are used to power the 0X protocol based on Ethereum blockchain to create a decentralized exchange. ZRX tokens allow trading of Ethereum immediately with lesser cost. As the consensus algorithms is based on proof of stake and the stakeholders get their reward by staking the contracts. 0X v3.0 staking audit report focuses on the fees collected by 0X exchange to ZRX stakeholders. The security, architecture and code quality review of 0X v3.0 was carried out by ConsenSys Diligence.
During trading, the makers place an order on the exchange and wait for the orders to be fulfilled once the price is matched. ConsenSys Diligence found that anyone can delete the pending join status of any maker in the pool. It was revealed that the attacker may not be a member of any pool. This prevents the legitimate trader to place his orders in the decentralized exchange pool.
Remediation
ConsenSys Diligence recommended the use of proper pool IDs for every member.
