As blockchain becomes more popular, more and more users are trading on Layer1, and the problems of slower Layer1 transactions and higher transaction fees are becoming more prominent. In this case, Layer2 is considered to be a solution to enhance the scalability and performance of blockchain platforms without affecting the security and decentralization of Layer1. According to L2BEAT statistics, the total locked value of the Layer2 ecosystem is now $39.5 billion, including a variety of technologies and frameworks with unique characteristics.
(https://l2beat.com/scaling/summary)
After years of practical experience and security research, the SlowMist security team has accumulated a wealth of experience in public chain mainnet security audits and profound vulnerability mining technology, and has made our mainnet security audit methods public to the entire industry, hoping to jointly create a more secure blockchain ecosystem.
There is no end to security, and audit plans also need to keep pace with the times and continuously meet the needs of the industry. The SlowMist security team continues to pay attention to the development trends of the industry, understand what are the prominent security issues in the current blockchain ecosystem, what are the security needs of users, and use this as a basis to formulate and optimize security audit plans. Recently, the SlowMist security team has combined the current development of public chains and Layer2 to upgrade the public chain security audit guidelines in a timely manner. The specific security audit plan content is as follows:
Solution 1 Mainnet& Layer2 Project Security Audit
In the security audit of the mainnet and Layer2 projects, the SlowMist security team adopted a "black box + gray box" strategy to conduct rapid security tests on the projects in a way that is closest to real attacks. The vulnerabilities we checked include:
Insufficient entropy of private key random number
Private key seed conversion precision loss
Theoretical reliability evaluation of symmetric encryption algorithms
Supply Chain Security of Symmetric Cryptography Algorithm Dependency Libraries
Keystore encryption strength test
Hash length extension attack
Theoretical reliability evaluation of hash algorithms
Theoretical reliability evaluation of signature algorithms
secp256k1 k value randomness security
secp256k1 r value reuse private key extraction attack
Plasticity Attacks on ECC Signatures
ed25519 private key extraction attack
Schnorr private key extraction attack
ECC curve attack
Merkle Tree Plasticity Attack (CVE-2012-2459)
Native feature fake recharge
Fake recharge based on contract call
Protogenesis link transaction replay attack
Cross-chain transaction replay attack
Transaction Lock Attack
Transaction fees are not adjusted dynamically
RPC Remote Key Theft Attack
RPC port identifiability
RPC open cross-domain vulnerability leads to local phishing attacks
JsonRPC Malformed Packet Denial of Service Attack
RPC Database Injection
RPC communication encryption
Excessive administrator privileges
Non-privacy/non-darkcoin audit
Insufficient number of core nodes
The core nodes are physically too concentrated
P2P node maximum connection limit
P2P node independent IP connection limit
P2P inbound/outbound connection restrictions
P2P deformation attack
P2P communication encryption
P2P port identifiability
Consensus algorithm potential risk assessment
Block time drift attack
Miner Grinding Attack
PoS/BFT Double Signature Penalty
Solution 2: Source code security audit
Source code security audit refers to the use of a "white box" strategy to conduct the most comprehensive security testing on the project's relevant source code. White box audits usually require a combination of automated static code analysis and manual analysis.
Static source code analysis
The SlowMist security team uses open source or commercial code scanning tools to perform static scanning on the code and manually analyze the problems found. We support all popular languages, such as C/C++/Golang/Rust/Java/Nodejs/C#. The static coding issues we check include:
Unused variables or imports – variables or imported modules that are declared but not used
Code formatting issues – inconsistent indentation, long lines, etc.
Resources are not closed properly – such as files, database connections, etc.
Magic Numbers – Use numeric constants directly instead of named constants
Potential security vulnerabilities – such as SQL injection, XSS and other security risks
Integer overflow – when the result of a calculation exceeds the range of the integer type, which may cause unexpected behavior
Floating point precision issues – Due to the limitations of floating point representation, calculation errors may occur
Deadlock – In multithreaded programming, threads become stuck while waiting for each other to release resources.
Race Condition – A situation where the behavior of a program in a multithreaded or concurrent environment depends on an uncontrollable order of execution.
Memory leaks – dynamically allocated memory is not released correctly, causing the memory used by the program to continue to increase
Infinite recursion – The recursive function does not have a proper termination condition, causing the stack to overflow
String Formatting Vulnerabilities – Insecure string formatting can lead to security issues
Division by Zero Error – Failure to check if the divisor is zero in a division operation
NULL pointer dereference – Attempting to access a memory location pointed to by a NULL pointer
Buffer overflow – Writing more data into a buffer than it can hold, potentially leading to a security breach
Type conversion errors – Improper type conversions may result in data loss or incorrect results
Hard-coding keys or sensitive information – Writing keys or sensitive information directly into the code can lead to security risks
Code complexity is too high – functions or methods are too long and have too many logical branches
Code duplication – The same or similar code snippets appear in multiple places
Irregular naming – Unclear or inconsistent naming of variables, functions, classes, etc.
Inadequate or outdated comments – Necessary comments are missing or the comments do not match the code
High coupling – The dependencies between modules are complex and difficult to maintain and expand
Low cohesion – The functionality of a module or class is not focused enough and the responsibilities are not clear.
Improper exception handling – catching overly broad exceptions, or ignoring exceptions
Hard-coded – Use constant values directly in your code instead of configuration parameters
Inconsistent code formatting – Inconsistent indentation, use of spaces, etc.
Performance issues – such as unnecessary loops, frequent object creation, etc.
Poor testability – code that is difficult to unit test or integration test
Violation of design principles – such as single responsibility principle, open-closed principle, etc.
Poor readability – The code is confusing and difficult to understand
Insecure random number generation – using random number generation methods that are not suitable for security purposes
Time and state issues – such as TOCTOU (Time-of-check to time-of-use) vulnerabilities
Path traversal – Failure to properly validate file paths could result in accessing unauthorized files
Outdated dependency libraries – The imported libraries have lost maintenance or have security vulnerabilities
Manual code review
The SlowMist security team checks the code line by line to find coding defects and logical errors. The vulnerabilities we focus on mainly include:
Encrypted signature security
Account and transaction security
RPC Security
P2P Security
Consensus Security
Business logic security
Solution 3: Application Chain Security Audit
The SlowMist security team uses a "white box" strategy to conduct comprehensive security testing on the project, looking for common coding traps, such as:
Replay vulnerability
Reordering Vulnerability
Race Condition Vulnerabilities
Permission Control Vulnerabilities
Block data dependency vulnerability
Explicit visibility of functions
Arithmetic Precision Bias Vulnerability
Malicious Event Log
Asynchronous call safety
Currently we support:
Blockchain audit based on Cosmos-SDK framework
Blockchain audit based on Substrate framework
Conclusion
In the past few years, nearly 100 well-known public chain projects have passed SlowMist's various types of public chain security audits, such as Prysm, TON, Mantle, Vision Network, Metis, Acala, Eden, etc. SlowMist has also audited several well-known Layer2 projects, such as Morph, Bitlayer, Merlin Chain, RSS3 Network, etc. Project parties with audit needs are welcome to contact the SlowMist security team at team@slowmist.com for consultation and cooperation.
The full content has been open sourced on GitHub (https://github.com/slowmist/Cryptocurrency-Security-Audit-Guide). Please click to read the original text and jump to GitHub to read it.
