Executive Summary of External Audits and HackNet

In preparation for mainnet launch, Chromia commissioned four external audits from Cure53, Trail of Bits, and Quantstamp. These audits encompassed the components that will make up the initial version of Chromia’s mainnet core software.

All immediately addressable findings and recommendations from the audits have been incorporated. The Trail of Bits audit also made recommendations regarding more long-term concerns such as test coverage and documentation, which will be addressed post-mainnet.

Our team holds security and transparency as top priorities. When commissioning thorough reviews from reputable firms, it is expected that audits will find areas for improvement, oversights, and other gaps. We have worked diligently to address these findings and we are pleased to report that the audits did not present any major blockers to the delivery of mainnet. 

The remainder of the article summarizes the findings of the audits as well as reports generated from our HackNet initiative. Each section includes links to the full audits for reference.

Cure53 Postchain EIF Audit (2023)

Overview: Cure53 conducted a penetration test and code audit of ChromaWay's Postchain EIF project in response to ChromaWay AB's request in May 2023. The assessment spanned CW22 and CW23, comprising 15 workdays.

Methodology: Cure53 utilized a white-box approach, accessing sources and detailed documentation, including test-user credentials. A team of three senior testers executed phases from preparation to finalization, focusing on smart contracts, Kotlin, and Rell codebases.

Findings: The assessment identified eight findings:

1. Unchecked transfer method return values: Identified in TokenBridge.sol, where a lack of return value validation could enable free token transfers.
2. Potential fund loss via forged transactions: Postchain's failure to verify FT3 account ownership could enable fund diversion.
3. Use of outdated libraries as dependencies: Dependencies on older OpenZeppelin contracts lacked security updates.
4. Absent ACL may incur loss of funds: Lack of access control in TokenBridge and NFTBridge.sol functions could lead to fund losses.
5. Disclosure of sensitive information in source code: Hardcoded private keys in the postchain-eif-ui project posed security risks.
6. Absent logging functionality: Lack of logging capabilities in Bridge's smart contracts hindered monitoring of suspicious activities.
7. Bridge functionality unpausable: Inability to pause bridge functionality after 90 days exposed vulnerabilities.
8. Double withdrawal possible in mass-exit scenario: Potential for double withdrawals during mass-exit scenarios due to snapshot timing.

Recommendations: Cure53 recommended several mitigation strategies, including:

• Implementing return value checks and SafeERC20 interface for token operations.
• Verifying account ownership in Postchain transactions.
• Updating dependencies to mitigate known vulnerabilities.
• Improving access controls and avoiding sensitive information exposure.
• Implementing robust logging and pausable functionality in smart contracts.

Conclusion: Despite finding some areas for improvement, Cure53 commended ChromaWay for robust security measures in the Postchain EIF project, highlighting a solid foundation for future enhancements.

This summary encapsulates the key aspects and findings from Cure53's penetration test and code audit of ChromaWay's Postchain EIF project, emphasizing both strengths and areas for improvement in security practices.

View the full audit here.

Trail of Bits Security Assessment Audit (2024)

Overview: Trail of Bits conducted a comprehensive security assessment of ChromaWay's blockchain components from April 29 to June 7, 2024. The assessment focused on the EBFT consensus system, networking stack, and Directory Chain implementation. It involved three consultants and totaled 13 engineer-weeks of effort.

Key Components and Findings:

EBFT Component:

• Weak Subjectivity Attack: Nodes vulnerable to syncing with incorrect chains due to weak subjectivity.
• Liveness Violation: Nodes might commit blocks under asynchronous conditions that could later be orphaned.
• Consensus Revolt Issues: Issues affecting correct revolting of honest nodes, impacting consensus.
• Node Miscount: Validators miscounted during state transitions.
• Fetch Block Condition: Incorrect condition causing unnecessary resource consumption.

Networking Component:

• Slowloris DoS Attack: Vulnerable to partial data DoS attacks (Slowloris) that consume resources.

Directory Chain:

• Conversion Issues: Incorrect CHR to USD conversion leading to potential under-staking.
• Action Points Miscalculation: Transfer function allows negative values, resulting in incorrect calculation of action points.
• Proposal System Issues: Issues in proposal handling, including voter set hijacking and incorrect stake requirements.
• Incorrect Staking Defaults: Default staking value set too low, allowing under-staking.

Recommendations:

1. Remediate Findings: Address identified vulnerabilities through direct remediation or refactoring.
2. Improve Test Coverage: Enhance branch coverage for EBFT and add coverage measurement for Rell.
3. Enhance Messaging System: Transition to a gossip-based messaging system to enhance security against balancing attacks.
4. Document Risks: Clearly document centralization risks and system limitations.
5. Develop Logging and Testing Systems: Implement standardized logging and introduce fuzz testing for Rell.

Conclusion: The evaluation highlighted opportunities for enhancing node syncing accuracy, improving block commitment under asynchronous conditions, and refining consensus management. Recommendations include addressing identified vulnerabilities, expanding test coverage, adopting a more secure messaging system, and documenting risks to bolster transparency and system resilience. This assessment underscores ChromaWay's commitment to proactive security measures and readiness for future blockchain challenges.

View the full audit below.

Quantstamp Bridge Audit (2024)

Overview: This audit report, conducted by Quantstamp for the Chromia Token Bridge, spans from January 15, 2024, to January 23, 2024.

Methods Used: Quantstamp employed Architecture Review, Unit Testing, Functional Testing, Computer-Aided Verification, and Manual Review methodologies.

Summary:

• Key Features: The Token Bridge facilitates token transfers between EVM-compatible chains and Chromia using Lock & Mint and Burn & Release models. It includes mechanisms like token deposit event monitoring and Merkle Proof submissions.
• Security Assessment: Identified issues included challenges with token withdrawals (CHRM-1), potential for duplicate withdrawals during mass exits (CHRM-3), and vulnerabilities in validator management (CHRM-2, CHRM-4, CHRM-5).
• Communication and Collaboration: The Chromia team provided responsive support throughout the audit process.

Findings:

• The audit identified 24 findings across various aspects of the Token Bridge's functionality and security.
• Issues ranged from challenges with token withdrawals and potential for double withdrawals during mass exits to vulnerabilities in validator management.

Update: The Chromia team has addressed or acknowledged all identified findings during the audit.

Conclusion: The Chromia Token Bridge audit highlights both its strengths in facilitating cross-chain token transfers and areas where improvements were made to enhance security and functionality.

View full audit here.

Quantstamp FT4 Protocol Audit (2024)

Overview: This audit report by Quantstamp, focused on the FT4 library within the Chromia ecosystem from April 19, 2024, to June 6, 2024. The audit covered both Rell backend and Typescript client implementations.

Methods Used: Quantstamp utilized Architecture Review, Unit Testing, Functional Testing, Computer-Aided Verification, and Manual Review methodologies.

Summary:

• Key Features: FT4 implements account management, authorization, asset management, and supports cross-chain transfers within the Chromia ecosystem.
• Security Assessment: Identified issues included potential flaws in auth descriptor configurations and message handling.
• Communication and Collaboration: The Chromia team provided supportive engagement throughout the audit process.

Findings:

• The audit identified 10 findings, encompassing issues in auth descriptor configurations, message uniqueness, rate limit management, and input validation.
• Recommendations were made to enhance validation processes and ensure adherence to best practices in message handling and descriptor configurations.

Update: All findings have been addressed or acknowledged by the Chromia team during the fix-review process.

Conclusion: The FT4 library audit highlights its foundational strengths in supporting Chromia's decentralized applications while underscoring areas for refinement to bolster security and reliability in blockchain operations.

View full audit here.

HackNet Summary

Overview: As part of the Incentivized Testing Program, a sandbox instance of Chromia’s mainnet release candidate was deployed, and coders and technically minded users were invited to detect edge cases and fill out reports.

Summary of Reports: The HackNet program elicited 10 reports from 8 distinct users. Of these, 3 reports were security focused while the other 7 were suggestions for improved UI and UX. The three security focused reports related to:

• Data parsing errors
• Table manipulation using SQL injection
• Inadequate error handling details

Summary of Rewards: The 3 security focused reports will be rewarded with 3k CHR each, while the 7 UI/UX suggestions will be rewarded with 1k CHR each. Reward payments will be made to the addresses provided in the reports and should be processed within a week of this article’s publication. This results in a total of 16k CHR being distributed. The remaining 84k in the reward pool will be used for future initiatives.

Future Considerations: The ITP task force identified the following potential adjustments for future HackNet-like programs.

• Increase the potential rewards.
• Narrow the focus of the testing initiative.
• Build a participant pool prior to running the initiative.
• Create an open-ended reporting system with no end date.

About Chromia

Chromia is a Layer-1 relational blockchain platform that uses a modular framework to empower users and developers with dedicated dapp chains, customizable fee structures, and enhanced digital assets. By fundamentally changing how information is structured on the blockchain, Chromia provides natively queryable data indexed in real-time, challenging the status quo to deliver innovations that will streamline the end-user experience and facilitate new Web3 business models.

Website | Twitter | Telegram | Facebook | Instagram | Youtube | Discord