Upgrade to Public Blockchain Security Audit Guide
As blockchain technology becomes more widespread, more users are conducting transactions on Layer1. This has led to noticeable issues such as slower transaction speeds and higher transaction fees on Layer1. In response, Layer2 has emerged as a solution to enhance the scalability and performance of blockchain platforms without compromising the security and decentralization characteristics of Layer1.
Over the years, the Veritas Protocol security team has accumulated extensive experience in mainnet security audits and advanced vulnerability detection techniques. We have openly shared our mainnet security audit methods with the industry, aiming to collaboratively build a safer blockchain ecosystem.
Security is an ongoing process, and audit methodologies must evolve to meet the industry's needs. Our security team continuously monitors industry trends, identifies prevalent security issues within the blockchain ecosystem, and understands user security requirements. This knowledge forms the basis for developing and optimizing security audit schemes. Recently, the Veritas Protocol security team has updated the public blockchain security audit guide to reflect current developments in Layer1 and Layer2. The specific details of the updated security audit scheme are as follows:
Scheme 1: Mainnet & layer2 project security audits
In the Mainnet & Layer2 project security audit, the Veritas Protocol security team employs a "black box + gray box" strategy to conduct rapid security testing in a manner that closely simulates real attacks. The vulnerabilities we check include:
Insufficient entropy of private key random numbers
Precision loss in private key seed conversion
Theoretical reliability assessment of symmetric encryption algorithms
Supply chain security of symmetric crypto algorithm reference libraries
Keystore encryption strength detection
Hash algorithm length extension attack
Theoretical reliability assessment of hash algorithms
Theoretical reliability assessment of signature algorithms
secp256k1 k-value randomness security
secp256k1 r-value reuse private key extraction attack
ECC signature malleability attack
ed25519 private key extraction attack
Schnorr private key extraction attack
ECC twist attack
Merkle-tree Malleability attack (CVE-2012β2459)
Native characteristic false recharge
Contract call-based false recharge
Native chain transaction replay attack
Cross-chain transaction replay attack
Transaction lock attack
Transaction fees not dynamically adjusted
RPC remote key theft attack
RPC port identifiability
RPC open cross-domain vulnerability to local phishing attacks
JsonRPC malformed packet denial-of-service attack
RPC database injection
RPC communication encryption
Excessive administrator privileges
Non-privacy/Non-dark Coin Audit
Insufficient number of core nodes
Excessive concentration of core node physical locations
P2P node maximum connection limit
P2P node independent IP connection limit
P2P inbound/outbound connection limit
P2P shapeshift attack
P2P communication encryption
P2P port identifiability
Consensus algorithm potential risk assessment
Block time offset attack
Miner grinding attack
PoS/BFT double-signing penalty
Scheme 2: Code-based Testing Audit
The source code security audit adopts a "white box" strategy, conducting the most comprehensive security testing on the project's relevant source code. White box auditing typically combines automated static code analysis with manual analysis.
Static Source Code Analysis
The Veritas Protocol team utilizes open-source or commercial code scanning tools for static code analysis and manually examines the identified issues. We support all popular languages, including C/C++/Golang/Rust/Java/Nodejs/C#.
The static coding issues checked by the Veritas Protocol team include:
Unused Variables or Imports
Code Formatting Issues
Improper Resource Closure
Magic Numbers
Potential Security Vulnerabilities
Integer Overflow
Floating-Point Precision Issues
Deadlocks
Race Conditions
Memory Leaks
Infinite Recursion
String Formatting Vulnerabilities
Divide-by-Zero Errors
Null Pointer Dereferencing
Buffer Overflow
Type Conversion Errors
Hard-Coded Keys or Sensitive Information
High Code Complexity
Code Duplication
Inconsistent Naming
Insufficient or Outdated Comments
High Coupling
Low Cohesion
Improper Exception Handling
Hard-Coding
Inconsistent Code Formatting
Performance Issues
Poor Testability
Violation of Design Principles
Poor Readability
Insecure Random Number Generation
Time and State Issues
Path Traversal
Outdated Dependencies
Manual Code Review
The Veritas Protocol team performs a line-by-line code review to identify coding flaws and logical errors. The vulnerabilities we focus on mainly include:
Cryptographic signature security
Account and transaction security
RPC security
P2P security
Consensus security
Business logic security
Scheme 3: Application Chain Security Audit
The Veritas Protocol team adopts the strategy of "White-box" to conduct a complete security test on the project, looking for common coding pitfalls as follows:
Replay Vulnerability
Reordering Vulnerability
Race Conditions Vulnerability
Authority Control Vulnerability
Block data Dependence Vulnerability
Explicit Visibility of Functions
Arithmetic Accuracy Deviation Vulnerability
Malicious Event Log
Asynchronous Call Security
Currently we support:
Cosmos-SDK Framework Based Blockchain Audit
Substrate Framework Based Blockchain Audit
Last updated