← Back to Audits

Bridge - RuneMine

Prepared by:

Halborn Logo

HALBORN

Last Updated 06/28/2024

Date of Engagement: May 15th, 2024 - May 22nd, 2024

Summary

100% of all REPORTED Findings have been addressed

All findings

4

Critical

0

High

0

Medium

3

Low

0

Informational

1

Table of Contents

1. Introduction

RuneMine engaged Halborn to conduct a security assessment on their Bridge Node. The security assessment was scoped to the bridge node service. Halborn was provided access to the application, and its respective source code to conduct security testing using tools to scan, detect, and validate possible vulnerabilities found in the application and report the findings at the end of the engagement.

2. Assessment Summary

The team at Halborn was provided a timeline for the engagement and assigned a full-time security engineer to verify the security of the assets in scope. The security engineer is a penetration testing expert with advanced knowledge in web, mobile, recon, discovery & infrastructure penetration testing.

During the assessment, multiple security risk were identified where the findings highlight several areas of concern including susceptibility to denial-of-service (DoS) attacks due to inadequate rate limiting, use of hardcoded values and secrets, outdated cryptographic standards, and insufficient data validation mechanisms.

The test revealed that the system's defenses against DoS attacks are insufficient, primarily due to a lack of effective rate limiting, and could be a potential DoS and resource management. Hardcoded values in the system's transaction processing logic could decrease flexibility and adaptability, posing a significant risk. Additionally, the presence of hardcoded secrets within the system’s source code is a major security liability, potentially exposing sensitive data.

The system also supports outdated cryptographic standards, which may compromise data security and integrity. Moreover, the data validation mechanisms employed by the system are inadequate, raising concerns about potential data integrity issues and the risk of data manipulation.

To mitigate these vulnerabilities, it is recommended to implement comprehensive rate limiting, transition to secure, centralized secret management systems, update cryptographic standards, and strengthen data validation processes. These enhancements are crucial for improving the system’s resilience and security posture against external threats and operational risks.

In summary, the RuneMine team successfully addressed the identified issues by implementing appropriate checks and security measures.

3. Test Approach and Methodology

Halborn followed Whitebox and Blackbox methodology as per the scope and performed a combination of manual and automated security testing with both to balance efficiency, timeliness, practicality, and accuracy regarding the scope of the pentest. While manual testing is recommended to uncover flaws in logic, process and implementation; automated testing techniques assist enhance coverage of the infrastructure and can quickly identify flaws in it.

The assessment methodology covered a range of phases and employed various tools, including but not limited to the following:

    • Mapping Content and Functionality of API

    • Application Logic Flaw

    • Access Handling

    • Authentication/Authorization Flaw

    • Rate Limitations Test

    • Brute Force Attempt

    • Input Handling

    • Response Manipulation

    • Source Code Review

    • Fuzzing of all input parameter

    • Multiple Type of Injection (SQL/JSON/HTML/Command)

4. Scope

Repository URL: https://github.com/runemine/bridge/

Commit ID: ad72b375e339060ae086be23751ebe81c397b031


5. RISK METHODOLOGY

Halborn assesses the severity of findings using either the Common Vulnerability Scoring System (CVSS) framework or the Impact/Likelihood Risk scale, depending on the engagement. CVSS is an industry standard framework for communicating characteristics and severity of vulnerabilities in software. Details can be found in the CVSS Specification Document published by F.I.R.S.T.
Vulnerabilities or issues observed by Halborn scored on the Impact/Likelihood Risk scale are measured by the LIKELIHOOD of a security incident and the IMPACT should an incident occur. This framework works for communicating the characteristics and impacts of technology vulnerabilities. The quantitative model ensures repeatable and accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the Risk scores. For every vulnerability, a risk level will be calculated on a scale of 5 to 1 with 5 being the highest likelihood or impact.
RISK SCALE - LIKELIHOOD
  • 5 - Almost certain an incident will occur.
  • 4 - High probability of an incident occurring.
  • 3 - Potential of a security incident in the long term.
  • 2 - Low probability of an incident occurring.
  • 1 - Very unlikely issue will cause an incident.
RISK SCALE - IMPACT
  • 5 - May cause devastating and unrecoverable impact or loss.
  • 4 - May cause a significant level of impact or loss.
  • 3 - May cause a partial impact or loss to many.
  • 2 - May cause temporary impact or loss.
  • 1 - May cause minimal or un-noticeable impact.
The risk level is then calculated using a sum of these two values, creating a value of 10 to 1 with 10 being the highest level of security risk.
Critical
High
Medium
Low
Informational
  • 10 - CRITICAL
  • 9 - 8 - HIGH
  • 7 - 6 - MEDIUM
  • 5 - 4 - LOW
  • 3 - 1 - VERY LOW AND INFORMATIONAL

6. SCOPE

URL
(a) URL:
Out-of-Scope: contract/*
Remediation Commit ID:
  • 7852ae0
Out-of-Scope: New features/implementations after the remediation commit IDs.

7. Assessment Summary & Findings Overview

Critical

0

High

0

Medium

3

Low

0

Informational

1

Security analysisRisk levelRemediation Date
HARDCODED VALUES IN TRANSACTION PROCESSINGMediumSolved - 06/27/2024
HARCODED SECRETS IN REPOSITORYMediumSolved - 06/27/2024
USAGE OF DOTENV TO STORE SECRETSMediumSolved - 06/27/2024
INSUFFICIENT VALIDATION AND POTENTIAL INTEGER OVERFLOWInformationalSolved - 06/27/2024

8. Findings & Tech Details

8.1 HARDCODED VALUES IN TRANSACTION PROCESSING

//

Medium

Description

The Bitcoin transaction adapter code contains hardcoded values for transferAmount and transferFee within its transaction processing logic. These values are used to calculate transaction outputs and fees, which are critical for the correct execution of financial transactions over the Bitcoin network. The hardcoded transferAmount may not appropriately reflect the transaction's required value, leading to overpayments or underpayments, as reported the risk in another issue below. Similarly, a hardcoded transferFee might not align with the network's required fee, potentially causing transactions to be delayed or rejected.

Proof of Concept
func (a *adapter) Bridge(ctx context.Context, request types.BridgeTransferRequest) error {
	const transferAmount = 564 // TODO: Calculate
	chainConfig := &chaincfg.TestNet3Params

func appendChangeTxOut(inputSatoshis int64, transferAmount int64, a *adapter, request types.BridgeTransferRequest, chainConfig *chaincfg.Params, tx *wire.MsgTx) error {
	const transferFee = 10_000 // TODO: Calculate
	changeSatoshis := inputSatoshis - transferAmount - transferAmount - transferFee
Score
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N(5.3)
Recommendation

Implement a mechanism to dynamically calculate transferAmount and transferFee based on real-time data and network conditions. This could involve querying network statistics or using algorithms designed to estimate fees based on recent block data.

Remediation Plan

SOLVED: The RuneMine team solved the issue by implementing the dynamic fee checks.

Remediation Hash
7852ae0bd91fa0cb695394283f0a9a860b5eba16

8.2 HARCODED SECRETS IN REPOSITORY

//

Medium

Description

Sharing code publicly or privately could lead to inadvertently leaving secrets in the code, making them accessible to others. Repositories are frequently cloned and forked into new projects, giving new developers access to their complete history. Any secrets within the repository's history would exist in all new repositories, and if stored in plain text, could lead to potential misuse of the secrets. In the case of a breach or unauthorized access to the source code, it could lead to further exploitation of infrastructure.

During the security assessment, it was identified that the application contained hardcoded (Private Keys, Mnemonics) into the test scripts and repository. While these test scripts may not be part of the production code, hardcoding secrets in any part of the codebase exposes them to anyone who has access to the repository also gives the attacker access to all previous history of commits. This practice can lead to unauthorized access to databases and services, resulting in potential data breaches and significant security risks, especially if the test scripts are mistakenly deployed or accessed by unauthorized personnel.

Proof of Concept
Secrets remains part of git history
Score
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N(5.0)
Recommendation

To address the identified risks, the following measures would be appropriate:

  • Extracted hardcoded secrets from the source code and the repository's commit history.

  • Changed and invalidated exposed secrets, replacing them with new, secure credentials.

  • Employed environment variables, secret management solutions, or encryption for secure secret storage and management.

  • Established access controls to ensure that repositories remained private and only accessible to authorized personnel.

Remediation Plan

SOLVED: The RuneMine team solved the issue by removing the identified secrets, and further confirmed that the identified secrets were used in a test environment.

8.3 USAGE OF DOTENV TO STORE SECRETS

//

Medium

Description

During the assessment, a risk has been identified to the security of the bridge, where in the bridge repository where sensitive information, such as blockchain bridge secrets, are stored in a .env file. While using environment variables is generally a good practice, storing sensitive information in a .env file poses a risk if the file is not properly protected. The .env file can be accidentally committed to version control systems, exposed through improper file permissions, or accessed by unauthorized users. Given the sensitivity of blockchain bridge secrets, it is crucial to ensure they are stored and managed securely.

The presence of sensitive information in a .env file can lead to unauthorized access to blockchain bridge secrets. An attacker who gains access to these secrets can manipulate transactions, access blockchain assets, and potentially compromise the entire bridge network. This can result in significant financial loss, data breaches, and operational disruption.

Proof of Concept

func main() {
	err := godotenv.Load()
	if err != nil {
		log.Info("Error loading .env file")
	}
Score
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N(5.0)
Recommendation

It is recommended to use GitHub Secrets to securely store and manage sensitive information. GitHub Secrets allows you to store and manage secrets at the repository level, ensuring they are encrypted and only accessible by authorized workflows.

Remediation Plan

SOLVED: The RuneMine team solved the issue by removing the dotenv dependency.

Remediation Hash
7852ae0bd91fa0cb695394283f0a9a860b5eba16
References
Invalid GitHub URL

8.4 INSUFFICIENT VALIDATION AND POTENTIAL INTEGER OVERFLOW

//

Informational

Description

The appendChangeTxOut function in the Bitcoin transaction handling system is responsible for calculating the change in satoshis after a transaction and appending outputs to a transaction. The function lacks proper validation checks for the calculated changeSatoshis, and does not consider the possibility of integer underflow, which can occur when the inputSatoshis is insufficient to cover the transferAmount and transferFee.

Proof of Concept
func appendChangeTxOut(inputSatoshis int64, transferAmount int64, a *adapter, request types.BridgeTransferRequest, chainConfig *chaincfg.Params, tx *wire.MsgTx) error {
	const transferFee = 10_000 // TODO: Calculate
	changeSatoshis := inputSatoshis - transferAmount - transferAmount - transferFee

The potential for integer underflow can be demonstrated by setting inputSatoshis to a value less than double the transferAmount plus transferFee, which will result in changeSatoshis becoming negative, subsequently interpreted as a large positive value due to integer underflow.

Score
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N(0.0)
Recommendation

Implement checks to ensure that calculations involving satoshis do not result in underflow or overflow conditions. Further, replace the hardcoded transferFee with a dynamically calculated fee based on current network conditions to ensure transaction reliability and cost-effectiveness.

Remediation Plan

SOLVED: The RuneMine team solved the issue by reimplementing the logic with appropriate checks.

Remediation Hash
7852ae0bd91fa0cb695394283f0a9a860b5eba16

9. Automated Testing

Static Analysis Report

Description

We employed advanced automated security scanners to aid in the detection of well-known security issues and vulnerabilities. Among the tools used were Gosec, SonarQube, Semgrep. These scanners enhance our code maintenance by identifying vulnerabilities that have already been disclosed. They provide detailed outputs, including dependency trees, which are crucial for developers to understand the affected dependencies and effectively address security vulnerabilities in the codebase. All referenced vulnerabilities were previously disclosed in public databases associated with each respective tool.



go-sec.jpg

  • Gosec: No issues found.

    semgrep-login.jpg

  • Semgrep: No issues found.

    sonarqube.jpeg

  • SonarQube: No issues found.



Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.

// Download the full report

* Use Google Chrome for best results

** Check "Background Graphics" in the print settings if needed

© Halborn 2025. All rights reserved.