Halborn Logo
← Back to Audits

1.0.9 Upgrade Release - CoreDAO

Prepared by:

Halborn Logo

HALBORN

Last Updated 08/16/2024

Date of Engagement by: May 6th, 2024 - May 17th, 2024

Summary

100% of all REPORTED Findings have been addressed

All findings

7

Critical

0

High

1

Medium

3

Low

1

Informational

2

Table of Contents

1. Introduction

The CoreDAO team engaged Halborn to conduct a security assessment on their 1.0.9 Release of Core Chain, beginning on Halborn to conduct a security assessment on the forwarding module, beginning on 03/18/2024 and ending on 04/26/2024. The security assessment was scoped to the sections of code that pertain to the 1.0.9 Release Updates. Commit hashes and further details can be found in the Scope section of this report.


The scope of this security assessment covers the codebase changes made between commit ID 86293f9a54c5ff33f3c40c41853b3d836931e27a and commit ID 788f951cbf4671eb60f807d58280198c77044c3c in the corresponding branch of the project repository.

2. Assessment Summary

The team at Halborn was provided one week for the engagement and assigned one full-time security engineer to verify the security of the merge requests. The security engineer is a blockchain and smart-contract security expert with advanced penetration testing, smart-contract hacking, and deep knowledge of multiple blockchain protocols.

The purpose of this assessment is to:

- Ensure that the chain operates as intended.

- Identify potential security issues with the updates for the chain implementation.

In summary, Halborn identified some security risks that were addressed and accepted by the CoreDAO team.

3. Test Approach and Methodology

Halborn performed a combination of manual and automated security testing to balance efficiency, timeliness, practicality, and accuracy in regard to the scope of the custom modules. While manual testing is recommended to uncover flaws in logic, process, and implementation; automated testing techniques help enhance coverage of structures and can quickly identify items that do not follow security best practices. The following phases and associated tools were used throughout the term of the assessment :

- Research into architecture and purpose.

- Static Analysis of security for scoped repository, and imported functions. (e.g., staticcheck, gosec, unconvert, codeql, ineffassign and semgrep)

- Manual Assessment for discovering security vulnerabilities on codebase.

- Ensuring the correctness of the codebase.

- Dynamic Analysis of files and modules related to the updates.

4. RISK METHODOLOGY

Every vulnerability and issue observed by Halborn is ranked based on two sets of Metrics and a Severity Coefficient. This system is inspired by the industry standard Common Vulnerability Scoring System.
The two Metric sets are: Exploitability and Impact. Exploitability captures the ease and technical means by which vulnerabilities can be exploited and Impact describes the consequences of a successful exploit.
The Severity Coefficients is designed to further refine the accuracy of the ranking with two factors: Reversibility and Scope. These capture the impact of the vulnerability on the environment as well as the number of users and smart contracts affected.
The final score is a value between 0-10 rounded up to 1 decimal place and 10 corresponding to the highest security risk. This provides an objective and accurate rating of the severity of security vulnerabilities in smart contracts.
The system is designed to assist in identifying and prioritizing vulnerabilities based on their level of risk to address the most critical issues in a timely manner.

4.1 EXPLOITABILITY

Attack Origin (AO):
Captures whether the attack requires compromising a specific account.
Attack Cost (AC):
Captures the cost of exploiting the vulnerability incurred by the attacker relative to sending a single transaction on the relevant blockchain. Includes but is not limited to financial and computational cost.
Attack Complexity (AX):
Describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. Includes but is not limited to macro situation, available third-party liquidity and regulatory challenges.
Metrics:
EXPLOITABILIY METRIC (mem_e)METRIC VALUENUMERICAL VALUE
Attack Origin (AO)Arbitrary (AO:A)
Specific (AO:S)		1
0.2
Attack Cost (AC)Low (AC:L)
Medium (AC:M)
High (AC:H)		1
0.67
0.33
Attack Complexity (AX)Low (AX:L)
Medium (AX:M)
High (AX:H)		1
0.67
0.33
Exploitability EE is calculated using the following formula:

E=meE = \prod m_e

4.2 IMPACT

Confidentiality (C):
Measures the impact to the confidentiality of the information resources managed by the contract due to a successfully exploited vulnerability. Confidentiality refers to limiting access to authorized users only.
Integrity (I):
Measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of data stored and/or processed on-chain. Integrity impact directly affecting Deposit or Yield records is excluded.
Availability (A):
Measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. This metric refers to smart contract features and functionality, not state. Availability impact directly affecting Deposit or Yield is excluded.
Deposit (D):
Measures the impact to the deposits made to the contract by either users or owners.
Yield (Y):
Measures the impact to the yield generated by the contract for either users or owners.
Metrics:
IMPACT METRIC (mIm_I)METRIC VALUENUMERICAL VALUE
Confidentiality (C)None (I:N)
Low (I:L)
Medium (I:M)
High (I:H)
Critical (I:C)		0
0.25
0.5
0.75
1
Integrity (I)None (I:N)
Low (I:L)
Medium (I:M)
High (I:H)
Critical (I:C)		0
0.25
0.5
0.75
1
Availability (A)None (A:N)
Low (A:L)
Medium (A:M)
High (A:H)
Critical (A:C)		0
0.25
0.5
0.75
1
Deposit (D)None (D:N)
Low (D:L)
Medium (D:M)
High (D:H)
Critical (D:C)		0
0.25
0.5
0.75
1
Yield (Y)None (Y:N)
Low (Y:L)
Medium (Y:M)
High (Y:H)
Critical (Y:C)		0
0.25
0.5
0.75
1
Impact II is calculated using the following formula:

I=max(mI)+mImax(mI)4I = max(m_I) + \frac{\sum{m_I} - max(m_I)}{4}

4.3 SEVERITY COEFFICIENT

Reversibility (R):
Describes the share of the exploited vulnerability effects that can be reversed. For upgradeable contracts, assume the contract private key is available.
Scope (S):
Captures whether a vulnerability in one vulnerable contract impacts resources in other contracts.
Metrics:
SEVERITY COEFFICIENT (CC)COEFFICIENT VALUENUMERICAL VALUE
Reversibility (rr)None (R:N)
Partial (R:P)
Full (R:F)		1
0.5
0.25
Scope (ss)Changed (S:C)
Unchanged (S:U)		1.25
1
Severity Coefficient CC is obtained by the following product:

C=rsC = rs

The Vulnerability Severity Score SS is obtained by:

S=min(10,EIC10)S = min(10, EIC * 10)

The score is rounded up to 1 decimal places.
SeverityScore Value Range
Critical9 - 10
High7 - 8.9
Medium4.5 - 6.9
Low2 - 4.4
Informational0 - 1.9

5. SCOPE

Files and Repository
(a) Repository: core-chain
(b) Assessed Commit ID: 788f951
(c) Items in scope:
    Out-of-Scope:
    Files and Repository
    (a) Repository: core-chain
    (b) Assessed Commit ID: 86293f9
    (c) Items in scope:
      Out-of-Scope:
      Remediation Commit ID:
      Out-of-Scope: New features/implementations after the remediation commit IDs.

      6. Assessment Summary & Findings Overview

      Critical

      0

      High

      1

      Medium

      3

      Low

      1

      Informational

      2

      Security analysisRisk levelRemediation Date
      Add query limit to defend against potential DDoS attacksHighSolved - 05/17/2024
      Enforce topic limit early on filter criteria to prevent potential DoS attacksMediumRisk Accepted
      Add sanity limit to header accessor to prevent potential DoS attacksMediumRisk Accepted
      Vulnerability in Ethereum Node Allowing DoS via Malicious P2P MessageMediumRisk Accepted
      Vulnerability Due to Dependency on Outdated btcd ModuleLowRisk Accepted
      Integrate Dependabot to Identify Out-of-Date Software DependenciesInformationalAcknowledged
      Outdated GETH Fork VersionInformationalAcknowledged

      7. Findings & Tech Details

      7.1 Add query limit to defend against potential DDoS attacks

      // High

      Description

      The FeeHistory function in the Oracle struct is responsible for retrieving historical fee data based on the provided parameters. However, the current implementation lacks a limit on the number of percentiles that can be specified in the rewardPercentiles parameter. This absence of a limit makes the function vulnerable to potential Denial-of-Service (DDoS) attacks.

      An attacker could exploit this vulnerability by sending requests with an excessively large number of percentiles in the rewardPercentiles parameter. Processing a large number of percentiles can consume significant computational resources and potentially overwhelm the server, leading to degraded performance or even service unavailability.

      BVSS
      Recommendation

      Define a constant maxQueryLimit to represent the maximum number of percentiles allowed in a single request.

      • Define a constant maxQueryLimit to represent the maximum number of percentiles allowed in a single request. For example:

      const maxQueryLimit = 100

      • Add a check in the FeeHistory function to validate the length of the rewardPercentiles parameter against the maxQueryLimit. If the length exceeds the limit, return an error indicating that the query exceeds the maximum allowed limit. For example:

      if len(rewardPercentiles) > maxQueryLimit {
    return common.Big0, nil, nil, nil, fmt.Errorf("%w: over the query limit %d", errInvalidPercentile, maxQueryLimit)
}

      Remediation Plan

      SOLVED: The CoreDAO team solved the issue by implementing the suggested recommendation.

      Remediation Hash
      https://github.com/coredao-org/core-chain/commit/96abe9d1c72baac567020a20f4fdb3538bef32f5
      References
      coredao-org/core-chain/eth/gasprice/feehistory.go#L44
      bnb-chain/bsc/pull/2423

      7.2 Enforce topic limit early on filter criteria to prevent potential DoS attacks

      // Medium

      Description

      The FilterCriteria struct in the eth/filters package allows users to specify filter criteria for retrieving logs from the Core blockchain. However, the current implementation does not enforce any limits on the number of topics that can be included in the filter criteria until the actual filtering process. This lack of early validation leaves the system vulnerable to potential Denial-of-Service (DoS) attacks.


      An attacker could craft a malicious filter criteria with an extremely large number of topics, exceeding the reasonable limits. Processing such a filter criteria would consume significant resources and potentially overwhelm the Core node, leading to degraded performance or even a complete halt of the filtering process.

      BVSS
      Recommendation

      To mitigate this risk, it is crucial to enforce a limit on the number of topics allowed in the filter criteria at an early stage, specifically during the unmarshaling of the JSON data into the FilterCriteria struct. By validating the topic limit before processing the filter criteria further, we can prevent excessive resource consumption and protect the Core node from potential DoS attacks.


      Remediation Plan

      RISK ACCEPTED: The CoreDAO team accepted the risk of this issue. The CoreDAO team will fix all the issues in upcoming releases after they incorporate the recent GETH and BNB changes.

      References
      coredao-org/core-chain/eth/filters/api.go
      bnb-chain/bsc/pull/2446

      7.3 Add sanity limit to header accessor to prevent potential DoS attacks

      // Medium

      Description

      The ReadHeaderRange function in the core/rawdb package is responsible for retrieving a range of headers from the Core database, starting from a given block number and going backwards towards the genesis block. However, the current implementation does not impose any limit on the number of headers that can be retrieved in a single call. This lack of a sanity limit exposes the function to potential Denial-of-Service (DoS) attacks.

      An attacker could exploit this vulnerability by making a request to retrieve an excessively large number of headers, leading to excessive resource consumption on the Core node. This could potentially overwhelm the node, causing degraded performance or even a complete halt of the header retrieval process.

      To mitigate this risk, it is essential to introduce a sanity limit on the number of headers that can be retrieved in a single call to the ReadHeaderRange function. By enforcing a reasonable limit, we can prevent malicious actors from abusing the function and protect the Core node from potential DoS attacks.

      BVSS
      Recommendation

      In the db.AncientRange call, add a third argument to specify the maximum number of headers to retrieve from the ancients. This limit should be set to the maxHeadersPerRequest constant.


      Remediation Plan

      RISK ACCEPTED: The CoreDAO team accepted the risk of this issue. The CoreDAO team will fix all the issues in upcoming releases after they incorporate the recent GETH and BNB changes.

      References
      coredao-org/core-chain/core/rawdb/accessors_chain.go#L322
      bnb-chain/bsc/pull/2446

      7.4 Vulnerability in Ethereum Node Allowing DoS via Malicious P2P Message

      // Medium

      Description

      A vulnerability has been discovered in the Ethereum node implementation, specifically in the handling of p2p messages. The vulnerability allows an attacker to send specially crafted p2p messages to a vulnerable Ethereum node, causing it to consume excessive amounts of memory. This can lead to a Denial-of-Service (DoS) condition, rendering the node unresponsive or causing it to crash. The vulnerability is present in versions of the go-ethereum (Geth) client prior to version 1.13.15. The exact details of the vulnerability and the specific p2p message format that triggers the issue have not been disclosed at this time to prevent further exploitation.

      References :

      BVSS
      Recommendation

      By upgrading to the patched version and following the recommended mitigation steps, Core node operators can significantly reduce the risk of falling victim to DoS attacks exploiting this vulnerability and ensure the stability and security of their nodes.


      Remediation Plan

      RISK ACCEPTED: The CoreDAO team accepted the risk of this issue. The CoreDAO team will fix all the issues in upcoming releases after they incorporate the recent GETH and BNB changes.

      References
      ethereum/go-ethereum
      ethereum/go-ethereum

      7.5 Vulnerability Due to Dependency on Outdated btcd Module

      // Low

      Description

      The Core Chain project currently utilizes the github.com/btcsuite/btcd module at version 2.3.2. However, it has been discovered that versions of btcd prior to 0.24.0 contain a critical vulnerability (CVE-2024-34478) that can lead to consensus failures and potential loss of funds.

      The vulnerability stems from btcd's incorrect implementation of the consensus rules outlined in BIP 68 and BIP 112. Specifically, btcd treats the transaction version as a signed integer instead of an unsigned integer, which can result in consensus failures and chain splits.

      BVSS
      Recommendation

      To mitigate this vulnerability and ensure the security and integrity of the Core Chain, it is strongly recommended to update the github.com/btcsuite/btcd module to version 0.24.0 or later. Version 0.24.0 includes the necessary fixes to address the consensus failure vulnerability.


      Remediation Plan

      RISK ACCEPTED: The CoreDAO team accepted the risk of this issue. The CoreDAO team will fix all the issues in upcoming releases after they incorporate the recent GETH and BNB changes.

      References
      coredao-org/core-chain/go.mod#L12

      7.6 Integrate Dependabot to Identify Out-of-Date Software Dependencies

      // Informational

      Description

      Currently, the Core Chain lacks an automated mechanism to identify and alert the development team about out-of-date software dependencies. Outdated dependencies can pose security risks, introduce compatibility issues, and hinder the overall performance and reliability of the application.

      Manually keeping track of updates for all the project's dependencies is a time-consuming and error-prone process. It requires constant monitoring of release notes, security advisories, and community forums to stay informed about the latest versions and patches.

      Score
      Recommendation

      To address this issue, it is recommended to integrate Dependabot into the project's development workflow. Dependabot is a tool that automatically scans the project's dependencies, identifies outdated packages, and creates pull requests to update them to the latest compatible versions.


      Remediation Plan

      ACKNOWLEDGED: The CoreDAO team acknowledged this finding.

      References
      coredao-org/core-chain/tree/branch_v1.0.9

      7.7 Outdated GETH Fork Version

      // Informational

      Description

      The Core Chain repository is currently using an outdated version of the BSC fork. This outdated version could potentially be vulnerable to exploits, or it could lack performance improvements and features that newer versions of Geth provide.

      Score
      Recommendation

      It is recommended to upgrade the Geth version to the latest stable release. This will help ensure that the blockchain network is secure, efficient, and feature-rich.

      Before proceeding with the upgrade, it is advisable to thoroughly test the new Geth version in a safe and isolated environment to prevent any unforeseen issues. After successful testing, the upgrade can be rolled out to the live system.


      Remediation Plan

      ACKNOWLEDGED: The CoreDAO team acknowledged this finding.

      Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.

      // Download the full report

      * Use Google Chrome for best results

      ** Check "Background Graphics" in the print settings if needed

      © Halborn 2024. All rights reserved.