HbarSuite

It was found, after some time, all the pools that were created while testing became unavailable. This varied from becoming unavailable any time between 3 hours after creation, up to 24 hours after creation.

This resulted in no positions being able to be opened in those duplicated pools.

A new pool was created. Monitoring was enabled using a custom-made script to check for available pools at an interval of 20 minutes.

During the test, it was observed that the created pool become unavailable after approximately 4 hours.

SOLVED: While testing was ongoing, this issue was raised with the HbarSuite team. A fix was implemented and after retesting over a 24-hour period, it was noted that the pools remained available.

It was found that https://hsuite-finance.firebaseapp.com when large values are entered into the amount input fields, an error is generated and the site becomes unresponsive until a manual refresh of the browser. It appeared that the error was due to the number being converted into scientific notation.

SOLVED: The HbarSuite team implemented a fix by using encodingUrl on all parameters.

It was found that https://hsuite-finance.firebaseapp.com allows unauthenticated cache purging. This allows an attacker to purge the site's caches.

This could lead to additional bandwidth costs and could also potential lead to Denial of Services.

SOLVED: The HbarSuite team implemented a fix by white listing only the official links on the smart nodes. By doing this, the Firebase application will no longer be operational. The official links are all under Cloudflare, where it is not possible for an anonymous user to purge the cache.

It was found that when a negative value is provided when purchasing $LPT in Launchpad on https://hsuite-finance.firebaseapp.com, the tokens are swapped around and you will be spending $LPT instead of earning it.

SOLVED: The HbarSuite team implemented a fix by making sure no negative values can be entered into the input fields.

It was found that the USDC token has been set up with 4 decimals. This was observed in the /tokens/list API endpoint.

The accepted standard for the amount of decimals to be used when working with USDC is 6. By performing calculations using 4 decimal places, It might result in unexpected results.

SOLVED: The HbarSuite team has fixed this by adjusting the decimal value of USDC to 6.

It was found that https://hsuite-finance.firebaseapp.com allowed for negative values to be entered in the amount input fields. When the transaction was performed, it did, however, use the positive representation of the value.

SOLVED: The HbarSuite team implemented a fix by making sure no negative values can be entered into the input fields.

It was observed that when creating a new position on https://hsuite-finance.firebaseapp.com the values being shows on the labels indicate incorrect values being parsed. They are showing NaN (Not-a-Number) values, instead of a properly formed numeric value.

SOLVED: The HbarSuite team implemented a fix and no further NaN values were observed on the UI. There were, however, NaN errors being shown in the developer console of the browser, which the HbarSuite team has acknowledged.

It was found that https://hsuite-finance.firebaseapp.com does not implement the anti-clickjacking X-Frame-Options header, which made it susceptible to clickjacking attacks.

Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online.

Typically, clickjacking is performed by displaying an invisible page or HTML element, inside an iframe, on top of the page the user sees. The user believes they are clicking the visible page, but in fact they are clicking an invisible element in the additional page transposed on top of it.

The invisible page could be a malicious page, or a legitimate page the user did not intend to visit - for example, a login page.

SOLVED: The HbarSuite team has fixed the issue by implementing the correct HTTP response headers.

It was found that https://hsuite-finance.firebaseapp.com does not implement a number of the standard and recommended HTTP security headers.

The headers that were found to be missing are:

• access-control-expose-headers
• access-control-allow-methods
• access-control-allow-headers
• referrer-policy
• x-permitted-cross-domain-policies
• cross-origin-embedder-policy
• cross-origin-opener-policy
• access-control-allow-origin
• access-control-allow-credentials
• access-control-max-age
• permission-policy
• x-frame-options
• x-content-type-options
• cross-origin-resource-policy
• content-security-policy

SOLVED: The HbarSuite team has fixed the issue by implementing the correct HTTP response headers.

It was found that responses from https://hsuite-finance.firebaseapp.com may be cached by browsers. Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers cache content accessed via HTTPS. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time.

SOLVED: The HbarSuite team has fixed the issue by implementing the correct HTTP response headers.

The application running on https://hsuite-finance.firebaseapp.com failed to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption, and use the application as a platform for attacks against its users. This attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link to the site from an HTTP page, their browser never attempts to use an encrypted connection.

SOLVED: The HbarSuite team has fixed this by implementing the correct HTTP response headers.

It was found on https://hsuite-finance.firebaseapp.com it appears that some developer logs have been left enabled. This could lead to potentially sensitive information being made available to the user.

ACKNOWLEDGED: The HbarSuite Team has acknowledged this finding.

The three provided hosts were scanned to see which ports are open and which services were running.

testnet-sn1.hbarsuite.network (104.21.73.174):
\begin{center} \begin{tabular}{|l|l|} \hline \textbf{Port} & \textbf{Service Banner} \ \hline 80 & cloudflare \ \hline 443 & cloudflare \ \hline 2052 & No banner \ \hline 2053 & nginx \ \hline 2082 & No banner \ \hline 2083 & nginx \ \hline 2086 & No banner \ \hline 2087 & nginx \ \hline 2095 & No banner \ \hline 2096 & nginx \ \hline 8080 & cloudflare \ \hline 8443 & cloudflare \ \hline 8880 & No banner \ \hline \end{tabular} \end{center}

testnet-sn2.hbarsuite.network (104.21.73.174):
\begin{center} \begin{tabular}{|l|l|} \hline \textbf{Port} & \textbf{Service Banner} \ \hline 80 & cloudflare \ \hline 443 & cloudflare \ \hline 2052 & No banner \ \hline 2053 & nginx \ \hline 2082 & No banner \ \hline 2083 & nginx \ \hline 2086 & No banner \ \hline 2087 & nginx \ \hline 2095 & No banner \ \hline 2096 & nginx \ \hline 8080 & cloudflare \ \hline 8443 & cloudflare \ \hline 8880 & No banner \ \hline \end{tabular} \end{center}

testnet-sn3.hbarsuite.network (104.21.73.174):
\begin{center} \begin{tabular}{|l|l|} \hline \textbf{Port} & \textbf{Service Banner} \ \hline 80 & cloudflare \ \hline 443 & cloudflare \ \hline 2052 & No banner \ \hline 2053 & nginx \ \hline 2082 & No banner \ \hline 2083 & nginx \ \hline 2086 & No banner \ \hline 2087 & nginx \ \hline 2095 & No banner \ \hline 2096 & nginx \ \hline 8080 & cloudflare \ \hline 8443 & cloudflare \ \hline 8880 & No banner \ \hline \end{tabular} \end{center}

testnet-sn4.hbarsuite.network (172.67.146.161):
\begin{center} \begin{tabular}{|l|l|} \hline \textbf{Port} & \textbf{Service Banner} \ \hline 80 & cloudflare \ \hline 443 & cloudflare \ \hline 2052 & No banner \ \hline 2053 & nginx \ \hline 2082 & No banner \ \hline 2083 & nginx \ \hline 2086 & No banner \ \hline 2087 & nginx \ \hline 2095 & No banner \ \hline 2096 & nginx \ \hline 8080 & cloudflare \ \hline 8443 & cloudflare \ \hline 8880 & No banner \ \hline \end{tabular} \end{center}

ACKNOWLEDGED: The HbarSuite Team has acknowledged this finding.

It was found that previous IP addresses that have been associated with the smart nodes were accessible in publicly available DNS history records. Using this information, the direct IP addresses of the nodes were found.

It should, however, be noted that the Cloudflare proxy and firewall has been set up to correctly to not allow direct access to these nodes using those IP addresses.

ACKNOWLEDGED: The HbarSuite Team has acknowledged this finding.