Prepared by:
HALBORN
Last Updated 04/26/2024
Date of Engagement by: July 5th, 2022 - July 30th, 2022
89% of all REPORTED Findings have been addressed
All findings
9
Critical
0
High
0
Medium
0
Low
2
Informational
7
UMEE
engaged Halborn to conduct a security audit on their CosmWasm integration, beginning on 2022-07-05 and ending on 2022-07-30.The security assessment was scoped to the GitHub repository provided to the Halborn team.
The team at Halborn was provided nearly three weeks for the engagement and assigned two full-time security engineers to audit the security of the CosmWasm integration. The security engineers are blockchain and smart-contract security experts with advanced penetration testing, smart-contract hacking, and deep knowledge of multiple blockchain protocols.
The purpose of this audit to achieve the following:
Ensure that the CosmWasm integration functions as intended.
Identify potential security issues with the UMEE Team.
In summary, Halborn identified a some security risks that were mostly addressed by the UMEE Team
. However, HAL-01 (VULNERABLE WASM SMARTCONTRACT LEADS TO CHAIN HALT), HAL-02 (WASM CONFIG PARAMETERS ARENOT COMPATIBLE WITH RECENT COSMWASMSDK), HAL-03 (NEW QUERIES ARE NOT ADDEDINTO THE HANDLER) and HAL-04 (VULNERABLE 3RD PARTYPACKAGES) will be solved in a future release.
Halborn performed a combination of manual and automated security testing to balance efficiency, timeliness, practicality, and accuracy in regard to the scope of the CosmWasm integration. While manual testing is recommended to uncover flaws in logic, process, and implementation; automated testing techniques help enhance coverage of structures and can quickly identify items that do not follow security best practices. The following phases and associated tools were used throughout the term of the audit:
Research into architecture and purpose.
Static Analysis of security for scoped repository, and imported functions. (staticcheck
, gosec
, unconvert
, LGTM
, ineffassign
and semgrep
)
Manual Assessment for discovering security vulnerabilities on codebase.
Ensuring correctness of the codebase.
Dynamic Analysis on CosmWasm integration functions and data types.
IN-SCOPE:
The security assessment was scoped to umee-network/umee
repository.
IN-SCOPE MODULES:
CosmWasm integration.
FIXED MERGED ISSUES :
HAL-04 : https://github.com/umee-network/umee/issues/1193.
HAL-05 : https://github.com/umee-network/umee/issues/1192.
HAL-06 : https://github.com/umee-network/umee/issues/1194.
HAL-07 : https://github.com/umee-network/umee/issues/1195.
Critical
0
High
0
Medium
0
Low
2
Informational
7
Impact x Likelihood
HAL-02
HAL-03
HAL-04
HAL-01
HAL-05
HAL-06
HAL-07
HAL-08
HAL-09
Security analysis | Risk level | Remediation Date |
---|---|---|
WASM CONFIG PARAMETERS ARE NOT COMPATIBLE WITH RECENT COSMWASM SDK | Low | Future Release |
NEW QUERIES ARE NOT ADDED INTO THE HANDLER | Low | Future Release |
VULNERABLE WASM SMART CONTRACT LEADS TO CHAIN HALT | Informational | - |
VULNERABLE 3RD PARTY PACKAGES | Informational | Future Release |
UNHANDLED ERRORS | Informational | Solved - 08/29/2022 |
DUPLICATED ERROR CHECKS | Informational | Solved - 08/29/2022 |
HTML ESCAPING NOT IMPLEMENTED | Informational | Solved - 08/29/2022 |
PANIC IS USED FOR ERROR HANDLING | Informational | Acknowledged |
OPEN TODOs | Informational | Acknowledged |
// Low
During the code review, It has been noticed that the pre-defined parameters are incompatible with the recent wasmd keeper. From the following link, DefaultCompileCost is incompatible with recent wasmd module. On the other hand, DefaultGasMultiplier is not defined.
const (
// DefaultUmeeWasmInstanceCost is initially set the same as in wasmd
DefaultUmeeWasmInstanceCost uint64 = 60_000
// DefaultUmeeWasmCompileCost cost per byte compiled
DefaultUmeeWasmCompileCost uint64 = 100
)
PENDING: The UMEE Team
will fix this issue in a future release.
// Low
In the recent branch, SlashWindow query has been added. SlashWindow queries the current slash window progress of the oracle. However, the query is not added into the wasm handlers.
func (q querier) SlashWindow(
goCtx context.Context,
req *types.QuerySlashWindow,
) (*types.QuerySlashWindowResponse, error) {
if req == nil {
return nil, status.Error(codes.InvalidArgument, "empty request")
}
ctx := sdk.UnwrapSDKContext(goCtx)
params := q.GetParams(ctx)
slashWindow := params.SlashWindow
votePeriod := params.VotePeriod
currentBlock := uint64(ctx.BlockHeight())
votePeriodsPerSlashWindow := slashWindow / votePeriod
currentSlashWindow := currentBlock / votePeriodsPerSlashWindow
blocksIntoSlashWindow := currentBlock - (currentSlashWindow * slashWindow)
return &types.QuerySlashWindowResponse{
WindowProgress: blocksIntoSlashWindow / votePeriod,
}, nil
}
PENDING: The UMEE Team
will fix this issue in a future release.
// Informational
// Informational
There are a few 3rd party packages that are being used that contain vulnerabilities.
\begin{center} \begin{tabular}{|l|p{3cm}|p{2cm}|l|} \hline \textbf{ID} & \textbf{Package} & \textbf{Rating} & \textbf{Description} \ \hline \href{https://ossindex.sonatype.org/vulnerability/sonatype-2021-0598}{sonatype-2021-0598} & tendermint & MEDIUM & Improper Input Validation \ \hline \href{https://ossindex.sonatype.org/vulnerability/sonatype-2022-3945}{sonatype-2022-3945} & go-buffer-poo & MEDIUM & Integer Overflow or Wraparound \ \hline \href{https://ossindex.sonatype.org/vulnerability/sonatype-2021-0456}{sonatype-2021-0456} & websocket & HIGH & Uncontrolled Resource Consumption \ \hline \href{https://ossindex.sonatype.org/vulnerability/sonatype-2021-0076}{sonatype-2021-0076} & go-ethereum & HIGH & Uncontrolled Resource Consumption \ \hline \href{https://ossindex.sonatype.org/vulnerability/CVE-2022-23328}{CVE-2022-23328} & go-ethereum & HIGH & Denial of Service attack \ \hline \end{tabular} \end{center}
PENDING: The UMEE Team
will fix this issue in a future release.
// Informational
There are a few instances where error handling has not been implemented for functions that might return an error.
price-feeder/oracle/provider/huobi.go, Lines 384-387
func (p *HuobiProvider) reconnect() error {
p.wsClient.Close()
p.logger.Debug().Msg("reconnecting websocket")
price-feeder/oracle/provider/gate.go, Lines 548-551
func (p *GateProvider) reconnect() error {
p.wsClient.Close()
p.logger.Debug().Msg("reconnecting websocket")
price-feeder/oracle/provider/coinbase.go, Lines 482-485
func (p *CoinbaseProvider) reconnect() error {
p.wsClient.Close()
p.logger.Debug().Msg("reconnecting websocket")
price-feeder/oracle/provider/binance.go, Lines 362-366
func (p *BinanceProvider) reconnect() error {
p.wsClient.Close()
p.logger.Debug().Msg("reconnecting websocket")
SOLVED: The UMEE Team
has implemented the correct error handling on Issue 1192.
// Informational
There are two instances where an error check is not required, and the logic can be adjusted to only return the value.
x/leverage/types/tx.go, Lines 115-121
func (msg *MsgDecollateralize) ValidateBasic() error {
_, err := sdk.AccAddressFromBech32(msg.Borrower)
if err != nil {
return err
}
return nil
}
x/leverage/types/tx.go, Lines 86-92
func (msg *MsgCollateralize) ValidateBasic() error {
_, err := sdk.AccAddressFromBech32(msg.Borrower)
if err != nil {
return err
}
return nil
}
SOLVED: The UMEE Team
has implemented the correct error handling on Issue 1194.
// Informational
It was found that Write
is being used to generate HTTP responses, instead of using the html/template
package that handles HTML and other encodings more safely.
price-feeder/router/v1/router.go, Line 113
_, _ = w.Write(gr.Metrics)
price-feeder/router/v1/response.go, Line 48
_, _ = w.Write(bz)
SOLVED: The UMEE Team
has implemented the correct error handling on Issue 1195.
// Informational
Several instances of the panic
function were identified in the codebase. They appear to be used to handle errors. This can cause potential issues, as invoking a panic can cause the program to halt execution and crash in some cases. This in turn can negatively impact the availability of the software for users.
The following are just a few samples of the usage of panic
.
x/leverage/abci.go, Lines 11-21
func EndBlocker(ctx sdk.Context, k keeper.Keeper) []abci.ValidatorUpdate {
if err := k.SweepBadDebts(ctx); err != nil {
panic(err)
}
if err := k.AccrueAllInterest(ctx); err != nil {
panic(err)
}
return []abci.ValidatorUpdate{}
}
xx/leverage/keeper/keeper.go, Lines 64-66
if k.hooks != nil {
panic("leverage hooks already set")
}
ACKNOWLEDGED: The UMEE Team
acknowledged this finding.
// Informational
Open To-dos can point to architecture or programming issues that still need to be resolved. Often these kinds of comments indicate areas of complexity or confusion for developers. This provides value and insight to an attacker who aims to cause damage to the protocol.
./x/leverage/module.go:28: // TODO: Ensure x/leverage implements simulator and then uncomment.
./x/leverage/keeper/interest.go:164: // TODO: use typed events
./x/leverage/keeper/interest.go:76: // @todo fix this when tendermint solves #8773
ACKNOWLEDGED: The UMEE Team
acknowledged this finding.
Halborn used automated testing techniques to enhance coverage of certain areas of the scoped component. Among the tools used were staticcheck, gosec, semgrep, unconvert, LGTM and Nancy. After Halborn verified all the contracts and scoped structures in the repository and was able to compile them correctly, these tools were leveraged on scoped structures. With these tools, Halborn can statically verify security related issues across the entire codebase.
semgrep --config "p/dgryski.semgrep-go" x --exclude='*_test.go' --max-lines-per-finding 1000 --no-git-ignore -o dgryski.semgrep
semgrep --config "p/owasp-top-ten" x --exclude='*_test.go' --max-lines-per-finding 1000 --no-git-ignore -o owasp-top-ten.semgrep
semgrep --config "p/r2c-security-audit" x --exclude='*_test.go' --max-lines-per-finding 1000 --no-git-ignore -o r2c-security-audit.semgrep
semgrep --config "p/r2c-ci" x --exclude='*_test.go' --max-lines-per-finding 1000 --no-git-ignore -o r2c-ci.semgrep
semgrep --config "p/ci" x --exclude='*_test.go' --max-lines-per-finding 1000 --no-git-ignore -o ci.semgrep
semgrep --config "p/golang" x --exclude='*_test.go' --max-lines-per-finding 1000 --no-git-ignore -o golang.semgrep
semgrep --config "p/trailofbits" x --exclude='*_test.go' --max-lines-per-finding 1000 --no-git-ignore -o trailofbits.semgrep
{width=625 height=438}
{width=309 height=170}
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
// Download the full report
* Use Google Chrome for best results
** Check "Background Graphics" in the print settings if needed