
WASM Integration - UMEE


Prepared by:


HALBORN

Last Updated 04/26/2024

Date of Engagement: July 5th, 2022 - July 30th, 2022

Summary

56% of all REPORTED Findings have been addressed

All findings: 9
Critical: 0
High: 0
Medium: 0
Low: 2
Informational: 7


1. INTRODUCTION

UMEE engaged Halborn to conduct a security audit on their CosmWasm integration, beginning on 2022-07-05 and ending on 2022-07-30. The security assessment was scoped to the GitHub repository provided to the Halborn team.

2. AUDIT SUMMARY

The team at Halborn was provided nearly three weeks for the engagement and assigned two full-time security engineers to audit the security of the CosmWasm integration. The security engineers are blockchain and smart-contract security experts with advanced penetration testing, smart-contract hacking, and deep knowledge of multiple blockchain protocols.

The purpose of this audit is to achieve the following:

    • Ensure that the CosmWasm integration functions as intended.

    • Identify potential security issues in the integration and communicate them to the UMEE Team.

In summary, Halborn identified some security risks that were mostly addressed by the UMEE Team. However, HAL-01 (VULNERABLE WASM SMART CONTRACT LEADS TO CHAIN HALT), HAL-02 (WASM CONFIG PARAMETERS ARE NOT COMPATIBLE WITH RECENT COSMWASM SDK), HAL-03 (NEW QUERIES ARE NOT ADDED INTO THE HANDLER) and HAL-04 (VULNERABLE 3RD PARTY PACKAGES) will be solved in a future release.

3. TEST APPROACH & METHODOLOGY

Halborn performed a combination of manual and automated security testing to balance efficiency, timeliness, practicality, and accuracy in regard to the scope of the CosmWasm integration. While manual testing is recommended to uncover flaws in logic, process, and implementation, automated testing techniques help enhance coverage of structures and can quickly identify items that do not follow security best practices. The following phases and associated tools were used throughout the term of the audit:

    • Research into architecture and purpose.

    • Static Analysis of security for scoped repository, and imported functions. (staticcheck, gosec, unconvert, LGTM, ineffassign and semgrep)

    • Manual Assessment for discovering security vulnerabilities in the codebase.

    • Ensuring correctness of the codebase.

    • Dynamic Analysis on CosmWasm integration functions and data types.

4. SCOPE

IN-SCOPE:

The security assessment was scoped to umee-network/umee repository.

Branch Pull Request

IN-SCOPE MODULES:

    • CosmWasm integration.

FIXED MERGED ISSUES:

    • HAL-04 : https://github.com/umee-network/umee/issues/1193.

    • HAL-05 : https://github.com/umee-network/umee/issues/1192.

    • HAL-06 : https://github.com/umee-network/umee/issues/1194.

    • HAL-07 : https://github.com/umee-network/umee/issues/1195.

5. RISK METHODOLOGY

Vulnerabilities or issues observed by Halborn are ranked based on the risk assessment methodology by measuring the LIKELIHOOD of a security incident and the IMPACT should an incident occur. This framework works for communicating the characteristics and impacts of technology vulnerabilities. The quantitative model ensures repeatable and accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the Risk scores. For every vulnerability, a risk level will be calculated on a scale of 5 to 1 with 5 being the highest likelihood or impact.
RISK SCALE - LIKELIHOOD
  • 5 - Almost certain an incident will occur.
  • 4 - High probability of an incident occurring.
  • 3 - Potential of a security incident in the long term.
  • 2 - Low probability of an incident occurring.
  • 1 - Very unlikely issue will cause an incident.
RISK SCALE - IMPACT
  • 5 - May cause devastating and unrecoverable impact or loss.
  • 4 - May cause a significant level of impact or loss.
  • 3 - May cause a partial impact or loss to many.
  • 2 - May cause temporary impact or loss.
  • 1 - May cause minimal or un-noticeable impact.
The risk level is then calculated as the sum of these two values, giving a score from 2 to 10 with 10 being the highest level of security risk.
  • 10 - CRITICAL
  • 9 - 8 - HIGH
  • 7 - 6 - MEDIUM
  • 5 - 4 - LOW
  • 3 - 1 - VERY LOW AND INFORMATIONAL

6. SCOPE

Out-of-Scope: New features/implementations after the remediation commit IDs.

7. Assessment Summary & Findings Overview

Critical: 0
High: 0
Medium: 0
Low: 2
Informational: 7

Impact x Likelihood chart: HAL-01 through HAL-09 plotted by impact and likelihood score (chart image).

ID      Security analysis                                                   Risk level     Remediation date
HAL-02  WASM CONFIG PARAMETERS ARE NOT COMPATIBLE WITH RECENT COSMWASM SDK  Low            Future Release
HAL-03  NEW QUERIES ARE NOT ADDED INTO THE HANDLER                          Low            Future Release
HAL-01  VULNERABLE WASM SMART CONTRACT LEADS TO CHAIN HALT                  Informational  -
HAL-04  VULNERABLE 3RD PARTY PACKAGES                                       Informational  Future Release
HAL-05  UNHANDLED ERRORS                                                    Informational  Solved - 08/29/2022
HAL-06  DUPLICATED ERROR CHECKS                                             Informational  Solved - 08/29/2022
HAL-07  HTML ESCAPING NOT IMPLEMENTED                                       Informational  Solved - 08/29/2022
HAL-08  PANIC IS USED FOR ERROR HANDLING                                    Informational  Acknowledged
HAL-09  OPEN TODOs                                                          Informational  Acknowledged

8. Findings & Tech Details

8.1 WASM CONFIG PARAMETERS ARE NOT COMPATIBLE WITH RECENT COSMWASM SDK

// Low

Description

During the code review, it was noticed that the pre-defined gas parameters are incompatible with the recent wasmd keeper: the value used for DefaultCompileCost no longer matches the current wasmd module, and DefaultGasMultiplier is not defined at all. Gas parameters that drift from upstream either over-charge every code upload or, where a conversion factor is missing, leave wasmvm gas unmetered.

Code Location

Location

const (
    // DefaultUmeeWasmInstanceCost is initially set the same as in wasmd
    DefaultUmeeWasmInstanceCost uint64 = 60_000
    // DefaultUmeeWasmCompileCost cost per byte compiled
    DefaultUmeeWasmCompileCost uint64 = 100
)
Score
Impact: 3
Likelihood: 1
Recommendation

PENDING: The UMEE Team will fix this issue in a future release.
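To make the parameter drift concrete, the following is an added example written for this report; it is not wasmd's or Umee's code. It models wasmd's gas register with a small GasConfig type. The upstream default values (InstanceCost 60_000, CompileCost 3, GasMultiplier 140_000_000) are assumed from wasmd's gas_register.go as of the engagement period, and UmeeConfig carries the audited constants from the snippet above with GasMultiplier left at its zero value. Validate and Drift are the two checks worth running in CI: a zero multiplier means wasmvm gas cannot be converted to SDK gas at all, and a compile cost out of step with upstream changes the price of every StoreCode transaction.

```go
package main

import (
	"errors"
	"fmt"
)

// GasConfig is a simplified model of wasmd's WasmGasRegisterConfig (example code, not wasmd's).
type GasConfig struct {
	InstanceCost  uint64 // SDK gas charged when a contract instance is created/called
	CompileCost   uint64 // SDK gas charged per byte of wasm stored
	GasMultiplier uint64 // wasmvm gas units per 1 SDK gas unit
}

// UpstreamDefaults are the assumed wasmd defaults at the time of the audit.
var UpstreamDefaults = GasConfig{InstanceCost: 60_000, CompileCost: 3, GasMultiplier: 140_000_000}

// UmeeConfig mirrors the audited constants; GasMultiplier was never defined, so it is zero.
var UmeeConfig = GasConfig{InstanceCost: 60_000, CompileCost: 100}

// Validate rejects configurations the keeper cannot meter gas with.
func (c GasConfig) Validate() error {
	if c.GasMultiplier == 0 {
		return errors.New("gas multiplier is zero: wasmvm gas cannot be converted to SDK gas")
	}
	if c.CompileCost == 0 {
		return errors.New("compile cost is zero: storing code would be free")
	}
	return nil
}

// CompileCosts is the SDK gas charged for storing a wasm blob of byteLength bytes.
func (c GasConfig) CompileCosts(byteLength int) uint64 {
	return c.CompileCost * uint64(byteLength)
}

// ToWasmVMGas converts an SDK gas budget into wasmvm units. wasmd panics with
// ErrorOutOfGas on overflow; here an error is returned instead.
func (c GasConfig) ToWasmVMGas(sdkGas uint64) (uint64, error) {
	if c.GasMultiplier == 0 {
		return 0, errors.New("gas multiplier is zero")
	}
	x := sdkGas * c.GasMultiplier
	if x/c.GasMultiplier != sdkGas {
		return 0, errors.New("gas conversion overflow")
	}
	return x, nil
}

// FromWasmVMGas converts gas consumed by wasmvm back to SDK gas (integer division, as wasmd does).
func (c GasConfig) FromWasmVMGas(wasmvmGas uint64) (uint64, error) {
	if c.GasMultiplier == 0 {
		return 0, errors.New("gas multiplier is zero")
	}
	return wasmvmGas / c.GasMultiplier, nil
}

// Drift lists the fields where the chain's config diverges from the upstream defaults.
// A unit test asserting the list is empty catches silent divergence after a wasmd bump.
func Drift(chain, upstream GasConfig) []string {
	var out []string
	if chain.InstanceCost != upstream.InstanceCost {
		out = append(out, fmt.Sprintf("InstanceCost %d != upstream %d", chain.InstanceCost, upstream.InstanceCost))
	}
	if chain.CompileCost != upstream.CompileCost {
		out = append(out, fmt.Sprintf("CompileCost %d != upstream %d", chain.CompileCost, upstream.CompileCost))
	}
	if chain.GasMultiplier != upstream.GasMultiplier {
		out = append(out, fmt.Sprintf("GasMultiplier %d != upstream %d", chain.GasMultiplier, upstream.GasMultiplier))
	}
	return out
}

func main() {
	for _, d := range Drift(UmeeConfig, UpstreamDefaults) {
		fmt.Println("drift:", d)
	}
	fmt.Println("validate:", UmeeConfig.Validate())
	// Storing a 500 KiB contract: upstream price versus the audited compile cost.
	fmt.Println(UpstreamDefaults.CompileCosts(512_000), UmeeConfig.CompileCosts(512_000))
}
```

Drift(UmeeConfig, UpstreamDefaults) reports CompileCost and GasMultiplier, and Validate fails on the missing multiplier; a test pinning both against the vendored wasmd version would have surfaced this finding at the dependency upgrade rather than in review.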

8.2 NEW QUERIES ARE NOT ADDED INTO THE HANDLER

// Low

Description

In the audited branch, a SlashWindow query was added to the oracle module; it reports how far the current slash window has progressed. The query was not added to the wasm query handlers, so CosmWasm contracts cannot reach it even though it is exposed over gRPC.

Code Location

Location

func (q querier) SlashWindow(
    goCtx context.Context,
    req *types.QuerySlashWindow,
) (*types.QuerySlashWindowResponse, error) {
    if req == nil {
        return nil, status.Error(codes.InvalidArgument, "empty request")
    }

    ctx := sdk.UnwrapSDKContext(goCtx)
    params := q.GetParams(ctx)

    slashWindow := params.SlashWindow
    votePeriod := params.VotePeriod
    currentBlock := uint64(ctx.BlockHeight())
    votePeriodsPerSlashWindow := slashWindow / votePeriod

    currentSlashWindow := currentBlock / votePeriodsPerSlashWindow
    blocksIntoSlashWindow := currentBlock - (currentSlashWindow * slashWindow)

    return &types.QuerySlashWindowResponse{
        WindowProgress: blocksIntoSlashWindow / votePeriod,
    }, nil
}
Score
Impact: 3
Likelihood: 1
Recommendation

PENDING: The UMEE Team will fix this issue in a future release.
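The gap between the gRPC querier and the wasm dispatch table is easy to reproduce and just as easy to guard against. The following is an added example for this report, not Umee's wasm plugin: querier stands in for the oracle module's gRPC querier (SlashWindow is the method from the finding; Params and ExchangeRates are assumed further queries), wasmQueryHandlers is the custom-query dispatch table with SlashWindow left out, and MissingWasmHandlers uses reflection to list every querier method that has no handler, which is the check to run from a unit test so a new query cannot ship without its wasm binding.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
)

// querier stands in for the oracle module's gRPC querier. SlashWindow is the
// method from the finding; Params and ExchangeRates are assumed for illustration.
type querier struct{}

func (querier) Params() string        { return "params" }
func (querier) ExchangeRates() string { return "exchange-rates" }
func (querier) SlashWindow() string   { return "slash-window" }

// wasmQueryHandlers is the dispatch table the wasm query plugin consults for
// custom queries. SlashWindow is deliberately absent, reproducing the finding.
var wasmQueryHandlers = map[string]func(querier) string{
	"Params":        func(q querier) string { return q.Params() },
	"ExchangeRates": func(q querier) string { return q.ExchangeRates() },
}

// HandleQuery is what a contract's custom query reaches: names missing from the
// table fail, so the contract sees an error rather than the oracle's answer.
func HandleQuery(q querier, name string) (string, error) {
	h, ok := wasmQueryHandlers[name]
	if !ok {
		return "", fmt.Errorf("unknown custom query %q", name)
	}
	return h(q), nil
}

// MissingWasmHandlers lists the exported methods of q that have no dispatch
// entry. Run from a test, it keeps gRPC and wasm query surfaces in step.
func MissingWasmHandlers(q interface{}, handlers map[string]func(querier) string) []string {
	t := reflect.TypeOf(q)
	var missing []string
	for i := 0; i < t.NumMethod(); i++ {
		if name := t.Method(i).Name; handlers[name] == nil {
			missing = append(missing, name)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	fmt.Println("queries without a wasm handler:", MissingWasmHandlers(querier{}, wasmQueryHandlers))
	if _, err := HandleQuery(querier{}, "SlashWindow"); err != nil {
		fmt.Println("contract query failed:", err)
	}
}
```

The reflection check reports SlashWindow as missing; once a handler is added the list is empty, so asserting len(MissingWasmHandlers(...)) == 0 in the module's tests turns this class of omission into a failing build.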

8.3 VULNERABLE WASM SMART CONTRACT LEADS TO CHAIN HALT

// Informational

Description
Finding description placeholder
Score
Impact:
Likelihood:

8.4 VULNERABLE 3RD PARTY PACKAGES

// Informational

Description

A few third-party packages in the dependency tree have known vulnerabilities. Each ID below links to https://ossindex.sonatype.org/vulnerability/<ID>.

ID                  Package         Rating  Description
sonatype-2021-0598  tendermint      MEDIUM  Improper Input Validation
sonatype-2022-3945  go-buffer-pool  MEDIUM  Integer Overflow or Wraparound
sonatype-2021-0456  websocket       HIGH    Uncontrolled Resource Consumption
sonatype-2021-0076  go-ethereum     HIGH    Uncontrolled Resource Consumption
CVE-2022-23328      go-ethereum     HIGH    Denial of Service attack

Score
Impact: 2
Likelihood: 1
Recommendation

PENDING: The UMEE Team will fix this issue in a future release.

8.5 UNHANDLED ERRORS

// Informational

Description

There are a few instances where error handling has not been implemented for functions that might return an error.

Code Location

price-feeder/oracle/provider/huobi.go, Lines 384-387

func (p *HuobiProvider) reconnect() error {
    p.wsClient.Close()

    p.logger.Debug().Msg("reconnecting websocket")

price-feeder/oracle/provider/gate.go, Lines 548-551

func (p *GateProvider) reconnect() error {
    p.wsClient.Close()

    p.logger.Debug().Msg("reconnecting websocket")

price-feeder/oracle/provider/coinbase.go, Lines 482-485

func (p *CoinbaseProvider) reconnect() error {
    p.wsClient.Close()

    p.logger.Debug().Msg("reconnecting websocket")

price-feeder/oracle/provider/binance.go, Lines 362-366

func (p *BinanceProvider) reconnect() error {
    p.wsClient.Close()

    p.logger.Debug().Msg("reconnecting websocket")
Score
Impact: 1
Likelihood: 1
Recommendation

SOLVED: The UMEE Team has implemented the correct error handling on Issue 1192.
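Each of the four reconnect methods above discards the error returned by wsClient.Close (gosec reports this pattern as G104). The following is an added example for this report, not the price feeder's code: provider models one of the exchange providers with an assumed wsConn interface and a dial function in place of the websocket client, and reconnect is the hardened version, where the Close error is logged and, if the new dial also fails, surfaced to the caller together with the dial error.

```go
package main

import (
	"errors"
	"fmt"
)

// wsConn is the part of the websocket client the reconnect path uses (assumed interface).
type wsConn interface {
	Close() error
}

// provider models the per-exchange structs from the finding (Huobi, Gate, Coinbase,
// Binance). dial opens a new socket; logs stands in for the zerolog logger.
type provider struct {
	wsClient wsConn
	dial     func() (wsConn, error)
	logs     []string
}

// reconnect closes the old socket and dials a new one. Unlike the audited code the
// Close error is not dropped: it is logged, and if the dial fails too the caller
// gets both causes, which is what matters when diagnosing a feeder that stops pricing.
func (p *provider) reconnect() error {
	closeErr := p.wsClient.Close()
	if closeErr != nil {
		p.logs = append(p.logs, "closing websocket: "+closeErr.Error())
	}
	p.logs = append(p.logs, "reconnecting websocket")

	conn, err := p.dial()
	if err != nil {
		if closeErr != nil {
			return fmt.Errorf("reconnect: dial failed: %w (after close error: %v)", err, closeErr)
		}
		return fmt.Errorf("reconnect: dial failed: %w", err)
	}
	p.wsClient = conn
	return nil
}

// fakeConn is a constructed stand-in for a websocket connection.
type fakeConn struct {
	closeErr error
	closed   bool
}

func (f *fakeConn) Close() error {
	f.closed = true
	return f.closeErr
}

func main() {
	old := &fakeConn{closeErr: errors.New("use of closed network connection")}
	p := &provider{wsClient: old, dial: func() (wsConn, error) { return &fakeConn{}, nil }}
	fmt.Println("reconnect:", p.reconnect(), p.logs)
}
```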

8.6 DUPLICATED ERROR CHECKS

// Informational

Description

There are two instances where an error check is not required, and the logic can be adjusted to only return the value.

Code Location

x/leverage/types/tx.go, Lines 115-121

func (msg *MsgDecollateralize) ValidateBasic() error {
    _, err := sdk.AccAddressFromBech32(msg.Borrower)
    if err != nil {
        return err
    }
    return nil
}

x/leverage/types/tx.go, Lines 86-92

func (msg *MsgCollateralize) ValidateBasic() error {
    _, err := sdk.AccAddressFromBech32(msg.Borrower)
    if err != nil {
        return err
    }
    return nil
}
Score
Impact: 1
Likelihood: 1
Recommendation

SOLVED: The UMEE Team has simplified the redundant error checks in Issue 1194.

8.7 HTML ESCAPING NOT IMPLEMENTED

// Informational

Description

It was found that Write is being used to generate HTTP responses directly, instead of going through the html/template package, which handles HTML and other encodings more safely. Both flagged locations appear to serve JSON (response.go) and Prometheus metrics (router.go) rather than HTML. For such responses the relevant control is an explicit Content-Type header together with X-Content-Type-Options: nosniff, so that a browser cannot sniff the body as HTML; html/template applies only where HTML is actually rendered.

Code Location

price-feeder/router/v1/router.go, Line 113

        _, _ = w.Write(gr.Metrics)

price-feeder/router/v1/response.go, Line 48

    _, _ = w.Write(bz)
Score
Impact: 1
Likelihood: 1
Recommendation

SOLVED: The UMEE Team has addressed this finding in Issue 1195.
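The following is an added example for this report, not the price feeder's router code, showing the hardened shape of the two response paths: writeJSON corresponds to the bz write in response.go and writeMetrics to the gr.Metrics write in router.go. Both set an explicit Content-Type and X-Content-Type-Options: nosniff before writing the body. Note that encoding/json already escapes <, > and & to \u003c, \u003e and \u0026 unless SetEscapeHTML(false) is used, so a JSON body that is served with the right content type is not an HTML injection sink.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// writeJSON marshals v and writes it as JSON with headers that stop a browser from
// treating the body as HTML. Marshalling happens before any header is written so a
// failure can still be reported with a plain 500.
func writeJSON(w http.ResponseWriter, status int, v interface{}) error {
	bz, err := json.Marshal(v)
	if err != nil {
		http.Error(w, "internal server error", http.StatusInternalServerError)
		return err
	}
	h := w.Header()
	h.Set("Content-Type", "application/json; charset=utf-8")
	h.Set("X-Content-Type-Options", "nosniff")
	w.WriteHeader(status)
	_, err = w.Write(bz)
	return err
}

// writeMetrics serves a Prometheus text-format exposition body.
func writeMetrics(w http.ResponseWriter, body []byte) error {
	h := w.Header()
	h.Set("Content-Type", "text/plain; version=0.0.4; charset=utf-8")
	h.Set("X-Content-Type-Options", "nosniff")
	w.WriteHeader(http.StatusOK)
	_, err := w.Write(body)
	return err
}

func main() {
	// Constructed sample: a denom containing markup characters.
	rec := httptest.NewRecorder()
	_ = writeJSON(rec, http.StatusOK, map[string]string{"denom": "<script>alert(1)</script>"})
	fmt.Println(rec.Header().Get("Content-Type"), rec.Body.String())
}
```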

8.8 PANIC IS USED FOR ERROR HANDLING

// Informational

Description

Several instances of the panic function were identified in the codebase, used to handle errors. Invoking panic halts execution and, in some cases, crashes the process, which negatively impacts the availability of the software for users. The two samples below differ in kind. The EndBlocker panics fire during block processing, where the Cosmos SDK does not recover them, so every validator crashes at the same height and the chain halts until a fixed binary is deployed. The panic in SetHooks runs only during application wiring at startup and guards against a programmer error; this is the SDK's usual idiom and is not consensus-relevant.

Code Location

The following are just a few samples of the usage of panic.

x/leverage/abci.go, Lines 11-21

func EndBlocker(ctx sdk.Context, k keeper.Keeper) []abci.ValidatorUpdate {
    if err := k.SweepBadDebts(ctx); err != nil {
        panic(err)
    }

    if err := k.AccrueAllInterest(ctx); err != nil {
        panic(err)
    }

    return []abci.ValidatorUpdate{}
}

x/leverage/keeper/keeper.go, Lines 64-66

    if k.hooks != nil {
        panic("leverage hooks already set")
    }
Score
Impact: 1
Likelihood: 1
Recommendation

ACKNOWLEDGED: The UMEE Team acknowledged this finding.
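The following is an added example for this report, not Umee's x/leverage code, showing the alternative to panic(err) in the EndBlocker sample above. Keeper is an assumed interface for the two block-end steps; safeCall converts a panic raised deep inside a step into an error, and EndBlocker runs every step, collects the errors and returns them for the caller to log. Because all validators execute the same code on the same state, failing deterministically and continuing keeps consensus, whereas the audited panic would stop every node. The SetHooks panic is kept as-is to show the wiring-time case that does not need this treatment.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ValidatorUpdate stands in for abci.ValidatorUpdate.
type ValidatorUpdate struct{}

// Keeper models the block-end duties of the leverage keeper (assumed interface).
type Keeper interface {
	SweepBadDebts() error
	AccrueAllInterest() error
}

// safeCall runs one block-end step and turns a panic into an error, so a bug in
// keeper logic is reported instead of killing the node mid-block.
func safeCall(name string, step func() error) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("%s: recovered panic: %v", name, r)
		}
	}()
	if e := step(); e != nil {
		return fmt.Errorf("%s: %w", name, e)
	}
	return nil
}

// EndBlocker executes every step even when an earlier one fails and returns the
// collected errors. The caller logs them and the block still commits.
func EndBlocker(k Keeper) ([]ValidatorUpdate, error) {
	var msgs []string
	if err := safeCall("sweep bad debts", k.SweepBadDebts); err != nil {
		msgs = append(msgs, err.Error())
	}
	if err := safeCall("accrue interest", k.AccrueAllInterest); err != nil {
		msgs = append(msgs, err.Error())
	}
	if len(msgs) > 0 {
		return []ValidatorUpdate{}, errors.New(strings.Join(msgs, "; "))
	}
	return []ValidatorUpdate{}, nil
}

// Hooks and SetHooks reproduce the second sample. This panic runs once at app
// construction, never inside consensus, so it is a legitimate guard to keep.
type Hooks interface{}

type leverageKeeper struct{ hooks Hooks }

func (k *leverageKeeper) SetHooks(h Hooks) *leverageKeeper {
	if k.hooks != nil {
		panic("leverage hooks already set")
	}
	k.hooks = h
	return k
}

// faultyKeeper is a constructed stub: one step panics, the other returns an error.
type faultyKeeper struct{ accrued bool }

func (f *faultyKeeper) SweepBadDebts() error { panic("index out of range [3] with length 3") }

func (f *faultyKeeper) AccrueAllInterest() error {
	f.accrued = true
	return errors.New("negative interest rate")
}

func main() {
	k := &faultyKeeper{}
	upd, err := EndBlocker(k)
	fmt.Printf("updates=%d accrued=%v err=%v\n", len(upd), k.accrued, err)
}
```

Whether a failed AccrueAllInterest should be skipped or should halt is a protocol decision, but it should be taken deliberately, with an event emitted for operators, rather than left to an unrecovered panic.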

8.9 OPEN TODOs

// Informational

Description

Open To-dos can point to architecture or programming issues that still need to be resolved. Often these kinds of comments indicate areas of complexity or confusion for developers. This provides value and insight to an attacker who aims to cause damage to the protocol.

Code Location

Open Todos

./x/leverage/module.go:28:      // TODO: Ensure x/leverage implements simulator and then uncomment.
./x/leverage/keeper/interest.go:164:    // TODO: use typed events
./x/leverage/keeper/interest.go:76:             // @todo fix this when tendermint solves #8773
Score
Impact: 1
Likelihood: 1
Recommendation

ACKNOWLEDGED: The UMEE Team acknowledged this finding.

9. Automated Testing

Description

Halborn used automated testing techniques to enhance coverage of certain areas of the scoped component. Among the tools used were staticcheck, gosec, semgrep, unconvert, LGTM and Nancy. After Halborn verified all the contracts and scoped structures in the repository and was able to compile them correctly, these tools were run over the scoped structures. With these tools, Halborn can statically verify security-related issues across the entire codebase.

Semgrep - Security Analysis Output Sample

Rule Set

semgrep --config "p/dgryski.semgrep-go" x --exclude='*_test.go' --max-lines-per-finding 1000 --no-git-ignore -o dgryski.semgrep
semgrep --config "p/owasp-top-ten" x --exclude='*_test.go' --max-lines-per-finding 1000 --no-git-ignore -o owasp-top-ten.semgrep
semgrep --config "p/r2c-security-audit" x --exclude='*_test.go' --max-lines-per-finding 1000 --no-git-ignore -o r2c-security-audit.semgrep
semgrep --config "p/r2c-ci" x --exclude='*_test.go' --max-lines-per-finding 1000 --no-git-ignore -o r2c-ci.semgrep
semgrep --config "p/ci" x --exclude='*_test.go' --max-lines-per-finding 1000 --no-git-ignore -o ci.semgrep
semgrep --config "p/golang" x --exclude='*_test.go' --max-lines-per-finding 1000 --no-git-ignore -o golang.semgrep
semgrep --config "p/trailofbits" x --exclude='*_test.go' --max-lines-per-finding 1000 --no-git-ignore -o trailofbits.semgrep

Semgrep Results

[Screenshot: semgrep.png]


Gosec - Security Analysis Output Sample

[Screenshot: gosec.png]

Staticcheck - Security Analysis Output Sample

[Screenshot: staticcheck.png]

Nancy - Security Analysis Output Sample

[Screenshot: nancy.png]


Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.

© Halborn 2024. All rights reserved.