Skip to main content

Decentralized Application Code Review and Security Analysis Methodology

Release: Version 2.0


Documentā€‹

Document AttributeValue
NameBlockchain protocol and security analysis methodology
CreatorsHacken OU
SubjectAudit; security analysis; dapp; pentest; attack vectors;
DescriptionThe methodology outlined in this document offers specific guidance on how to plan and execute an audit of decentralized applications (dApps) developed by Hacken OU. This document aims to equip all relevant stakeholders with a comprehensive understanding of the auditing process, as well as the steps needed to adequately prepare for it.
ContributorLuciano Ciattaglia | Director of Services at Hacken OU
ContributorStephen Ajayi | Dapp Audit Technical Lead at Hacken.
DateNovember 2nd, 2023
RightsHacken OU

Introductionā€‹

This document describes the decentralized application code review and security analysis process developed and used by security engineers at Hacken. It uses well-known and industry-accepted core principles as its base: confidentiality, integrity, and availability. By extending the existing conventional security concepts, this methodology aims at providing the best analysis value for an application interacting with a decentralized network.

A decentralized application code review and security analysis is a secure code review and static application security testing. For more information on these aspects of the process, refer to the related sections of this document.


Code Review and Security Analysisā€‹

Requirementsā€‹

This methodology was specifically designed for reviewing applications that interact with blockchain networks. Although this methodology can be used while reviewing conventional applications, it is not recommended. The following eligibility criteria can be used to determine if an application is a good fit.

Eligibility Criteria ("any of"):ā€‹

#Criteria
1The application performs cross-chain operations.
2The application has custody over or interacts with sensitive information such as private keys, seed phrases, etc.
3The application signs and/or broadcasts transactions without relying on third-party injected/connected providers.
4The application reacts to blockchain events.
5The application indexes blockchain and the integrity is crucial.
6The application uses message signing as a means of authentication.

This methodology requires the following resources to be provided:

  • The source code with a clearly defined scope.
  • The documentation with functional requirements and technical details about the application.

Secure Code Reviewā€‹

Secure code review is a detailed analysis of the software source code by security engineers to identify potential security vulnerabilities, weaknesses, and exploitable issues.

The process involves a line-by-line examination of the code to identify security issues, which could include concerns specific to blockchain integration such as data manipulations, incorrect integrations with a blockchain platform, incorrect interpretations of network responses, and other manipulations that could be performed through interaction with a decentralized network.

In addition to the code analysis, security engineers also create a system overview that includes data flow and high-level architecture diagrams. This helps to provide a better understanding of the system and its constraints. The system overview helps identify how data flows within the application, where data is stored, and how different components interact with one another.

Static Security Analysisā€‹

Static security analysis is a crucial step in ensuring the security of an application. This testing method involves the examination of an application's source code without executing it, to identify any potential security vulnerabilities. It plays a vital role in a comprehensive security strategy by revealing hidden security flaws that could otherwise go unnoticed.

As applications continue to grow in complexity, the need for advanced and sophisticated static analysis becomes important. It is recommended to use the latest technology and tools, such as AI-powered testing and platform-specific security analysis tools. At Hacken, we employ a proprietary and confidential list of both public and private security analysis tools to conduct our reviews.

The outcome of a successful analysis is a report that outlines the discovered security vulnerabilities, as well as an assessment of the application's reliability and code quality. It serves as a valuable artifact, providing crucial insights and recommendations for improving the application's security.

Standardizationā€‹

This review aims to identify commonly known and more specific vulnerabilities. The review process may consider a wide range of potential issues, some of which are listed in the table below. Each item in the table should have one of the following statuses in the assessment report: Passed, Failed, or Not Relevant

Standardized Checked Items:

#Item
1Private keys are safely used and stored
Private keys should be encrypted, stored in a secure secret manager, and provided to the application with a secure method.
2Strong authentication via message signing
A signed authentication message should be exclusive to the application. It should have an expiration date and time-specific nonce provided by the system.
3Blockchain branching out is accounted for
The application should wait an adequate number of blocks to reduce the risk of a chain re-organization.
4Healthy integration with the blockchain nodes
4.1The application indexes blockchain and the integrity is crucial.
4.2The application uses message signing as a means of authentication.
5Blockchain data is sanitized
The application should not trust the inputs from the blockchain when they can be considered the same as user inputs.
6Secure integration with the blockchain
6.1Events are validated
The application should check the event origin, its type and structure.
6.2Proper mapping of types
Blockchain-specific types (uint256, bytes, etc.) should be mapped to the correct language-specific types without data loss.
6.3Error-proof data indexing
The application should not silently skip anything it could not process at some point in time. It should have a retry mechanism or sufficient logging.
6.4Secure integration with the smart contracts
The application should follow the smart contract specification and expect all relevant and possible outcomes.
7Dependencies are up-to-date and not vulnerable

The assessment report must adhere to the definitions provided in this methodology to ensure consistency and accuracy in the reporting of findings.

Issue Severity Definition:

SeverityDescription
CriticalThese issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm.
HighThese issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of the potential security breach.
MediumThese issues present a moderate risk to the system and cannot have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention.
LowThese issues present no risk to the system and typically relate to the code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation.
Pending FixThe issue was presented to the Customer. The remediation after the initial discovery was not yet made.
AcceptedThe issue was not fixed as a result of the remediation. The Customer was informed of the risks associated with it.
ResolvedThe issue was fixed and does not present a risk to the system.

Findingsā€‹

A secure code review and static security analysis can produce a wide range of findings, which may include but are not limited to:

  • Overconfidence in a node (or node provider)
  • Failure to account for a blockchain branching out
  • Incorrect validation of ENS records
  • Weak authentication via message signing
  • Unsafe private key storage
  • XSS/SQL injections from the blockchain data
  • Misuse of checksum addresses
  • Blockchain data inconsistency
  • Incorrect integration with a smart contract and/or blockchain network
  • Usage of wrong data types
  • Deprecated, vulnerable, or outdated Web 3 libraries

To ensure consistency and completeness, each finding resulting from a secure code review and static security analysis should include a title, description, status, severity level, associated Common Weakness Enumeration (CWE), and recommendation on how to mitigate the issue.

The weakness classification used by Hacken security engineers contains a list of standardized issues that may be identified during the secure code review process. While some of these issues may have a higher severity level than what is currently considered industry norms, security engineers at Hacken believe this approach helps to promote good security practices and ensure a healthy Web 3 ecosystem.


Assessment Reportā€‹

This is a document that contains all the findings from the application code review and security analysis. Its content should include the following:

  • The assessment scope, conditions, assumptions, limitations, and other relevant information.
  • A list of issues and vulnerabilities found during the review with recommendations on how to address them.
  • An overview of the system created by the security engineers.

Limitationsā€‹

While this methodology is designed to identify specific risks and vulnerabilities in the application through a thorough code review and security analysis, it is important to note that it does not make any statements or warranties regarding the overall security of the application.

To ensure the security of a decentralized application, it is strongly recommended to not rely solely on this methodology. We advise conducting several independent audits and implementing a public bug bounty program to further identify and address potential security issues.