Skip to content

Commit

Permalink
Add layer2 audit solution
Browse files Browse the repository at this point in the history
  • Loading branch information
@ohJohanZ
ohJohanZ committed Jul 5, 2024
1 parent 5eb98c7 commit 40a717d
Show file tree
Hide file tree
Showing 2 changed files with 212 additions and 35 deletions.
96 changes: 61 additions & 35 deletions README.md
View file
Original file line number Diff line number Diff line change
@@ -1,8 +1,9 @@
# Blockchain-Based Cryptocurrency Security Audit Guide

[![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/slowmist_team.svg?style=social&label=Follow%20%40SlowMist_Team)](https://twitter.com/slowmist_team)
[中文版本](./README_CN.md)

## Cryptocurrency Threat Modeling
## 1. Cryptocurrency Threat Modeling

SlowMist uses multiple models to identify cryptocurrency threats.

Expand All @@ -14,7 +15,7 @@ ABC's key innovation is the use of collusion matrices. A collusion matrix forces

STRIDE is often used in relation to assessing threats against applications or operating systems. However, it can also be used in other contexts as well. STRIDE is an acronym standing for the following: Spoofing/Tampering/Repudiation/Information disclosure/Denial of service (DoS)/Elevation of privilege.

## Testing Method
## 2. Testing Method
The testing methods are as follows:

| Test Method | Description |
Expand All @@ -25,7 +26,7 @@ The testing methods are as follows:

In black-box testing and gray-box testing, we use fuzz testing, script testing and other methods to test the robustness of interfaces or components by feeding random data or constructing data with a specific structure, and to mine some boundaries. Abnormal behavior of the system under conditions such as bugs or abnormal performance. In the white-box test, we analyze the object definition and logic implementation of the code through methods such as code review, combined with the relevant experience accumulated by the security team on known blockchain security vulnerabilities, to ensure that the key logic and key components in the code are correct. Achieve no known vulnerabilities; at the same time, enter the vulnerability mining mode for new scenarios and new technologies, and find possible 0day errors.

## Vulnerability Severity
## 3. Vulnerability Severity
The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base group represents the intrinsic qualities of a vulnerability that are constant over time and across user environments, the Temporal group reflects the characteristics of a vulnerability that change over time, and the Environmental group represents the characteristics of a vulnerability that are unique to a user's environment. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics. A CVSS score is also represented as a vector string, a compressed textual representation of the values used to derive the score.

According to the CVSS method, SlowMist team develops the blockchain vulnerability severity level, they are as follows:
Expand All @@ -38,48 +39,73 @@ According to the CVSS method, SlowMist team develops the blockchain vulnerabilit
| Low | Low severity vulnerabilities may affect the operation of the blockchain project in certain scenarios. It is suggested that the project party should evaluate and consider whether these vulnerabilities need to be fixed. |
| Weakness | There are safety risks theoretically, but it is extremely difficult to reproduce in engineering. |
| Suggestion | There are better practices for coding or architecture. |
| Infomation | Some features that align with the project design intentions but may lead to user asset loss. |

## Blockchain Mainnet Security Audit

The SlowMist team adopts the strategy of "**Black-box + Gray-box**" to conduct a complete security test on the project in the way closest to the real attack.
## 4. Blockchain Mainnet Security Audit

The SlowMist team's [Blockchain Threat Intelligence](https://bti.slowmist.com/) system continuously tracks ongoing security incidents and applies threat intelligence to its security audit services.

The SlowMist team check all vulnerabilities listing in [SlowMist: Blockchain Common Vulnerability List](./Blockchain-Common-Vulnerability-List.md) (30+ items)
The SlowMist team analyzes and studies publicly known blockchain security vulnerabilities and has compiled a [Blockchain Common Vulnerability List](./Blockchain-Common-Vulnerability-List.md).

## Cryptocurrency Exchange Listing Security Audit
## 5. Cryptocurrency Exchange Listing Security Audit

The SlowMist team adopts the strategy of "**Black-box + Gray-box**" to conduct a complete security test on the project in the way closest to the real attack.

The SlowMist team examines the most concerned vulnerabilities of exchanges, they are as follows:

- Private key prediction
[Detail](./Blockchain-Common-Vulnerability-List.md#private-key-prediction)

- Rug pull attack
[Detail](./Blockchain-Common-Vulnerability-List.md#rug-pull-attack)

- Insecure encryption library
[Detail](./Blockchain-Common-Vulnerability-List.md#cryptographic-attacks)

- Transaction malleability attack
[Detail](./Blockchain-Common-Vulnerability-List.md#transaction-malleability-attack)

- Transaction replay attack
[Detail](./Blockchain-Common-Vulnerability-List.md#transaction-replay-attack)

- False top-up attack
[Detail](./Blockchain-Common-Vulnerability-List.md#false-top-up-attack)

- RPC theft
[Detail](./Blockchain-Common-Vulnerability-List.md#the-ethereum-black-valentines-day-vulnerability)

## Code-based Testing Audit
- Insufficient entropy of private key random numbers
- Precision loss in private key seed conversion
- Theoretical reliability assessment of symmetric encryption algorithms
- Supply chain security of symmetric crypto algorithm reference libraries
- Keystore encryption strength detection
- Hash algorithm length extension attack
- Theoretical reliability assessment of hash algorithms
- Theoretical reliability assessment of signature algorithms
- secp256k1 k-value randomness security
- secp256k1 r-value reuse private key extraction attack
- ECC signature malleability attack
- ed25519 private key extraction attack
- Schnorr private key extraction attack
- ECC twist attack
- Merkle-tree Malleability attack (CVE-2012-2459)
- Native characteristic false recharge
- Contract call-based false recharge
- Native chain transaction replay attack
- Cross-chain transaction replay attack
- Transaction lock attack
- Transaction fees not dynamically adjusted
- RPC remote key theft attack
- RPC port identifiability
- RPC open cross-domain vulnerability to local phishing attacks
- JsonRPC malformed packet denial-of-service attack
- RPC database injection
- RPC communication encryption
- Excessive administrator privileges
- Non-privacy/Non-dark Coin Audit
- Insufficient number of core nodes
- Excessive concentration of core node physical locations
- P2P node maximum connection limit
- P2P node independent IP connection limit
- P2P inbound/outbound connection limit
- P2P shapeshift attack
- P2P communication encryption
- P2P port identifiability
- Consensus algorithm potential risk assessment
- Block time offset attack
- Miner grinding attack
- PoS/BFT final confirmation conditions
- PoS/BFT double-signing penalty
- PoS/BFT block refusal penalty

## 6. Code-based Testing Audit

The SlowMist team adopts the strategy of "**White-box**" to conduct a complete security test on the project.

### Static Source Code Analysis (SAST)
### 6.1 Static Source Code Analysis (SAST)
The SlowMist team checks code quality using open source or commercial code scanners, we support all popular languages, such as **C/C++/Golang/Rust/Java/Nodejs/C#**

### Manual Code Review
### 6.2 Manual Code Review

The SlowMist team manually checks the code line by line, looking for common coding pitfalls as follows:

Expand All @@ -91,7 +117,7 @@ The SlowMist team manually checks the code line by line, looking for common codi
- Boundary check
- Unit test coverage

## Application Chain Security Audit
## 7. Application Chain Security Audit

The SlowMist team adopts the strategy of "**White-box**" to conduct a complete security test on the project, looking for common coding pitfalls as follows:

Expand All @@ -110,13 +136,13 @@ Currently we support:
2. Substrate Framework Based Blockchain Audit


## Blockchain Application Audit
### Smart Contract Security Audit
## 8. Blockchain Application Audit
### 8.1 Smart Contract Security Audit
1. [Ethereum(Solidity) Smart Contract Security Audit](https://www.slowmist.com/en/service-smart-contract-security-audit.html)
2. [EOS(C++) Smart Contract Security Best Practices](https://github.com/slowmist/eos-smart-contract-security-best-practices)
3. [Solana(Rust) Smart Contract Security Best Practices](https://github.com/slowmist/solana-smart-contract-security-best-practices)

### Other Application
### 8.2 Other Application
1. Zero-Knowledge Circuit Security Audit
2. Interchain Bridge Application Security Audit
3. Browser Plugin Wallet Security Audit
Expand Down
151 changes: 151 additions & 0 deletions README_CN.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,151 @@
# 基于区块链的加密货币安全审计指南

[![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/slowmist_team.svg?style=social&label=Follow%20%40SlowMist_Team)](https://twitter.com/slowmist_team)
[English Version](./README.md)

## 1. 加密货币威胁建模

SlowMist 使用多种模型来识别加密货币威胁。

**[ABC](https://arxiv.org/abs/1903.03422)** (基于资产的加密货币威胁建模框架):

ABC 的关键创新在于使用共谋矩阵。共谋矩阵迫使威胁模型覆盖大范围的威胁案例,同时管理这一过程以防止其过于复杂。此外,ABC 推导出系统特定的威胁类别,考虑到加密货币引入的金融方面和新资产类型。

**STRIDE** 威胁模型:

STRIDE 通常用于评估应用程序或操作系统的威胁。然而,它也可以在其他上下文中使用。STRIDE 是以下英文单词的首字母缩写:Spoofing(伪装)/Tampering(篡改)/Repudiation(抵赖)/Information disclosure(信息泄露)/Denial of service(DoS,拒绝服务)/Elevation of privilege(权限提升)。

## 2. 测试方法
测试方法如下:

| 测试方法 | 描述 |
| :---: | --- |
| 黑盒测试 | 黑盒测试从用户角度检查程序,通过提供多种输入场景并检查输出。黑盒测试人员没有内部代码的访问权限。系统交付前进行的最终验收测试是黑盒测试的一个常见例子。 |
| 灰盒测试 | 灰盒测试结合了两种方法,在软件验证中很受欢迎。在这种方法中,测试人员从用户角度检查软件,分析输入和输出。他们还可以访问源代码,并利用它来帮助设计测试。然而,他们在测试期间不会分析程序的内部工作。 |
| 白盒测试 | 白盒测试检查程序的内部逻辑结构,逐行分析代码,查找潜在错误。 |

在黑盒测试和灰盒测试中,我们使用模糊测试、脚本测试等方法,通过提供随机数据或构建特定结构的数据来测试接口或组件的鲁棒性,挖掘一些边界条件下的系统异常行为,如 bug 或性能异常。在白盒测试中,我们通过代码审查等方法分析代码的对象定义和逻辑实现,结合安全团队在已知区块链安全漏洞上的相关经验,确保代码中的关键逻辑和关键组件没有已知漏洞;同时,进入新场景和新技术的漏洞挖掘模式,发现可能的 0day 错误。

## 3. 漏洞严重性
通用漏洞评分系统(CVSS)是一个用于传达软件漏洞特征和严重性的开放框架。CVSS 由三个指标组组成:基础、时间和环境。基础组代表漏洞的内在质量,这些质量在时间和用户环境中是恒定的;时间组反映漏洞随时间变化的特征;环境组代表用户环境中独特的漏洞特征。基础指标生成的分数范围为 0 到 10,然后可以通过对时间和环境指标评分进行修改。CVSS 分数还表示为矢量字符串,矢量字符串是用于导出分数的值的压缩文本表示。

根据 CVSS 方法,SlowMist 团队开发了区块链漏洞严重性级别,如下所示:

| 级别 | 描述 |
| :---: | --- |
| 严重 | 严重级别漏洞将对区块链项目的安全产生重大影响,强烈建议修复严重漏洞。 |
|| 高级别漏洞将影响区块链项目的正常运行,强烈建议修复高风险漏洞。 |
|| 中级别漏洞将影响区块链项目的运行,建议修复中风险漏洞。 |
|| 低级别漏洞可能在某些场景下影响区块链项目的运行,建议项目方评估并考虑是否需要修复这些漏洞。 |
| 弱点 | 理论上存在安全风险,但在工程上极难重现。 |
| 建议 | 有更好的编码或架构实践。 |
| 信息 | 一些符合项目设计意图,但可能会导致用户资产损失的特性。 |

## 4. 公链安全研究

SlowMist 团队的 [区块链威胁情报](https://bti.slowmist.com/) 系统持续追踪正在发生的安全事件,并将威胁情报应用于安全审计服务中。

SlowMist 团队对公开已知的区块链安全漏洞进行分析研究,汇编整理出了[区块链常见漏洞列表](./Blockchain-Common-Vulnerability-List.md)


## 5. 区块链主网及Layer2项目安全审计

SlowMist 团队采用“**黑盒 + 灰盒**”策略,以最接近真实攻击的方式对项目进行全面的安全测试。

SlowMist 团队检查交易所最关注的漏洞,包括:

- 私钥随机数熵不足
- 私钥种子转换精度损失
- 对称加密算法的理论可靠性评估
- 对称加密算法依赖库的供应链安全
- 密钥库加密强度检测
- 哈希算法长度扩展攻击
- 哈希算法的理论可靠性评估
- 签名算法的理论可靠性评估
- secp256k1 k 值随机性安全
- secp256k1 r 值重用私钥提取攻击
- ECC 签名的可塑性攻击
- ed25519 私钥提取攻击
- Schnorr 私钥提取攻击
- ECC 曲线攻击
- Merkle树可塑性攻击(CVE-2012-2459)
- 原生特性虚假充值
- 基于合约调用的虚假充值
- 原生链交易重放攻击
- 跨链交易重放攻击
- 交易锁定攻击
- 交易费用未动态调整
- RPC 远程密钥盗窃攻击
- RPC 端口可识别性
- RPC 开放跨域漏洞导致本地钓鱼攻击
- JsonRPC 畸形包拒绝服务攻击
- RPC 数据库注入
- RPC 通信加密
- 过度的管理员权限
- 非隐私/非暗币审计
- 核心节点数量不足
- 核心节点物理位置过度集中
- P2P 节点最大连接数限制
- P2P 节点独立IP连接限制
- P2P 入站/出站连接限制
- P2P 变形攻击
- P2P 通信加密
- P2P 端口可识别性
- 共识算法潜在风险评估
- 区块时间偏移攻击
- 矿工磨矿攻击
- PoS/BFT 最终确认条件
- PoS/BFT 双重签名惩罚
- PoS/BFT 区块拒绝惩罚


## 6. 源代码安全审计

SlowMist 团队采用“**白盒**”策略,对项目进行全面的安全测试。

### 6.1 静态源代码分析

SlowMist 团队使用开源或商业代码扫描工具、AI检查代码质量,我们支持所有流行语言,如 **C/C++/Golang/Rust/Java/Nodejs/C#**

### 6.2 手动代码审查

SlowMist 团队逐行检查代码,寻找常见的编码陷阱,如:

- 状态一致性
- 失败回滚
- 数值溢出
- 参数验证
- 错误处理
- 边界检查
- 单元测试覆盖率
- 逻辑安全

## 7. 应用链安全审计

SlowMist 团队采用“**白盒**”策略,对项目进行全面的安全测试,寻找常见的编码陷阱,如:

- 重放漏洞
- 重新排序漏洞
- 竞态条件漏洞
- 权限控制漏洞
- 块数据依赖漏洞
- 函数显式可见性
- 算术精度偏差漏洞
- 恶意事件日志
- 异步调用安全

目前我们支持:
1. 基于 Cosmos-SDK 框架的区块链审计
2. 基于 Substrate 框架的区块链审计

## 8. 区块链应用审计
### 8.1 智能合约安全审计
1. [Ethereum(Solidity) 智能合约安全审计](https://www.slowmist.com/en/service-smart-contract-security-audit.html)
2. [EOS(C++) 智能合约安全最佳实践](https://github.com/slowmist/eos-smart-contract-security-best-practices)
3. [Solana(Rust) 智能合约安全最佳实践](https://github.com/slowmist/solana-smart-contract-security-best-practices)

### 8.2 其他应用
1. 零知识电路安全审计
2. 跨链桥应用安全审计
3. 浏览器插件钱包安全审计
4. 交易所安全审计

0 comments on commit 40a717d

Please sign in to comment.