Upgrade to Public Blockchain Security Audit Guide

As blockchain technology becomes more widespread, more users are conducting transactions on Layer1. This has led to noticeable issues such as slower transaction speeds and higher transaction fees on Layer1. In response, Layer2 has emerged as a solution to enhance the scalability and performance of blockchain platforms without compromising the security and decentralization characteristics of Layer1.

Over the years, the Veritas Protocol security team has accumulated extensive experience in mainnet security audits and advanced vulnerability detection techniques. We have openly shared our mainnet security audit methods with the industry, aiming to collaboratively build a safer blockchain ecosystem.

Security is an ongoing process, and audit methodologies must evolve to meet the industry's needs. Our security team continuously monitors industry trends, identifies prevalent security issues within the blockchain ecosystem, and understands user security requirements. This knowledge forms the basis for developing and optimizing security audit schemes. Recently, the Veritas Protocol security team has updated the public blockchain security audit guide to reflect current developments in Layer1 and Layer2. The specific details of the updated security audit scheme are as follows:

Scheme 1: Mainnet & layer2 project security audits

In the Mainnet & Layer2 project security audit, the Veritas Protocol security team employs a "black box + gray box" strategy to conduct rapid security testing in a manner that closely simulates real attacks. The vulnerabilities we check include:

  • Insufficient entropy of private key random numbers

  • Precision loss in private key seed conversion

  • Theoretical reliability assessment of symmetric encryption algorithms

  • Supply chain security of symmetric crypto algorithm reference libraries

  • Keystore encryption strength detection

  • Hash algorithm length extension attack

  • Theoretical reliability assessment of hash algorithms

  • Theoretical reliability assessment of signature algorithms

  • secp256k1 k-value randomness security

  • secp256k1 r-value reuse private key extraction attack

  • ECC signature malleability attack

  • ed25519 private key extraction attack

  • Schnorr private key extraction attack

  • ECC twist attack

  • Merkle-tree Malleability attack (CVE-2012–2459)

  • Native characteristic false recharge

  • Contract call-based false recharge

  • Native chain transaction replay attack

  • Cross-chain transaction replay attack

  • Transaction lock attack

  • Transaction fees not dynamically adjusted

  • RPC remote key theft attack

  • RPC port identifiability

  • RPC open cross-domain vulnerability to local phishing attacks

  • JsonRPC malformed packet denial-of-service attack

  • RPC database injection

  • RPC communication encryption

  • Excessive administrator privileges

  • Non-privacy/Non-dark Coin Audit

  • Insufficient number of core nodes

  • Excessive concentration of core node physical locations

  • P2P node maximum connection limit

  • P2P node independent IP connection limit

  • P2P inbound/outbound connection limit

  • P2P shapeshift attack

  • P2P communication encryption

  • P2P port identifiability

  • Consensus algorithm potential risk assessment

  • Block time offset attack

  • Miner grinding attack

  • PoS/BFT double-signing penalty

Scheme 2: Code-based Testing Audit

The source code security audit adopts a "white box" strategy, conducting the most comprehensive security testing on the project's relevant source code. White box auditing typically combines automated static code analysis with manual analysis.

Static Source Code Analysis

The Veritas Protocol team utilizes open-source or commercial code scanning tools for static code analysis and manually examines the identified issues. We support all popular languages, including C/C++/Golang/Rust/Java/Nodejs/C#.

The static coding issues checked by the Veritas Protocol team include:

  • Unused Variables or Imports

  • Code Formatting Issues

  • Improper Resource Closure

  • Magic Numbers

  • Potential Security Vulnerabilities

  • Integer Overflow

  • Floating-Point Precision Issues

  • Deadlocks

  • Race Conditions

  • Memory Leaks

  • Infinite Recursion

  • String Formatting Vulnerabilities

  • Divide-by-Zero Errors

  • Null Pointer Dereferencing

  • Buffer Overflow

  • Type Conversion Errors

  • Hard-Coded Keys or Sensitive Information

  • High Code Complexity

  • Code Duplication

  • Inconsistent Naming

  • Insufficient or Outdated Comments

  • High Coupling

  • Low Cohesion

  • Improper Exception Handling

  • Hard-Coding

  • Inconsistent Code Formatting

  • Performance Issues

  • Poor Testability

  • Violation of Design Principles

  • Poor Readability

  • Insecure Random Number Generation

  • Time and State Issues

  • Path Traversal

  • Outdated Dependencies

Manual Code Review

The Veritas Protocol team performs a line-by-line code review to identify coding flaws and logical errors. The vulnerabilities we focus on mainly include:

  • Cryptographic signature security

  • Account and transaction security

  • RPC security

  • P2P security

  • Consensus security

  • Business logic security

Scheme 3: Application Chain Security Audit

The Veritas Protocol team adopts the strategy of "White-box" to conduct a complete security test on the project, looking for common coding pitfalls as follows:

  • Replay Vulnerability

  • Reordering Vulnerability

  • Race Conditions Vulnerability

  • Authority Control Vulnerability

  • Block data Dependence Vulnerability

  • Explicit Visibility of Functions

  • Arithmetic Accuracy Deviation Vulnerability

  • Malicious Event Log

  • Asynchronous Call Security

Currently we support:

  • Cosmos-SDK Framework Based Blockchain Audit

  • Substrate Framework Based Blockchain Audit

PreviousSecurity Audit Checklist for Account Abstraction WalletsNextSecurity Guide for Securing X (Twitter) Account

Last updated