Halborn, a security engineering team, has completed a security audit of Neon’s Governance Programs. The audit began on April 27, 2022 and ended on May 8, 2022. This security audit was conducted in addition to Ackee Blockchain’s audit, which was completed on July 22, 2022.
安全工程团队 Halborn 已完成对 Neon 治理计划的安全审计。审计于 2022 年 4 月 27 日开始,于 2022 年 5 月 8 日结束。本次安全审计是 Ackee Blockchain 审计 的附属,于 2022 年 7 月 22 日完成。
A final report was delivered to the Neon Labs team at the end of the audit process. In this article, we’ll go over the scope, goals, process, and significant findings of the Halborn security audit as documented in the final audit report.
最终的报告 已在审核流程结束时交付给 Neon Labs 团队。在本文中,我们将介绍最终审计报告中记录的 Halborn 安全审计的范围、目标、流程和重要发现。
安全审计的范围 (Scope of the Security Audit)
The security assessment was scoped to two Solana programs: the spl-governance-addin-fixed-weights contract and the spl-governance-addin-vesting contract. The specific commit audited was c0c3732cf0aa0b90527f54a0068367d8d03af748 of the nonlabsorg/neon-spl-governance repository. These programs are related to Neon project governance and rely on SPL-Governance and various other Solana libraries to deliver a custom governance process for participants in the Neon ecosystem.
安全评估的范围是两个 Solana 计划:spl-governance-addin-fixed-weights contract 和 spl-governance-addin-vesting contract。审核的具体提交是 c0c3732cf0aa0b90527f54a0068367d8d03af748 的 nonlabsorg/neon-splon-governance 存储库。这些程序与 Neon 项目治理相关,并依靠 SPL-Governance 和各种其他 Solana 库为 Neon 生态系统的参与者提供自定义治理流程。
External libraries and finance-related attacks were out-of-scope for the Halborn audit.
外部库和与财务相关的攻击超出了 Halborn 审计的范围。
安全审计的目的和目标 (Purpose and Goals of the Security Audit)
Neon Labs continuously emphasizes the importance of high security standards. This is why the team decided to work with Halborn, as well as Ackee Blockchain, to review Neon’s Governance contracts. The security audits were conducted to ensure that the in-scope Solana programs were functioning properly and identify potential security vulnerabilities.
Neon Labs 不断强调高安全标准的重要性。这就是团队决定与 Halborn 以及 Ackee Blockchain 合作审查 Neon治理合约的原因。进行安全审计来确保范围内的 Solana 程序正常运行并识别潜在的安全漏洞。
安全审计过程 (The Security Audit Process)
Halborn used a combination of manual code review and automated security testing to deliver an accurate auditing service while keeping efficiency, timeliness and practicality in mind. Manual testing is primarily used to uncover flaws in logic, process, and implementation. To supplement manual testing, automated testing techniques help to improve program coverage and quickly identify items that do not adhere to security best practices.
Halborn 结合使用手动代码审查和自动安全测试来提供准确的审计服务,同时j坚持效率、及时性和实用性。手动测试主要用于发现逻辑、流程和实施中的缺陷。为了补充手动测试,自动化测试技术有助于提高程序覆盖率并快速识别不符合最佳安全实践的项目。
The audit procedure and associated tools are as follows:
审计程序和相关工具如下:
-
Research the architecture, purpose, and use of the Neon platform.
研究Neon平台的架构、目的和用途。 -
Review and walkthrough the Solana program manual code review to identify logic issues.
审查和演练 Solana 程序手动代码审查来确定逻辑问题。 -
Thoroughly assess the safety and usage of critical in-scope Rust variables and functions that could lead to arithmetic vulnerabilities.
彻底评估可能导致算术漏洞的关键范围 Rust 变量和函数的安全性和使用情况。 -
Find unsafe Rust code usage with the cargo-geiger security tool, which lists statistics related to the use of unsafe Rust code present in a Rust codebase and its dependencies.
使用 cargo-geiger 安全工具查找不安全的 Rust 代码使用情况,该工具列出了与使用 Rust 代码库中存在不安全的 Rust 代码及其依赖项相关的统计信息。 -
Scan dependencies for known vulnerabilities with the cargo audit tool, which scans for vulnerabilities reported to the RustSec Advisory Database. The RustSec Advisory Database stores all vulnerabilities published in https://crates.io.
使用 cargo audit 工具扫描依赖关系中的已知漏洞,该工具会扫描报告给 RustSec 咨询数据库的漏洞。 RustSec 咨询数据库在 https://crates.io. 中存储发布的所有漏洞 -
Deploy the local cluster (solana-test-validator).
部署本地集群(solana-test-validator)。 -
Scan for common Solana vulnerabilities using soteria, a security analysis service for Solana programs that assists with the detection of well-known security issues.
使用 soteria 扫描常见的 Solana 漏洞,这是一种针对 Solana 程序的安全分析服务,可帮助检测众所周知的安全问题。
Neon EVM 安全审计的结果 (Outcome of the Neon EVM Security Audit)
Halborn ranks vulnerabilities or issues by calculating the likelihood of a security incident and the impact if an incident occurs. The likelihood and impact ratings are then ingested into a scoring framework to determine a risk’s severity level (informational, low, medium, high, and critical). The framework is useful for communicating the characteristics and consequences of technological vulnerabilities. The quantitative model ensures consistent and accurate measurement while also allowing users to see the underlying vulnerability characteristics considered when prioritizing risks.
Halborn 通过计算安全事件的 likelihood 和事件发生时的 impact 来对漏洞或问题进行排名。然后将可能性和影响评级纳入评分框架,以确定风险的严重程度(信息、低、中、高和严重)。该框架对于传达技术漏洞的特征和后果很有用。定量模型确保了一致和准确的测量,同时还允许用户在判定风险时查看考虑的对应对应风险特征。
As an output to the security audit, Halborn identified two main risks: (HAL-01) Cargo Overflow Checks Missing and (HAL-02) Outdated Dependencies Version. Both risks have now been addressed by the Neon Labs team. Additional details can be found below.
作为安全审计的输出,Halborn 确定了两个主要风险:(HAL-01) Cargo Overflow Checks Missing 和 (HAL-02) Outdated Dependencies Version. 这两个风险现已由Neon Lab团队解决。可以在下面找到更多详细信息。
Cargo溢出检查缺失 (HAL-01)-Cargo Overflow Checks Missing (HAL-01)
It was observed that there is no overflow-checks=true in any Cargo.toml file. By default, overflow checks are disabled in optimized release builds. Therefore, if there is an overflow in the release build, it will pass silently, causing unexpected behavior of an application. Even when checked arithmetic is used (checked_*), it is still recommended to have those checks in Cargo.toml.
观察到在任何 Cargo.toml 文件中都没有 overflow-checks=true。默认情况下,溢出检查在优化的发布版本中被禁用。因此,如果发布构建中出现溢出,它将默默通过,从而导致应用程序出现意外行为。即使使用检查算法(checked_*),仍然建议在 Cargo.toml 中进行检查。
The finding was rated as low-risk and has since been addressed. The Neon Labs team fixed the issue by adding overflows-check=true in the workspace Cargo.toml file in commit 5425078d1c45c62f92b5bb90492bbaeac751ec7b.
该发现被评为低风险,并已得到解决。 Neon Labs 团队通过提交 5425078d1c45c62f92b5bb90492bbaeac751ec7b 向工作区的Cargo.toml 文件中添加 overflows-check=true 解决了这个问题。
过时的依赖版本 (HAL-02)-Outdated Dependencies Version (HAL-02)
Software is continuously updated for various reasons. Drivers introduce updates including adding new features, removing old features, and patching bugs and vulnerabilities. The Halborn team detected that the versions of spl-governance-addin-vesting and spl-governance-addin-fixed-wights packages assessed referenced outdated versions of solana-program and spl-token, which could cause logic flows to malfunction.
由于各种原因,软件不断更新。驱动程序引入更新,包括添加新功能、删除旧功能以及修补错误和漏洞。 Halborn 团队检测到 spl-governance-addin-vesting 和 spl-governance-addin-fixed-wights 软件包的版本,评估了引用的 solana-program 和 spl-token 的过时版本,这可能导致逻辑流程出现故障。
The finding was rated as an informational risk and has since been addressed. The Neon Labs team fixed the issue by updating solana-program and spl-token to their latest versions in commit 5425078d1c45c62f92b5bb90492bbaeac751ec7b.
该发现被评为信息风险(知会级别),并已得到解决。 Neon Labs 团队通过提交 5425078d1c45c62f92b5bb90492bbaeac751ec7b 将 solana-program 和 spl-token 更新到最新版本来解决此问题。
结论 (Conclusion)
Thank you for taking the time to review the outcome of the Halborn security audit. If you have any questions about the security audit or the associated findings, don’t hesitate to reach out. You can contact the team via Discord. Lastly, stay connected with the team on Twitter, GitHub, YouTube, and Medium for more development updates and announcements.
感谢您抽出宝贵时间查看 Halborn 安全审计的结果。如果您对安全审计或相关调查结果有任何疑问,请随时与我们联系。您可以通过 Discord 联系团队。最后,在 Twitter、GitHub、YouTube 和 Medium上与团队保持联系,了解更多开发更新和公告。