Prepared by:
HALBORN
Last Updated Unknown date
Date of Engagement: September 2nd, 2024 - September 20th, 2024
100% of all REPORTED Findings have been addressed
All findings
31
Critical
3
High
1
Medium
5
Low
5
Informational
17
Concrete engaged our security analysis team to conduct a comprehensive security audit of their smart contract ecosystem. The primary aim was to meticulously assess the security architecture of the smart contracts to pinpoint vulnerabilities, evaluate existing security protocols, and offer actionable insights to bolster security and operational efficacy of their smart contract framework. Our assessment was strictly confined to the smart contracts provided, ensuring a focused and exhaustive analysis of their security features.
Our engagement with Blueprint spanned a 3-week period, during which we dedicated one full-time security engineer equipped with extensive experience in blockchain security, advanced penetration testing capabilities, and profound knowledge of various blockchain protocols. The objectives of this assessment were to:
- Verify the correct functionality of smart contract operations.
- Identify potential security vulnerabilities within the smart contracts.
- Provide recommendations to enhance the security and efficiency of the smart contracts.
In summary, Halborn identified several security concerns that were mostly addressed by the Concrete team.
Our testing strategy employed a blend of manual and automated techniques to ensure a thorough evaluation. While manual testing was pivotal for uncovering logical and implementation flaws, automated testing offered broad code coverage and rapid identification of common vulnerabilities. The testing process included:
- A detailed examination of the smart contracts' architecture and intended functionality.
- Comprehensive manual code reviews and walkthroughs.
- Functional and connectivity analysis utilizing tools like Solgraph.
- Customized script-based manual testing and testnet deployment using Foundry.
This executive summary encapsulates the pivotal findings and recommendations from our security assessment of Blueprint smart contract ecosystem. By addressing the identified issues and implementing the recommended fixes, Blueprint can significantly boost the security, reliability, and trustworthiness of its smart contract platform.
| EXPLOITABILITY METRIC () | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
| Attack Origin (AO) | Arbitrary (AO:A) Specific (AO:S) | 1 0.2 |
| Attack Cost (AC) | Low (AC:L) Medium (AC:M) High (AC:H) | 1 0.67 0.33 |
| Attack Complexity (AX) | Low (AX:L) Medium (AX:M) High (AX:H) | 1 0.67 0.33 |
| IMPACT METRIC () | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
| Confidentiality (C) | None (C:N) Low (C:L) Medium (C:M) High (C:H) Critical (C:C) | 0 0.25 0.5 0.75 1 |
| Integrity (I) | None (I:N) Low (I:L) Medium (I:M) High (I:H) Critical (I:C) | 0 0.25 0.5 0.75 1 |
| Availability (A) | None (A:N) Low (A:L) Medium (A:M) High (A:H) Critical (A:C) | 0 0.25 0.5 0.75 1 |
| Deposit (D) | None (D:N) Low (D:L) Medium (D:M) High (D:H) Critical (D:C) | 0 0.25 0.5 0.75 1 |
| Yield (Y) | None (Y:N) Low (Y:L) Medium (Y:M) High (Y:H) Critical (Y:C) | 0 0.25 0.5 0.75 1 |
| SEVERITY COEFFICIENT () | COEFFICIENT VALUE | NUMERICAL VALUE |
|---|---|---|
| Reversibility () | None (R:N) Partial (R:P) Full (R:F) | 1 0.5 0.25 |
| Scope () | Changed (S:C) Unchanged (S:U) | 1.25 1 |
| Severity | Score Value Range |
|---|---|
| Critical | 9 - 10 |
| High | 7 - 8.9 |
| Medium | 4.5 - 6.9 |
| Low | 2 - 4.4 |
| Informational | 0 - 1.9 |
Critical
3
High
1
Medium
5
Low
5
Informational
17
| Security analysis | Risk level | Remediation Date |
|---|---|---|
| Incorrect Balance Updates in ERC721Logic and Internals | Critical | Solved - 09/26/2024 |
| Lack of Access Control in Pong handlers | Critical | Solved - 09/19/2024 |
| Missing Access Control in Policy termination blueprint | Critical | Solved - 09/19/2024 |
| Incorrect Namespace Used On Boolean Commit | High | Solved - 09/19/2024 |
| Missing Validation for Loan Owner | Medium | Risk Accepted |
| Lack of Validation for AccessControlManager Contract in ConcreteStorage | Medium | Solved - 09/19/2024 |
| Missing Check for Response Handler Address | Medium | Solved - 09/19/2024 |
| Missing Handling of DELETE and INCREMENT | Medium | Risk Accepted |
| Missing operations in config and registry pong handlers. | Medium | Solved - 09/19/2024 |
| Missing Name Initialization in ERC721Logic Constructor | Low | Solved - 09/19/2024 |
| Non-Atomic packet ID May Result in Collisions | Low | Not Applicable |
| Missing Underflow Handling | Low | Risk Accepted |
| Single step ownership transfer process | Low | Risk Accepted |
| Missing Validation for Consistent chainId and eid | Low | Risk Accepted |
| Lack of Configurability in MultiSigWallet | Informational | Acknowledged |
| Missing Use of Internal ERC721 Functions | Informational | Solved - 09/19/2024 |
| Unused Config Pong Handler | Informational | Solved - 09/19/2024 |
| Use of Hardcoded Values Instead of Enums | Informational | Solved - 09/26/2024 |
| Inefficient Role Checking | Informational | Solved - 09/19/2024 |
| Unnecessary immutable namespace variable | Informational | Solved - 09/26/2024 |
| Hardcoded Value Instead of Enum | Informational | Solved - 09/19/2024 |
| Lack of Distinction Between DELETE and Setting Value to 0 | Informational | Acknowledged |
| Entropy Reduction May Lead to Collisions | Informational | Acknowledged |
| Potential Hash Collisions in Namespace Constants Due to 4-Byte Limitation | Informational | Acknowledged |
| Unused Function in ConfigManager | Informational | Solved - 09/19/2024 |
| Unused Functions in RegistryManager | Informational | Solved - 09/19/2024 |
| Empty Packet Gap | Informational | Not Applicable |
| Redundant onlyRole Modifier | Informational | Solved - 09/19/2024 |
| Inefficient Placement of amountSupply check | Informational | Solved - 09/19/2024 |
| Lack of Events for State Changes | Informational | Acknowledged |
| Ownership Assumptions | Informational | Acknowledged |
//Critical
//Critical
//Critical
//High
//Medium
//Medium
//Medium
//Medium
//Medium
//Low
//Low
//Low
//Low
//Low
//Informational
//Informational
//Informational
//Informational
//Informational
//Informational
//Informational
//Informational
//Informational
//Informational
//Informational
//Informational
//Informational
//Informational
//Informational
//Informational
//Informational
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
// Download the full report
HUB v1
* Use Google Chrome for best results
** Check "Background Graphics" in the print settings if needed
