Prepared by:
HALBORN
Last Updated Unknown date
Date of Engagement: May 6th, 2024 - May 17th, 2024
Summary
100% of all REPORTED Findings have been addressed
All findings
7
Critical
0
High
1
Medium
3
Low
1
Informational
2
Table of Contents
1. Introduction
The CoreDAO team engaged Halborn to conduct a security assessment on their 1.0.9 Release of Core Chain, beginning on Halborn to conduct a security assessment on the forwarding module, beginning on 03/18/2024 and ending on 04/26/2024. The security assessment was scoped to the sections of code that pertain to the 1.0.9 Release Updates. Commit hashes and further details can be found in the Scope section of this report.
The scope of this security assessment covers the codebase changes made between commit ID 86293f9a54c5ff33f3c40c41853b3d836931e27a and commit ID 788f951cbf4671eb60f807d58280198c77044c3c in the corresponding branch of the project repository.
2. Assessment Summary
The team at Halborn was provided one week for the engagement and assigned one full-time security engineer to verify the security of the merge requests. The security engineer is a blockchain and smart-contract security expert with advanced penetration testing, smart-contract hacking, and deep knowledge of multiple blockchain protocols.
The purpose of this assessment is to:
- Ensure that the chain operates as intended.
- Identify potential security issues with the updates for the chain implementation.
In summary, Halborn identified some security risks that were addressed and accepted by the CoreDAO team.
3. SCOPE
4. Findings Overview
| Security analysis | Risk level | Remediation |
|---|---|---|
| Add query limit to defend against potential DDoS attacks | High | Solved - 05/16/2024 |
| Enforce topic limit early on filter criteria to prevent potential DoS attacks | Medium | Risk Accepted |
| Add sanity limit to header accessor to prevent potential DoS attacks | Medium | Risk Accepted |
| Vulnerability in Ethereum Node Allowing DoS via Malicious P2P Message | Medium | Risk Accepted |
| Vulnerability Due to Dependency on Outdated btcd Module | Low | Risk Accepted |
| Integrate Dependabot to Identify Out-of-Date Software Dependencies | Informational | Acknowledged |
| Outdated GETH Fork Version | Informational | Acknowledged |
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
Table of Contents
// Download the full report
1.0.9 Upgrade Release
* Use Google Chrome for best results
** Check "Background Graphics" in the print settings if needed