Prepared by:
HALBORN
Last Updated 04/29/2025
Date of Engagement: February 10th, 2025 - April 3rd, 2025
100% of all REPORTED Findings have been addressed
All findings
13
Critical
0
High
0
Medium
0
Low
3
Informational
10
Securitize engaged Halborn to conduct a security assessment on their Solana Validator program beginning on February 10th, 2025 and ending on March 3rd, 2025. The security assessment was scoped to the smart contracts provided in the GitHub repository rwa-rbac, commit hashes, and further details can be found in the Scope section of this report.
The Securitize team is releasing rwa-rbac, a program that acts as a facade for all RWA-related programs, enforcing role-based permissions before allowing access to critical functions via CPI (Cross-Program Invocation). The Securitize team is also releasing rwa-imr , a program that extends investor data without bloating the IdentityAccount in the Identity Registry. It relies on the Identity Registry for authority validation, as all instructions execute a CPI into the IRP.
Halborn was provided 16 days for the engagement and assigned one full-time security engineer to review the security of the Solana Programs in scope. The engineer is a blockchain and smart contract security expert with advanced smart contract hacking skills, and deep knowledge of multiple blockchain protocols.
The purpose of the assessment is to:
Identify potential security issues within the codebase.
Validate that all the requirements presented by the client are strictly implemented on code
Verify that all the necessary functions are implemented to be accessed through RBAC/CPI
Check that the role-based access control implemented in the RBAC program follows a secure methodology.
In summary, Halborn identified some improvements to reduce the likelihood and impact of some risks, which were completely addressed by the Securitize team. The main ones were the following:
Implement the creation of an AssetController through CPI when creating an AsssetAccessController.
Implement RBAC/CPI enforcement for the CreatePolicyEngine and CreateTrackerAccount entry points in the PolicyEngine program.
Prevent the AssetAccessController's admin to have the ability to invoke all RBAC/CPI entry point.
Halborn performed a combination of manual review and security testing based on scripts to balance efficiency, timeliness, practicality, and accuracy in regard to the scope of this assessment. While manual testing is recommended to uncover flaws in logic, process, and implementation; automated testing techniques help enhance coverage of the code and can quickly identify items that do not follow the security best practices. The following phases and associated tools were used during the assessment:
Research into architecture and purpose.
Differences analysis using GitLens to have a proper view of the differences between the mentioned commits
Graphing out functionality and programs logic/connectivity/functions along with state changes
Halborn used automated security scanners to assist with the detection of well-known security issues and vulnerabilities. Among the tools used was cargo-audit, a security scanner for vulnerabilities reported to the RustSec Advisory Database. All vulnerabilities published in https://crates.io are stored in a repository named The RustSec Advisory Database. cargo audit is a human-readable version of the advisory database which performs a scanning on Cargo.lock. Security Detections are only in scope. All vulnerabilities shown here were already disclosed in the above report. However, to better assist the developers maintaining this code, the reviewers are including the output with the dependencies tree, and this is included in the cargo audit output to better know the dependencies affected by unmaintained and vulnerable crates.
ID | package | Short Description |
|---|---|---|
RUSTSEC-2022-0093 | ed25519-dalek | Double Public Key Signing Function Oracle Attack on |
RUSTSEC-2024-0344 | curve25519-dalek | Timing variability in |
RUSTSEC-2024-0402 | hashbrown | Borsh serialization of HashMap is non-canonical |
| EXPLOITABILITY METRIC () | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
| Attack Origin (AO) | Arbitrary (AO:A) Specific (AO:S) | 1 0.2 |
| Attack Cost (AC) | Low (AC:L) Medium (AC:M) High (AC:H) | 1 0.67 0.33 |
| Attack Complexity (AX) | Low (AX:L) Medium (AX:M) High (AX:H) | 1 0.67 0.33 |
| IMPACT METRIC () | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
| Confidentiality (C) | None (C:N) Low (C:L) Medium (C:M) High (C:H) Critical (C:C) | 0 0.25 0.5 0.75 1 |
| Integrity (I) | None (I:N) Low (I:L) Medium (I:M) High (I:H) Critical (I:C) | 0 0.25 0.5 0.75 1 |
| Availability (A) | None (A:N) Low (A:L) Medium (A:M) High (A:H) Critical (A:C) | 0 0.25 0.5 0.75 1 |
| Deposit (D) | None (D:N) Low (D:L) Medium (D:M) High (D:H) Critical (D:C) | 0 0.25 0.5 0.75 1 |
| Yield (Y) | None (Y:N) Low (Y:L) Medium (Y:M) High (Y:H) Critical (Y:C) | 0 0.25 0.5 0.75 1 |
| SEVERITY COEFFICIENT () | COEFFICIENT VALUE | NUMERICAL VALUE |
|---|---|---|
| Reversibility () | None (R:N) Partial (R:P) Full (R:F) | 1 0.5 0.25 |
| Scope () | Changed (S:C) Unchanged (S:U) | 1.25 1 |
| Severity | Score Value Range |
|---|---|
| Critical | 9 - 10 |
| High | 7 - 8.9 |
| Medium | 4.5 - 6.9 |
| Low | 2 - 4.4 |
| Informational | 0 - 1.9 |
Critical
0
High
0
Medium
0
Low
3
Informational
10
| Security analysis | Risk level | Remediation Date |
|---|---|---|
| Lack of CPI implementation for rwa-token/asset_controller/create entry point | Low | Solved - 03/04/2025 |
| Missing RBAC enforcement for some instructions of RWA programs | Low | Solved - 03/06/2025 |
| Excessive authority for AccessController's admin for Securitize’s use case | Low | Solved - 03/04/2025 |
| update_fields does not enforce maximum allowed flags for UserRole permissions | Informational | Solved - 03/04/2025 |
| RBAC Master Role Uniqueness Not Enforced | Informational | Solved - 03/12/2025 |
| WithdrawExcessRent becomes unusable when admin is set to Pubkey::default | Informational | Solved - 03/06/2025 |
| Lack of checking identity_account and identity_registry for investor in some entry points of the Identity Metadata Registry program | Informational | Solved - 03/06/2025 |
| Redundant constraint on authorized_user_role.id in CreateUserRole entry point | Informational | Solved - 03/06/2025 |
| has_any_admin_flag lacks a unit test covering all roles simultaneously | Informational | Solved - 03/06/2025 |
| has_medici_flag lacks unit tests for multiple scenarios | Informational | Solved - 03/06/2025 |
| Instruction discriminators are not validated for uniqueness | Informational | Solved - 03/04/2025 |
| Updates to RBAC CPI Entry Points for Compatibility with RWA Token Programs | Informational | Solved - 03/05/2025 |
| Unnecessary Account Growth in assignUserRole Entry Point | Informational | Solved - 03/04/2025 |
//Low
//Low
//Low
//Informational
//Informational
//Informational
//Informational
//Informational
//Informational
//Informational
//Informational
//Informational
//Informational
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
// Download the full report
RWA/RBAC
* Use Google Chrome for best results
** Check "Background Graphics" in the print settings if needed
