Prepared by:
HALBORN
Last Updated Unknown date
Date of Engagement: July 30th, 2024 - August 2nd, 2024
100% of all REPORTED Findings have been addressed
All findings
9
Critical
0
High
0
Medium
0
Low
3
Informational
6
Solayer team engaged Halborn to conduct a security assessment on their Endogenous AVS Solana program beginning on July 30th, 2024, and ending on August, 5th, 2024. The security assessment was scoped to the Solana Program provided in endoavs-program GitHub repository. Commit hashes and further details can be found in the Scope section of this report.
The Endogenous AVS program takes the sSOL liquid mint and transforms it into a synthetic asset representing the delegation to a particular project, using the delegate instruction. These mints can be undelegated instantly if there is a need for trade, through the undelegate instruction.
Partners will be able to create an endoavs account through the create instruction, passing a mint address which they can customize. The authority can customize the AVS token name, symbol, uri/url and metadata of these assets through instructions. The authority can also transfer the authority to other account, which is irrevocable.
These assets use the same liquidity as the underlying sSOL. Ultimately, the goal is to enable Solayer to provide stake-weighted quality of service to the AVS.
Halborn was provided 6 days for the engagement and assigned one full-time security engineer to review the security of the Solana Program in scope. The engineer is a blockchain and smart contract security expert with advanced smart contract hacking skills, and deep knowledge of multiple blockchain protocols.
The purpose of the assessment is to:
Identify potential security issues within the Endogenous AVS Solana Program.
Ensure that the program's functionality operates as intended.
In summary, Halborn identified some low-severity and informational security issues, that were addressed and acknowledged by the Solayer team. The main ones were the following:
System Flooding and Spamming.
Lack of two-step authority transfer.
Decimals should be enforced.
Missing URI and URL prefix validation.
Missing Metadata size validation.
Missing Event emissions.
Outdated dependencies.
Overall, the program in-scope is adherent to Solana's best-practices and carries consistent code quality.
Halborn performed a combination of a manual review of the source code and automated security testing to balance efficiency, timeliness, practicality, and accuracy in regard to the scope of the program assessment. While manual testing is recommended to uncover flaws in business logic, processes, and implementation; automated testing techniques help enhance coverage of programs and can quickly identify items that do not follow security best practices.
The following phases and associated tools were used throughout the term of the assessment:
Research into the architecture, purpose, and use of the platform.
Manual program source code review to identify business logic issues.
Mapping out possible attack vectors.
Thorough assessment of safety and usage of critical Rust variables and functions in scope that could lead to arithmetic vulnerabilities.
Scanning dependencies for known vulnerabilities (cargo audit).
Local runtime testing (anchor test).
| EXPLOITABILITY METRIC () | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
| Attack Origin (AO) | Arbitrary (AO:A) Specific (AO:S) | 1 0.2 |
| Attack Cost (AC) | Low (AC:L) Medium (AC:M) High (AC:H) | 1 0.67 0.33 |
| Attack Complexity (AX) | Low (AX:L) Medium (AX:M) High (AX:H) | 1 0.67 0.33 |
| IMPACT METRIC () | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
| Confidentiality (C) | None (C:N) Low (C:L) Medium (C:M) High (C:H) Critical (C:C) | 0 0.25 0.5 0.75 1 |
| Integrity (I) | None (I:N) Low (I:L) Medium (I:M) High (I:H) Critical (I:C) | 0 0.25 0.5 0.75 1 |
| Availability (A) | None (A:N) Low (A:L) Medium (A:M) High (A:H) Critical (A:C) | 0 0.25 0.5 0.75 1 |
| Deposit (D) | None (D:N) Low (D:L) Medium (D:M) High (D:H) Critical (D:C) | 0 0.25 0.5 0.75 1 |
| Yield (Y) | None (Y:N) Low (Y:L) Medium (Y:M) High (Y:H) Critical (Y:C) | 0 0.25 0.5 0.75 1 |
| SEVERITY COEFFICIENT () | COEFFICIENT VALUE | NUMERICAL VALUE |
|---|---|---|
| Reversibility () | None (R:N) Partial (R:P) Full (R:F) | 1 0.5 0.25 |
| Scope () | Changed (S:C) Unchanged (S:U) | 1.25 1 |
| Severity | Score Value Range |
|---|---|
| Critical | 9 - 10 |
| High | 7 - 8.9 |
| Medium | 4.5 - 6.9 |
| Low | 2 - 4.4 |
| Informational | 0 - 1.9 |
Critical
0
High
0
Medium
0
Low
3
Informational
6
| Security analysis | Risk level | Remediation Date |
|---|---|---|
| System Flooding and Spamming | Low | Solved - 08/11/2024 |
| Missing URI and URL prefix validation | Low | Risk Accepted |
| Missing Metadata size validation | Low | Risk Accepted |
| Lack of two-step Authority transfer | Informational | Acknowledged |
| Missing Event emissions | Informational | Acknowledged |
| Lack of Zero Amount validation | Informational | Acknowledged |
| Un-sanitized on-chain state can be used as attack vector | Informational | Acknowledged |
| Use of 'msg!' consumes additional computational budget | Informational | Acknowledged |
| Outdated dependencies | Informational | Solved - 08/11/2024 |
//Low
//Low
//Low
//Informational
//Informational
//Informational
//Informational
//Informational
//Informational
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
// Download the full report
Endogenous AVS
* Use Google Chrome for best results
** Check "Background Graphics" in the print settings if needed
