Prepared by:
HALBORN
Date of Engagement: July 11th, 2024 - July 25th, 2024
100% of all REPORTED Findings have been addressed

| Severity | Findings |
|---|---|
| All findings | 8 |
| Critical | 0 |
| High | 0 |
| Medium | 0 |
| Low | 0 |
| Informational | 8 |
Spacemesh engaged Halborn to conduct a security assessment on their wallet web application, beginning on July 11th 2024 and ending on July 25th 2024. The security assessment was scoped to the Spacemesh wallet web application.
The Spacemesh team provided the source code to Halborn in order to conduct the security assessment. Halborn's team used different tools to scan for, detect and validate possible vulnerabilities in the wallet (both statically and dynamically), reporting the findings at the end of the engagement. The wallet source code provided by the client was used throughout the assessment.
The team at Halborn was given two weeks for the engagement and assigned a full-time security engineer to verify the security of the Spacemesh wallet web application. The security engineer is a penetration testing expert with advanced knowledge of web, reconnaissance, discovery and infrastructure penetration testing, as well as blockchain and smart-contract security.
The purpose of this assessment is to:

- Improve the security of the application by testing it with both white-box and black-box approaches
- Identify potential security issues that could be affecting the web application
In summary, Halborn did not identify any critical issues but found some security risks, including four HIGH and five MEDIUM issues.
It was possible to leak the mnemonic phrase from a memory dump, as well as the user's password and private key under different scenarios. In addition, it was possible to brute-force users' passwords using the wallet information stored on disk.
Several transactions for very large amounts were submitted without sufficient balance in the testing wallet, posing a security risk to the wallet and directly impacting the integrity and consistency of the web application. Several other gaps in user input validation were detected as well.
Moreover, the Spacemesh wallet was found to use plaintext connections over HTTP, and the wallet web application was vulnerable to clickjacking attacks.
It was possible to wipe wallet data by overwriting the browser "localStorage". Finally, the Spacemesh wallet was using some vulnerable dependencies.
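The balance-check finding summarised above (listed as "BALANCE NOT CHECKED BEFORE SENDING TRANSACTION (TX)" in the findings table) is the kind of defect a pre-submission validator prevents. The following JavaScript is an added example, not Spacemesh wallet code and not code from the Halborn report. It assumes a hypothetical `validateSend` entry point that receives the amount and fee as digit strings in the smallest unit and the spendable balance as a BigInt; the sample balance is constructed for the demonstration.

```javascript
// Added example (not Spacemesh or Halborn code): validate a send request
// before any transaction is built, so the wallet never submits a transfer
// whose amount plus fee exceeds the spendable balance. Amounts are handled
// as BigInt values of the smallest unit, so very large inputs can neither
// overflow nor silently lose precision the way Number would.

// Constructed sample: a hypothetical spendable balance in the smallest unit.
const SAMPLE_BALANCE = 1000000n;

function parseAmount(raw) {
  // Accept only a non-empty string of ASCII digits. Signs, decimals,
  // exponents, whitespace and hex prefixes are rejected up front instead
  // of letting BigInt() coerce them into something unexpected.
  if (typeof raw !== "string" || !/^\d+$/.test(raw)) {
    return { ok: false, reason: "amount must be a string of digits in the smallest unit" };
  }
  return { ok: true, value: BigInt(raw) };
}

function validateSend({ amount, fee, balance }) {
  const a = parseAmount(amount);
  if (!a.ok) return { ok: false, reason: `amount: ${a.reason}` };

  const f = parseAmount(fee);
  if (!f.ok) return { ok: false, reason: `fee: ${f.reason}` };

  // A balance that is missing, not a BigInt, or negative means the wallet
  // state is unknown; refuse rather than assume funds exist.
  if (typeof balance !== "bigint" || balance < 0n) {
    return { ok: false, reason: "balance unavailable" };
  }

  if (a.value === 0n) return { ok: false, reason: "amount must be positive" };

  // The total cost of the transfer must fit within the spendable balance.
  const total = a.value + f.value;
  if (total > balance) {
    return { ok: false, reason: `insufficient balance: need ${total}, have ${balance}` };
  }
  return { ok: true, total, remaining: balance - total };
}

// Usage with constructed input: a huge transfer against the sample balance
// is rejected before a transaction is ever assembled.
const demo = validateSend({
  amount: "99999999999999999999999999",
  fee: "1000",
  balance: SAMPLE_BALANCE,
});
console.log(demo.ok, demo.reason);
```

The check runs on the client's own view of the balance, so it is a usability and integrity guard rather than a substitute for node-side validation; the point is that an oversized or malformed amount is refused at the form boundary instead of being signed and submitted.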
Halborn performed a combination of manual and automated security testing to balance efficiency, timeliness, practicality, and accuracy within the scope of the penetration test. Manual testing is recommended to uncover flaws in logic, process and implementation, while automated testing techniques help extend coverage of the solution and can quickly identify flaws in it.
Several phases and associated tools were used throughout the term of the assessment, including but not limited to:

- Mapping application content and functionality
- Private keys, mnemonic phrase, seed, and assets securely saved
- Exposure of any critical information during user interactions with the blockchain and external libraries
- Attacks that could impact funds, such as draining or manipulating funds
- Application logic flaws
- Lack of validation on input forms and input handling
- Application cryptography
- Brute-force protections
- Fuzzing
- Testing for injection (SQL/JSON/HTML/JS/Command/Directories...)
- Vulnerable or outdated dependencies
- Authentication / authorization flaws
- Testing for different types of sensitive information leakage: memory, clipboard, ...
- Static analysis of the code
- Identifying other potential vulnerabilities that may pose a risk to Spacemesh
| EXPLOITABILITY METRIC | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
| Attack Origin (AO) | Arbitrary (AO:A) | 1 |
| Attack Origin (AO) | Specific (AO:S) | 0.2 |
| Attack Cost (AC) | Low (AC:L) | 1 |
| Attack Cost (AC) | Medium (AC:M) | 0.67 |
| Attack Cost (AC) | High (AC:H) | 0.33 |
| Attack Complexity (AX) | Low (AX:L) | 1 |
| Attack Complexity (AX) | Medium (AX:M) | 0.67 |
| Attack Complexity (AX) | High (AX:H) | 0.33 |

| IMPACT METRIC | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
| Confidentiality (C) | None (C:N) | 0 |
| Confidentiality (C) | Low (C:L) | 0.25 |
| Confidentiality (C) | Medium (C:M) | 0.5 |
| Confidentiality (C) | High (C:H) | 0.75 |
| Confidentiality (C) | Critical (C:C) | 1 |
| Integrity (I) | None (I:N) | 0 |
| Integrity (I) | Low (I:L) | 0.25 |
| Integrity (I) | Medium (I:M) | 0.5 |
| Integrity (I) | High (I:H) | 0.75 |
| Integrity (I) | Critical (I:C) | 1 |
| Availability (A) | None (A:N) | 0 |
| Availability (A) | Low (A:L) | 0.25 |
| Availability (A) | Medium (A:M) | 0.5 |
| Availability (A) | High (A:H) | 0.75 |
| Availability (A) | Critical (A:C) | 1 |
| Deposit (D) | None (D:N) | 0 |
| Deposit (D) | Low (D:L) | 0.25 |
| Deposit (D) | Medium (D:M) | 0.5 |
| Deposit (D) | High (D:H) | 0.75 |
| Deposit (D) | Critical (D:C) | 1 |
| Yield (Y) | None (Y:N) | 0 |
| Yield (Y) | Low (Y:L) | 0.25 |
| Yield (Y) | Medium (Y:M) | 0.5 |
| Yield (Y) | High (Y:H) | 0.75 |
| Yield (Y) | Critical (Y:C) | 1 |

| SEVERITY COEFFICIENT | COEFFICIENT VALUE | NUMERICAL VALUE |
|---|---|---|
| Reversibility (R) | None (R:N) | 1 |
| Reversibility (R) | Partial (R:P) | 0.5 |
| Reversibility (R) | Full (R:F) | 0.25 |
| Scope (S) | Changed (S:C) | 1.25 |
| Scope (S) | Unchanged (S:U) | 1 |
| Severity | Score Value Range |
|---|---|
| Critical | 9 - 10 |
| High | 7 - 8.9 |
| Medium | 4.5 - 6.9 |
| Low | 2 - 4.4 |
| Informational | 0 - 1.9 |
| Security analysis | Risk level | Remediation Date |
|---|---|---|
| PLAINTEXT SECRETS IN MEMORY | Informational | Solved - 09/05/2024 |
| INSECURE WALLET INFORMATION STORAGE | Informational | Solved - 09/05/2024 |
| BALANCE NOT CHECKED BEFORE SENDING TRANSACTION (TX) | Informational | Solved - 09/17/2024 |
| INFINITE LOOP ON Add New Network FUNCTIONALITY | Informational | Solved - 09/17/2024 |
| PLAINTEXT CONNECTIONS SUPPORTED | Informational | Solved - 07/28/2024 |
| CLICKJACKING | Informational | Solved - 07/28/2024 |
| VULNERABLE THIRD-PARTY DEPENDENCIES | Informational | Solved - 09/23/2024 |
| WALLET WIPE THROUGH LOCAL STORAGE OVERWRITE | Informational | Risk Accepted |
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.