Tangle Network Code Review - Tangle Tools

1. Introduction

Tangle Network engaged Halborn to perform a security assessment of their Rust codebase from Oct. 15, 2024, to Dec. 13, 2024. The assessment focused on the substrate code, precompiled code, and pallets listed in the provided GitHub repository and included relevant commit hashes. More details can be found in the Scope section of this report.

2. Assessment Summary

The Halborn team was allocated 8 weeks and 3 days for the engagement and assigned two full-time security engineers to assess the security of the substrate pallets and the overall codebase. The security engineers are experts in blockchain and smart contract security, with advanced skills in penetration testing and smart contract auditing, as well as extensive knowledge of various blockchain protocols.

The purpose of this assessment is to:

• Ensure that the codebase functions operate as intended, including properly implementing staking, pooling, reward mechanisms, and Ethereum compatibility features.

• Identify potential security issues within the codebase, such as:

  • Cryptographic vulnerabilities (e.g., signature malleability, replay attacks, or misuse of hashing functions).

  • Logical inconsistencies in key functionalities like staking, unbonding, reward calculations.

  • Dependency-related risks from external crates and libraries.

  • Insufficient input validation or unchecked operations may lead to panics, overflows, or security exploits.

• Verify that the code adheres to best practices for blockchain security, such as preventing unauthorized access, maintaining data integrity, and ensuring predictable execution under edge cases and adverse conditions.

• Assess the implementation of Ethereum precompiles, proxy types, and EVM integration to ensure proper validation, safe asset handling, and gas usage efficiency.

3. Test Approach and Methodology

The Halborn team performed a combination of manual code review and automated security testing to ensure a comprehensive and efficient assessment of the Tangle codebase. This approach balanced efficiency, timeliness, practicality, and accuracy to address the assessment scope. Manual testing was used to uncover flaws in logic, process, and implementation, while automated tools were employed to quickly identify deviations from security best practices. The following phases and associated tools were used throughout the assessment:

• Research on the architecture, purpose, and usage of the Tangle network.

• Manual code walkthroughs to understand the design of key modules, including staking, pooling, reward distribution, and EVM precompiles, while identifying potential vulnerabilities.

• Assessment of Rust functions and variables for arithmetic vulnerabilities, such as overflow/underflow or unsafe computations.

• Audit of cryptographic protocols and primitives, including ECDSA signature recovery and Ethereum address mapping, to ensure compliance with industry standards and robustness against attacks.

• Scanning Rust crates with Cargo Audit to identify outdated dependencies, known vulnerabilities, and insecure versions of third-party libraries.

• Analyzing unsafe code usage with Cargo Geiger, ensuring minimal reliance on unsafe Rust features to reduce risks of memory safety vulnerabilities.

• Validation of error handling and logging practices to prevent unintentional exposure of sensitive information or system behavior.