SlideShare a Scribd company logo

Sacred CertiK Security Assessment

3
31bridgeport

Smart Contracts have been audited!

Technology
1 of 15
Download to read offline
Security Assessment Sacred May 6th, 2021
Summary This report has been prepared for Sacred smart contracts, to discover issues and vulnerabilities in the source code of their Smart Contract as well as any contract dependencies that were not part of an officially recognized library. A comprehensive examination has been performed, utilizing Static Analysis and Manual Review techniques. The auditing process pays special attention to the following considerations: Testing the smart contracts against both common and uncommon attack vectors. Assessing the codebase to ensure compliance with current best practices and industry standards. Ensuring contract logic meets the specifications and intentions of the client. Cross referencing contract structure and implementation against similar smart contracts produced by industry leaders. Thorough line-by-line manual review of the entire codebase by industry experts. The security assessment resulted in findings that ranged from critical to informational. We recommend addressing these findings to ensure a high level of security standards and industry practices. We suggest recommendations that could better serve the project from the security perspective: Enhance general coding practices for better structures of source codes; Add enough unit tests to cover the possible use cases given they are currently missing in the repository; Provide more comments per each function for readability, especially contracts are verified in public; Provide more transparency on privileged activities once the protocol is live. Sacred Security Assessment
Overview Project Summary Project Name Sacred Description This is a variant of Tornado cash compatible with the Conflux network. Platform Conflux Language Solidity Codebase https://github.com/Sacred-Finance/sacred-contracts/tree/main/contracts Commits 6eaac300f6b37f607b903bd1e9d49e0528710f7e Audit Summary Delivery Date May 06, 2021 Audit Methodology Static Analysis, Manual Review Key Components Vulnerability Summary Total Issues 6 Critical 0 Major 0 Medium 0 Minor 0 Informational 6 Discussion 0 Sacred Security Assessment
Audit Scope ID file SHA256 Checksum CFX CFXSacred.sol d6cae5a3d4d01c0d42c4ebdf5514f990225b49f99b23fd053b5ee222531f9230 ERC ERC20Sacred.sol 129f655b9e2cbbaef39a529defe9aaccd1e1c0da3914f9d388b592f8eaf234a4 ETH ETHSacred.sol bd5de79c80478b34003640ebc3fc54027c08ecbd5d282844a4df9dc8d700c328 MSS Migrations.sol c6b1aee03b74582fc0355ab902e2a44eb5ec28c151ccb58ded6e5410c1576775 MSC Miner.sol 707d325733a4cbe1f9b296c3b9994624a028593d31873c6ecd2d1d1a7ac0acc2 RSS RewardSwap.sol 84155e35fdbe8885fa9af7b4aa4462393bfa24d638134ff3c9277a6b2baeca47 SSS Sacred.sol 0b11bad51926f242d9c64be18b85298bf9d813c38a8e29fcaad9a811685516cc STS SacredTrees.sol 47a739335837ee5aee01c902ddb967170589ceea4f88f3d3e4e3adbdf386310b Sacred Security Assessment
Findings ID Title Category Severity Status ERC-01 Missing Some Important Checks Logical Issue Informational Acknowledged MTW-01 Proper Usage of public and external Type Optimization Informational Acknowledged SSC-01 Pragma Version Not locked Implementation Informational Acknowledged SSS-01 Missing Some Important Checks Logical Issue Informational Acknowledged SSS-02 Missing Emit Events Optimization Informational Acknowledged SSS-03 Discussion on Business Model Logical Issue Informational Resolved Sacred Security Assessment 6 Total Issues Critical 0 (0.00%) Major 0 (0.00%) Medium 0 (0.00%) Minor 0 (0.00%) Informational 6 (100.00%) Discussion 0 (0.00%)
ERC-01 | Missing Some Important Checks Category Severity Location Status Logical Issue Informational ERC20Sacred.sol: 20 Acknowledged Description Some functions are missing address zero checks. Recommendation We advise that add a zero address check, for example: function function changeOperator changeOperator( (address address _newOperator _newOperator) ) external external onlyOperator onlyOperator { { require require( (_newOperator _newOperator != != address address( (0 0) ), , "ERR_ZERO_ADDRESS" "ERR_ZERO_ADDRESS") ); ; operator operator = = _newOperator _newOperator; ; } } Sacred Security Assessment
MTW-01 | Proper Usage of public and external Type Category Severity Location Status Optimization Informational utils/MerkleTreeWithHistory.sol: 133~135 Acknowledged Description The public functions that are never called by the contract should be declared external . When the inputs are arrays the external functions are more efficient than public functions. Recommendation We advise that use the external attribute for functions never called from the contract. Sacred Security Assessment
SSC-01 | Pragma Version Not locked Category Severity Location Status Implementation Informational Acknowledged Description Contract uses pragma solidity ^0.60; which is not recommend.Pragma should be locked to specific compiler version and flags that they have been tested the most with. Locking the pragma helps ensure that contracts do not accidentally get deployed using, for example, the latest compiler, which may have higher risks of undiscovered bugs. Recommendation Deploy with any of the following Solidity versions: · · 0.5 0.5.16 .16 - - 0.5 0.5.17 .17 · · 0.6 0.6.11 .11 - - 0.6 0.6.12 .12 · · 0.7 0.7.5 .5 - - 0.7 0.7.6 .6 Consider using a specific compiler version above. Sacred Security Assessment
SSS-01 | Missing Some Important Checks Category Severity Location Status Logical Issue Informational Sacred.sol: 203~205, 71 Acknowledged Description Some functions are missing address zero checks. Recommendation We advise that add a zero address check, for example: function function changeOperator changeOperator( (address address _newOperator _newOperator) ) external external onlyOperator onlyOperator { { require require( (_newOperator _newOperator != != address address( (0 0) ), , "ERR_ZERO_ADDRESS" "ERR_ZERO_ADDRESS") ); ; operator operator = = _newOperator _newOperator; ; } } Sacred Security Assessment
SSS-02 | Missing Emit Events Category Severity Location Status Optimization Informational Sacred.sol: 203~206 Acknowledged Description Several sensitive actions are defined without event declarations. Such as function changeOperator in Sacred.sol . Recommendation We advise that add events for sensitive action and emit it in the functions like below. function function changeOperator changeOperator( (address address _newOperator _newOperator) ) external external onlyOperator onlyOperator { { require require( (_newOperator _newOperator != != address address( (0 0) ), , "ERR_ZERO_ADDRESS" "ERR_ZERO_ADDRESS") ); ; operator operator = = _newOperator _newOperator; ; emit emit changeOperator changeOperator( (_newOperator _newOperator) ); ; } } Sacred Security Assessment
SSS-03 | Discussion on Business Model Category Severity Location Status Logical Issue Informational Sacred.sol: 25 Resolved Description What is the Sacred's business model? Is it same as the Bitcoin Fog? Alleviation The team responses that the space Sacred in is very tricky especially from a regulatiory point of view, but the team is mitigating risk by controlling the size of the deposits that are made on Sacred and working on innovative ways in the future so note's can be used to transact privately but do so in a compliant way. Sacred Security Assessment
Appendix Finding Categories Centralization / Privilege Centralization / Privilege findings refer to either feature logic or implementation of components that act against the nature of decentralization, such as explicit ownership or specialized access roles in combination with a mechanism to relocate funds. Gas Optimization Gas Optimization findings do not affect the functionality of the code but generate different, more optimal EVM opcodes resulting in a reduction on the total gas cost of a transaction. Mathematical Operations Mathematical Operation findings relate to mishandling of math formulas, such as overflows, incorrect operations etc. Logical Issue Logical Issue findings detail a fault in the logic of the linked code, such as an incorrect notion on how block.timestamp works. Control Flow Control Flow findings concern the access control imposed on functions, such as owner-only functions being invoke-able by anyone under certain circumstances. Volatile Code Volatile Code findings refer to segments of code that behave unexpectedly on certain edge cases that may result in a vulnerability. Data Flow Data Flow findings describe faults in the way data is handled at rest and in memory, such as the result of a struct assignment operation affecting an in-memory struct rather than an in-storage one. Language Specific Sacred Security Assessment
Language Specific findings are issues that would only arise within Solidity, i.e. incorrect usage of private or delete. Coding Style Coding Style findings usually do not affect the generated byte-code but rather comment on how to make the codebase more legible and, as a result, easily maintainable. Inconsistency Inconsistency findings refer to functions that should seemingly behave similarly yet contain different code, such as a constructor assignment imposing different require statements on the input variables than a setter function. Magic Numbers Magic Number findings refer to numeric literals that are expressed in the codebase in their raw format and should otherwise be specified as constant contract variables aiding in their legibility and maintainability. Compiler Error Compiler Error findings refer to an error in the structure of the code that renders it impossible to compile using the specified version of the project. Checksum Calculation Method The "Checksum" field in the "Audit Scope" section is calculated as the SHA-256 (Secure Hash Algorithm 2 with digest size of 256 bits) digest of the content of each file hosted in the listed source repository under the specified commit. The result is hexadecimal encoded and is the same as the output of the Linux "sha256sum" command against the target file. Sacred Security Assessment
Disclaimer This report is subject to the terms and conditions (including without limitation, description of services, confidentiality, disclaimer and limitation of liability) set forth in the Services Agreement, or the scope of services, and terms and conditions provided to the Company in connection with the Agreement. This report provided in connection with the Services set forth in the Agreement shall be used by the Company only to the extent permitted under the terms and conditions set forth in the Agreement. This report may not be transmitted, disclosed, referred to or relied upon by any person for any purposes without CertiK’s prior written consent. This report is not, nor should be considered, an “endorsement” or “disapproval” of any particular project or team. This report is not, nor should be considered, an indication of the economics or value of any “product” or “asset” created by any team or project that contracts CertiK to perform a security assessment. This report does not provide any warranty or guarantee regarding the absolute bug-free nature of the technology analyzed, nor do they provide any indication of the technologies proprietors, business, business model or legal compliance. This report should not be used in any way to make decisions around investment or involvement with any particular project. This report in no way provides investment advice, nor should be leveraged as investment advice of any sort. This report represents an extensive assessing process intending to help our customers increase the quality of their code while reducing the high level of risk presented by cryptographic tokens and blockchain technology. Blockchain technology and cryptographic assets present a high level of ongoing risk. CertiK’s position is that each company and individual are responsible for their own due diligence and continuous security. CertiK’s goal is to help reduce the attack vectors and the high level of variance associated with utilizing new and consistently changing technologies, and in no way claims any guarantee of security or functionality of the technology we agree to analyze. Sacred Security Assessment
About Founded in 2017 by leading academics in the field of Computer Science from both Yale and Columbia University, CertiK is a leading blockchain security company that serves to verify the security and correctness of smart contracts and blockchain-based protocols. Through the utilization of our world-class technical expertise, alongside our proprietary, innovative tech, we’re able to support the success of our clients with best-in-class security, all whilst realizing our overarching vision; provable trust for all throughout all facets of blockchain. Sacred Security Assessment

Recommended

Sacred CertiK security assessment for Sacred
Sacred CertiK security assessment for SacredSacred CertiK security assessment for Sacred
Sacred CertiK security assessment for Sacred31bridgeport
 
Block-Chain Oriented Software Testing Approach
Block-Chain Oriented Software Testing ApproachBlock-Chain Oriented Software Testing Approach
Block-Chain Oriented Software Testing ApproachIRJET Journal
 
How Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code AnalysisHow Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code AnalysisCheckmarx
 
Maturity of-code-mgmt-2016-04-06
Maturity of-code-mgmt-2016-04-06Maturity of-code-mgmt-2016-04-06
Maturity of-code-mgmt-2016-04-06Bogusz Jelinski
 
Peck shield audit-report-umee-v1.0
Peck shield audit-report-umee-v1.0Peck shield audit-report-umee-v1.0
Peck shield audit-report-umee-v1.0KennyNajarro2
 
Static analysis by tools
Static analysis by toolsStatic analysis by tools
Static analysis by toolswiny setya ningrum
 
growthbotics audit.pdf
growthbotics audit.pdfgrowthbotics audit.pdf
growthbotics audit.pdfWilson Kao
 
Quantstamp Report - LINKSWAP
Quantstamp Report - LINKSWAPQuantstamp Report - LINKSWAP
Quantstamp Report - LINKSWAPRoy Blackstone
 

Recommended

Sacred CertiK security assessment for Sacred
Sacred CertiK security assessment for SacredSacred CertiK security assessment for Sacred
Sacred CertiK security assessment for Sacred31bridgeport
 
Block-Chain Oriented Software Testing Approach
Block-Chain Oriented Software Testing ApproachBlock-Chain Oriented Software Testing Approach
Block-Chain Oriented Software Testing ApproachIRJET Journal
 
How Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code AnalysisHow Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code AnalysisCheckmarx
 
Maturity of-code-mgmt-2016-04-06
Maturity of-code-mgmt-2016-04-06Maturity of-code-mgmt-2016-04-06
Maturity of-code-mgmt-2016-04-06Bogusz Jelinski
 
Peck shield audit-report-umee-v1.0
Peck shield audit-report-umee-v1.0Peck shield audit-report-umee-v1.0
Peck shield audit-report-umee-v1.0KennyNajarro2
 
Static analysis by tools
Static analysis by toolsStatic analysis by tools
Static analysis by toolswiny setya ningrum
 
growthbotics audit.pdf
growthbotics audit.pdfgrowthbotics audit.pdf
growthbotics audit.pdfWilson Kao
 
Quantstamp Report - LINKSWAP
Quantstamp Report - LINKSWAPQuantstamp Report - LINKSWAP
Quantstamp Report - LINKSWAPRoy Blackstone
 
1506.08725v1
1506.08725v11506.08725v1
1506.08725v1Sandeep Sivanandan
 
Blockchain solution architecture deliverable
Blockchain solution architecture deliverableBlockchain solution architecture deliverable
Blockchain solution architecture deliverableSarmad Ibrahim
 
Ambisafe smart contracts audit
Ambisafe smart contracts auditAmbisafe smart contracts audit
Ambisafe smart contracts auditYar Naumenko
 
Essential Aspects of a Salesforce CI/CD Suite
Essential Aspects of a Salesforce CI/CD SuiteEssential Aspects of a Salesforce CI/CD Suite
Essential Aspects of a Salesforce CI/CD SuiteAutoRABIT
 
term paper for cbd models
term paper for cbd modelsterm paper for cbd models
term paper for cbd modelsSukhdeep Singh
 
6 Essential Types of Salesforce Test Automation
6 Essential Types of Salesforce Test Automation6 Essential Types of Salesforce Test Automation
6 Essential Types of Salesforce Test AutomationAutoRABIT
 
System verilog important
System verilog importantSystem verilog important
System verilog importantelumalai7
 
Using Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security ProblemsUsing Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security Problemskiansahafi
 
Delivering Quality Software with Continuous Integration
Delivering Quality Software with Continuous IntegrationDelivering Quality Software with Continuous Integration
Delivering Quality Software with Continuous IntegrationAspire Systems
 
Constructing Enterprise Applications
Constructing Enterprise ApplicationsConstructing Enterprise Applications
Constructing Enterprise ApplicationsGem WeBlog
 
Compliance as Code Everywhere
Compliance as Code EverywhereCompliance as Code Everywhere
Compliance as Code EverywhereMatt Ray
 
Automated Formal Verification of SystemC/C++ High-Level Synthesis Models
Automated Formal Verification of SystemC/C++ High-Level Synthesis ModelsAutomated Formal Verification of SystemC/C++ High-Level Synthesis Models
Automated Formal Verification of SystemC/C++ High-Level Synthesis ModelsSergio Marchese
 
GBA – Episode 1 “Enterprise Blockchain Adoption” – Cost of doing blockchain
GBA – Episode 1 “Enterprise Blockchain Adoption” – Cost of doing blockchainGBA – Episode 1 “Enterprise Blockchain Adoption” – Cost of doing blockchain
GBA – Episode 1 “Enterprise Blockchain Adoption” – Cost of doing blockchainZeeve
 
Source Code vs. Binary Code Analysis
Source Code vs. Binary Code AnalysisSource Code vs. Binary Code Analysis
Source Code vs. Binary Code AnalysisCheckmarx
 
Ensuring code quality
Ensuring code qualityEnsuring code quality
Ensuring code qualityMikhailVladimirov
 
Code coverage & tools
Code coverage & toolsCode coverage & tools
Code coverage & toolsRajesh Kumar
 
RTCA DO-254 Guidance - Accelerating DO-254 Verification
RTCA DO-254 Guidance - Accelerating DO-254 VerificationRTCA DO-254 Guidance - Accelerating DO-254 Verification
RTCA DO-254 Guidance - Accelerating DO-254 VerificationTarek Salah
 
The App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolThe App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolCheckmarx
 
Unit iv
Unit ivUnit iv
Unit ivSangeetha Rangarajan
 
Improving Code Quality Through Effective Review Process
Improving Code Quality Through Effective Review ProcessImproving Code Quality Through Effective Review Process
Improving Code Quality Through Effective Review ProcessDr. Syed Hassan Amin
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 

More Related Content

Similar to Sacred CertiK Security Assessment

Blockchain solution architecture deliverable
Blockchain solution architecture deliverableBlockchain solution architecture deliverable
Blockchain solution architecture deliverableSarmad Ibrahim
 
Ambisafe smart contracts audit
Ambisafe smart contracts auditAmbisafe smart contracts audit
Ambisafe smart contracts auditYar Naumenko
 
Essential Aspects of a Salesforce CI/CD Suite
Essential Aspects of a Salesforce CI/CD SuiteEssential Aspects of a Salesforce CI/CD Suite
Essential Aspects of a Salesforce CI/CD SuiteAutoRABIT
 
term paper for cbd models
term paper for cbd modelsterm paper for cbd models
term paper for cbd modelsSukhdeep Singh
 
6 Essential Types of Salesforce Test Automation
6 Essential Types of Salesforce Test Automation6 Essential Types of Salesforce Test Automation
6 Essential Types of Salesforce Test AutomationAutoRABIT
 
System verilog important
System verilog importantSystem verilog important
System verilog importantelumalai7
 
Using Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security ProblemsUsing Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security Problemskiansahafi
 
Delivering Quality Software with Continuous Integration
Delivering Quality Software with Continuous IntegrationDelivering Quality Software with Continuous Integration
Delivering Quality Software with Continuous IntegrationAspire Systems
 
Constructing Enterprise Applications
Constructing Enterprise ApplicationsConstructing Enterprise Applications
Constructing Enterprise ApplicationsGem WeBlog
 
Compliance as Code Everywhere
Compliance as Code EverywhereCompliance as Code Everywhere
Compliance as Code EverywhereMatt Ray
 
Automated Formal Verification of SystemC/C++ High-Level Synthesis Models
Automated Formal Verification of SystemC/C++ High-Level Synthesis ModelsAutomated Formal Verification of SystemC/C++ High-Level Synthesis Models
Automated Formal Verification of SystemC/C++ High-Level Synthesis ModelsSergio Marchese
 
GBA – Episode 1 “Enterprise Blockchain Adoption” – Cost of doing blockchain
GBA – Episode 1 “Enterprise Blockchain Adoption” – Cost of doing blockchainGBA – Episode 1 “Enterprise Blockchain Adoption” – Cost of doing blockchain
GBA – Episode 1 “Enterprise Blockchain Adoption” – Cost of doing blockchainZeeve
 
Source Code vs. Binary Code Analysis
Source Code vs. Binary Code AnalysisSource Code vs. Binary Code Analysis
Source Code vs. Binary Code AnalysisCheckmarx
 
Code coverage & tools
Code coverage & toolsCode coverage & tools
Code coverage & toolsRajesh Kumar
 
RTCA DO-254 Guidance - Accelerating DO-254 Verification
RTCA DO-254 Guidance - Accelerating DO-254 VerificationRTCA DO-254 Guidance - Accelerating DO-254 Verification
RTCA DO-254 Guidance - Accelerating DO-254 VerificationTarek Salah
 
The App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolThe App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolCheckmarx
 
Improving Code Quality Through Effective Review Process
Improving Code Quality Through Effective Review ProcessImproving Code Quality Through Effective Review Process
Improving Code Quality Through Effective Review ProcessDr. Syed Hassan Amin
 

Similar to Sacred CertiK Security Assessment (20)

1506.08725v1
1506.08725v11506.08725v1
1506.08725v1
 
Blockchain solution architecture deliverable
Blockchain solution architecture deliverableBlockchain solution architecture deliverable
Blockchain solution architecture deliverable
 
Ambisafe smart contracts audit
Ambisafe smart contracts auditAmbisafe smart contracts audit
Ambisafe smart contracts audit
 
Essential Aspects of a Salesforce CI/CD Suite
Essential Aspects of a Salesforce CI/CD SuiteEssential Aspects of a Salesforce CI/CD Suite
Essential Aspects of a Salesforce CI/CD Suite
 
term paper for cbd models
term paper for cbd modelsterm paper for cbd models
term paper for cbd models
 
6 Essential Types of Salesforce Test Automation
6 Essential Types of Salesforce Test Automation6 Essential Types of Salesforce Test Automation
6 Essential Types of Salesforce Test Automation
 
System verilog important
System verilog importantSystem verilog important
System verilog important
 
Using Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security ProblemsUsing Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security Problems
 
Delivering Quality Software with Continuous Integration
Delivering Quality Software with Continuous IntegrationDelivering Quality Software with Continuous Integration
Delivering Quality Software with Continuous Integration
 
Constructing Enterprise Applications
Constructing Enterprise ApplicationsConstructing Enterprise Applications
Constructing Enterprise Applications
 
Compliance as Code Everywhere
Compliance as Code EverywhereCompliance as Code Everywhere
Compliance as Code Everywhere
 
Automated Formal Verification of SystemC/C++ High-Level Synthesis Models
Automated Formal Verification of SystemC/C++ High-Level Synthesis ModelsAutomated Formal Verification of SystemC/C++ High-Level Synthesis Models
Automated Formal Verification of SystemC/C++ High-Level Synthesis Models
 
GBA – Episode 1 “Enterprise Blockchain Adoption” – Cost of doing blockchain
GBA – Episode 1 “Enterprise Blockchain Adoption” – Cost of doing blockchainGBA – Episode 1 “Enterprise Blockchain Adoption” – Cost of doing blockchain
GBA – Episode 1 “Enterprise Blockchain Adoption” – Cost of doing blockchain
 
Source Code vs. Binary Code Analysis
Source Code vs. Binary Code AnalysisSource Code vs. Binary Code Analysis
Source Code vs. Binary Code Analysis
 
Ensuring code quality
Ensuring code qualityEnsuring code quality
Ensuring code quality
 
Code coverage & tools
Code coverage & toolsCode coverage & tools
Code coverage & tools
 
RTCA DO-254 Guidance - Accelerating DO-254 Verification
RTCA DO-254 Guidance - Accelerating DO-254 VerificationRTCA DO-254 Guidance - Accelerating DO-254 Verification
RTCA DO-254 Guidance - Accelerating DO-254 Verification
 
The App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolThe App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST Tool
 
Unit iv
Unit ivUnit iv
Unit iv
 
Improving Code Quality Through Effective Review Process
Improving Code Quality Through Effective Review ProcessImproving Code Quality Through Effective Review Process
Improving Code Quality Through Effective Review Process
 

Recently uploaded

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 

Recently uploaded (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

Sacred CertiK Security Assessment

  • 2. Summary This report has been prepared for Sacred smart contracts, to discover issues and vulnerabilities in the source code of their Smart Contract as well as any contract dependencies that were not part of an officially recognized library. A comprehensive examination has been performed, utilizing Static Analysis and Manual Review techniques. The auditing process pays special attention to the following considerations: Testing the smart contracts against both common and uncommon attack vectors. Assessing the codebase to ensure compliance with current best practices and industry standards. Ensuring contract logic meets the specifications and intentions of the client. Cross referencing contract structure and implementation against similar smart contracts produced by industry leaders. Thorough line-by-line manual review of the entire codebase by industry experts. The security assessment resulted in findings that ranged from critical to informational. We recommend addressing these findings to ensure a high level of security standards and industry practices. We suggest recommendations that could better serve the project from the security perspective: Enhance general coding practices for better structures of source codes; Add enough unit tests to cover the possible use cases given they are currently missing in the repository; Provide more comments per each function for readability, especially contracts are verified in public; Provide more transparency on privileged activities once the protocol is live. Sacred Security Assessment
  • 3. Overview Project Summary Project Name Sacred Description This is a variant of Tornado cash compatible with the Conflux network. Platform Conflux Language Solidity Codebase https://github.com/Sacred-Finance/sacred-contracts/tree/main/contracts Commits 6eaac300f6b37f607b903bd1e9d49e0528710f7e Audit Summary Delivery Date May 06, 2021 Audit Methodology Static Analysis, Manual Review Key Components Vulnerability Summary Total Issues 6 Critical 0 Major 0 Medium 0 Minor 0 Informational 6 Discussion 0 Sacred Security Assessment
  • 4. Audit Scope ID file SHA256 Checksum CFX CFXSacred.sol d6cae5a3d4d01c0d42c4ebdf5514f990225b49f99b23fd053b5ee222531f9230 ERC ERC20Sacred.sol 129f655b9e2cbbaef39a529defe9aaccd1e1c0da3914f9d388b592f8eaf234a4 ETH ETHSacred.sol bd5de79c80478b34003640ebc3fc54027c08ecbd5d282844a4df9dc8d700c328 MSS Migrations.sol c6b1aee03b74582fc0355ab902e2a44eb5ec28c151ccb58ded6e5410c1576775 MSC Miner.sol 707d325733a4cbe1f9b296c3b9994624a028593d31873c6ecd2d1d1a7ac0acc2 RSS RewardSwap.sol 84155e35fdbe8885fa9af7b4aa4462393bfa24d638134ff3c9277a6b2baeca47 SSS Sacred.sol 0b11bad51926f242d9c64be18b85298bf9d813c38a8e29fcaad9a811685516cc STS SacredTrees.sol 47a739335837ee5aee01c902ddb967170589ceea4f88f3d3e4e3adbdf386310b Sacred Security Assessment
  • 5. Findings ID Title Category Severity Status ERC-01 Missing Some Important Checks Logical Issue Informational Acknowledged MTW-01 Proper Usage of public and external Type Optimization Informational Acknowledged SSC-01 Pragma Version Not locked Implementation Informational Acknowledged SSS-01 Missing Some Important Checks Logical Issue Informational Acknowledged SSS-02 Missing Emit Events Optimization Informational Acknowledged SSS-03 Discussion on Business Model Logical Issue Informational Resolved Sacred Security Assessment 6 Total Issues Critical 0 (0.00%) Major 0 (0.00%) Medium 0 (0.00%) Minor 0 (0.00%) Informational 6 (100.00%) Discussion 0 (0.00%)
  • 6. ERC-01 | Missing Some Important Checks Category Severity Location Status Logical Issue Informational ERC20Sacred.sol: 20 Acknowledged Description Some functions are missing address zero checks. Recommendation We advise that add a zero address check, for example: function function changeOperator changeOperator( (address address _newOperator _newOperator) ) external external onlyOperator onlyOperator { { require require( (_newOperator _newOperator != != address address( (0 0) ), , "ERR_ZERO_ADDRESS" "ERR_ZERO_ADDRESS") ); ; operator operator = = _newOperator _newOperator; ; } } Sacred Security Assessment
  • 7. MTW-01 | Proper Usage of public and external Type Category Severity Location Status Optimization Informational utils/MerkleTreeWithHistory.sol: 133~135 Acknowledged Description The public functions that are never called by the contract should be declared external . When the inputs are arrays the external functions are more efficient than public functions. Recommendation We advise that use the external attribute for functions never called from the contract. Sacred Security Assessment
  • 8. SSC-01 | Pragma Version Not locked Category Severity Location Status Implementation Informational Acknowledged Description Contract uses pragma solidity ^0.60; which is not recommend.Pragma should be locked to specific compiler version and flags that they have been tested the most with. Locking the pragma helps ensure that contracts do not accidentally get deployed using, for example, the latest compiler, which may have higher risks of undiscovered bugs. Recommendation Deploy with any of the following Solidity versions: · · 0.5 0.5.16 .16 - - 0.5 0.5.17 .17 · · 0.6 0.6.11 .11 - - 0.6 0.6.12 .12 · · 0.7 0.7.5 .5 - - 0.7 0.7.6 .6 Consider using a specific compiler version above. Sacred Security Assessment
  • 9. SSS-01 | Missing Some Important Checks Category Severity Location Status Logical Issue Informational Sacred.sol: 203~205, 71 Acknowledged Description Some functions are missing address zero checks. Recommendation We advise that add a zero address check, for example: function function changeOperator changeOperator( (address address _newOperator _newOperator) ) external external onlyOperator onlyOperator { { require require( (_newOperator _newOperator != != address address( (0 0) ), , "ERR_ZERO_ADDRESS" "ERR_ZERO_ADDRESS") ); ; operator operator = = _newOperator _newOperator; ; } } Sacred Security Assessment
  • 10. SSS-02 | Missing Emit Events Category Severity Location Status Optimization Informational Sacred.sol: 203~206 Acknowledged Description Several sensitive actions are defined without event declarations. Such as function changeOperator in Sacred.sol . Recommendation We advise that add events for sensitive action and emit it in the functions like below. function function changeOperator changeOperator( (address address _newOperator _newOperator) ) external external onlyOperator onlyOperator { { require require( (_newOperator _newOperator != != address address( (0 0) ), , "ERR_ZERO_ADDRESS" "ERR_ZERO_ADDRESS") ); ; operator operator = = _newOperator _newOperator; ; emit emit changeOperator changeOperator( (_newOperator _newOperator) ); ; } } Sacred Security Assessment
  • 11. SSS-03 | Discussion on Business Model Category Severity Location Status Logical Issue Informational Sacred.sol: 25 Resolved Description What is the Sacred's business model? Is it same as the Bitcoin Fog? Alleviation The team responses that the space Sacred in is very tricky especially from a regulatiory point of view, but the team is mitigating risk by controlling the size of the deposits that are made on Sacred and working on innovative ways in the future so note's can be used to transact privately but do so in a compliant way. Sacred Security Assessment
  • 12. Appendix Finding Categories Centralization / Privilege Centralization / Privilege findings refer to either feature logic or implementation of components that act against the nature of decentralization, such as explicit ownership or specialized access roles in combination with a mechanism to relocate funds. Gas Optimization Gas Optimization findings do not affect the functionality of the code but generate different, more optimal EVM opcodes resulting in a reduction on the total gas cost of a transaction. Mathematical Operations Mathematical Operation findings relate to mishandling of math formulas, such as overflows, incorrect operations etc. Logical Issue Logical Issue findings detail a fault in the logic of the linked code, such as an incorrect notion on how block.timestamp works. Control Flow Control Flow findings concern the access control imposed on functions, such as owner-only functions being invoke-able by anyone under certain circumstances. Volatile Code Volatile Code findings refer to segments of code that behave unexpectedly on certain edge cases that may result in a vulnerability. Data Flow Data Flow findings describe faults in the way data is handled at rest and in memory, such as the result of a struct assignment operation affecting an in-memory struct rather than an in-storage one. Language Specific Sacred Security Assessment
  • 13. Language Specific findings are issues that would only arise within Solidity, i.e. incorrect usage of private or delete. Coding Style Coding Style findings usually do not affect the generated byte-code but rather comment on how to make the codebase more legible and, as a result, easily maintainable. Inconsistency Inconsistency findings refer to functions that should seemingly behave similarly yet contain different code, such as a constructor assignment imposing different require statements on the input variables than a setter function. Magic Numbers Magic Number findings refer to numeric literals that are expressed in the codebase in their raw format and should otherwise be specified as constant contract variables aiding in their legibility and maintainability. Compiler Error Compiler Error findings refer to an error in the structure of the code that renders it impossible to compile using the specified version of the project. Checksum Calculation Method The "Checksum" field in the "Audit Scope" section is calculated as the SHA-256 (Secure Hash Algorithm 2 with digest size of 256 bits) digest of the content of each file hosted in the listed source repository under the specified commit. The result is hexadecimal encoded and is the same as the output of the Linux "sha256sum" command against the target file. Sacred Security Assessment
  • 14. Disclaimer This report is subject to the terms and conditions (including without limitation, description of services, confidentiality, disclaimer and limitation of liability) set forth in the Services Agreement, or the scope of services, and terms and conditions provided to the Company in connection with the Agreement. This report provided in connection with the Services set forth in the Agreement shall be used by the Company only to the extent permitted under the terms and conditions set forth in the Agreement. This report may not be transmitted, disclosed, referred to or relied upon by any person for any purposes without CertiK’s prior written consent. This report is not, nor should be considered, an “endorsement” or “disapproval” of any particular project or team. This report is not, nor should be considered, an indication of the economics or value of any “product” or “asset” created by any team or project that contracts CertiK to perform a security assessment. This report does not provide any warranty or guarantee regarding the absolute bug-free nature of the technology analyzed, nor do they provide any indication of the technologies proprietors, business, business model or legal compliance. This report should not be used in any way to make decisions around investment or involvement with any particular project. This report in no way provides investment advice, nor should be leveraged as investment advice of any sort. This report represents an extensive assessing process intending to help our customers increase the quality of their code while reducing the high level of risk presented by cryptographic tokens and blockchain technology. Blockchain technology and cryptographic assets present a high level of ongoing risk. CertiK’s position is that each company and individual are responsible for their own due diligence and continuous security. CertiK’s goal is to help reduce the attack vectors and the high level of variance associated with utilizing new and consistently changing technologies, and in no way claims any guarantee of security or functionality of the technology we agree to analyze. Sacred Security Assessment
  • 15. About Founded in 2017 by leading academics in the field of Computer Science from both Yale and Columbia University, CertiK is a leading blockchain security company that serves to verify the security and correctness of smart contracts and blockchain-based protocols. Through the utilization of our world-class technical expertise, alongside our proprietary, innovative tech, we’re able to support the success of our clients with best-in-class security, all whilst realizing our overarching vision; provable trust for all throughout all facets of blockchain. Sacred Security Assessment