This security assessment report summarizes the audit of the Sacred smart contracts. The audit found 6 issues, all informational, including missing zero-address checks, public functions that are never called internally and should be declared external, an unlocked pragma version, missing event emissions, and a lack of comments. The report recommends adding zero-address checks, using external instead of public where appropriate, locking the compiler version, emitting events for privileged actions, adding more comments, and discussing the business model.
2. Summary
This report has been prepared for Sacred smart contracts, to discover issues and vulnerabilities in the source code of their Smart Contract as well as any contract dependencies that were not part of an officially recognized library. A comprehensive examination has been performed, utilizing Static Analysis and Manual Review techniques.
The auditing process pays special attention to the following considerations:
· Testing the smart contracts against both common and uncommon attack vectors.
· Assessing the codebase to ensure compliance with current best practices and industry standards.
· Ensuring contract logic meets the specifications and intentions of the client.
· Cross-referencing contract structure and implementation against similar smart contracts produced by industry leaders.
· Thorough line-by-line manual review of the entire codebase by industry experts.
The security assessment resulted in findings that ranged from critical to informational. We recommend addressing these findings to ensure a high level of security standards and industry practices. We suggest recommendations that could better serve the project from the security perspective:
· Enhance general coding practices for better structures of source codes;
· Add enough unit tests to cover the possible use cases, given they are currently missing in the repository;
· Provide more comments per each function for readability, especially since contracts are verified in public;
· Provide more transparency on privileged activities once the protocol is live.
Sacred Security Assessment
3. Overview
Project Summary
Project Name: Sacred
Description: This is a variant of Tornado Cash compatible with the Conflux network.
Platform: Conflux
Language: Solidity
Codebase: https://github.com/Sacred-Finance/sacred-contracts/tree/main/contracts
Commit: 6eaac300f6b37f607b903bd1e9d49e0528710f7e
Audit Summary
Delivery Date: May 06, 2021
Audit Methodology: Static Analysis, Manual Review
Key Components:
Vulnerability Summary
Total Issues: 6
Critical: 0
Major: 0
Medium: 0
Minor: 0
Informational: 6
Discussion: 0
5. Findings
ID | Title | Category | Severity | Status
ERC-01 | Missing Some Important Checks | Logical Issue | Informational | Acknowledged
MTW-01 | Proper Usage of public and external Type | Optimization | Informational | Acknowledged
SSC-01 | Pragma Version Not Locked | Implementation | Informational | Acknowledged
SSS-01 | Missing Some Important Checks | Logical Issue | Informational | Acknowledged
SSS-02 | Missing Emit Events | Optimization | Informational | Acknowledged
SSS-03 | Discussion on Business Model | Logical Issue | Informational | Resolved
Total Issues: 6. Critical 0 (0.00%); Major 0 (0.00%); Medium 0 (0.00%); Minor 0 (0.00%); Informational 6 (100.00%); Discussion 0 (0.00%).
6. ERC-01 | Missing Some Important Checks
Category: Logical Issue | Severity: Informational | Location: ERC20Sacred.sol: 20 | Status: Acknowledged
Description
Some functions are missing address zero checks.
Recommendation
We advise adding a zero address check, for example:

    function changeOperator(address _newOperator) external onlyOperator {
        require(_newOperator != address(0), "ERR_ZERO_ADDRESS");
        operator = _newOperator;
    }

7. MTW-01 | Proper Usage of public and external Type
Category: Optimization | Severity: Informational | Location: utils/MerkleTreeWithHistory.sol: 133~135 | Status: Acknowledged
Description
Public functions that are never called from within the contract should be declared external. When the inputs are arrays, external functions are more efficient than public functions, because the arguments can be read directly from calldata instead of being copied to memory.
Recommendation
We advise using the external visibility for functions that are never called from within the contract.
8. SSC-01 | Pragma Version Not locked
Category: Implementation | Severity: Informational | Location: | Status: Acknowledged
Description
The contract uses pragma solidity ^0.60; which is not recommended. The pragma should be locked to the specific compiler version and flags that the contracts have been tested with the most. Locking the pragma helps ensure that contracts do not accidentally get deployed using, for example, the latest compiler, which may have a higher risk of undiscovered bugs.
Recommendation
Deploy with any of the following Solidity versions:
· 0.5.16 - 0.5.17
· 0.6.11 - 0.6.12
· 0.7.5 - 0.7.6
Consider using a specific compiler version from the ranges above.
SSS-01 | Missing Some Important Checks
Category Severity Location Status
Logical Issue Informational Sacred.sol: 203~205, 71 Acknowledged
Description
Some functions are missing address zero checks.
Recommendation
We advise adding a zero address check, for example:

    function changeOperator(address _newOperator) external onlyOperator {
        require(_newOperator != address(0), "ERR_ZERO_ADDRESS");
        operator = _newOperator;
    }
SSS-02 | Missing Emit Events
Category Severity Location Status
Optimization Informational Sacred.sol: 203~206 Acknowledged
Description
Several sensitive actions are defined without event declarations, such as the function changeOperator in
Sacred.sol.
Recommendation
We advise declaring an event for each sensitive action and emitting it in the corresponding function, like below.
The event is given a name distinct from the function, since Solidity does not compile an event and a function
that share the same identifier:

    event OperatorChanged(address newOperator);

    function changeOperator(address _newOperator) external onlyOperator {
        require(_newOperator != address(0), "ERR_ZERO_ADDRESS");
        operator = _newOperator;
        emit OperatorChanged(_newOperator);
    }
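ERC-01, SSS-01 and SSS-02 all concern the same privileged setter: it needs a zero-address check and an event that off-chain monitoring can alert on. The following added example (written for this report, not Sacred's code; the contract, event and function names are hypothetical) shows the surrounding contract context the snippets above leave out: the event declaration with a name distinct from the function, the onlyOperator modifier, the same check applied in the constructor so constructor and setter cannot diverge, and, going beyond the report's recommendation, an optional propose/accept handover that also guards against moving control to a mistyped non-zero address.

```solidity
// SPDX-License-Identifier: MIT
// Added example for this report, not code from the Sacred repository.
// Contract, event and function names are hypothetical.
pragma solidity 0.6.12;

contract OperatorControlled {
    address public operator;
    address public pendingOperator;

    // Named differently from changeOperator(): an event and a function with the
    // same identifier do not compile. Indexed fields let monitors filter by address.
    event OperatorChanged(address indexed previousOperator, address indexed newOperator);
    event OperatorProposed(address indexed currentOperator, address indexed proposedOperator);

    modifier onlyOperator() {
        require(msg.sender == operator, "ERR_NOT_OPERATOR");
        _;
    }

    constructor(address _operator) public {
        // Same check as the setter, so the constructor and the setter cannot
        // diverge (the "Inconsistency" category in the Appendix).
        require(_operator != address(0), "ERR_ZERO_ADDRESS");
        operator = _operator;
        emit OperatorChanged(address(0), _operator);
    }

    // Direct handover as recommended in ERC-01 / SSS-01 / SSS-02: zero-address
    // check plus an event, so a privilege transfer is visible off-chain.
    function changeOperator(address _newOperator) external onlyOperator {
        require(_newOperator != address(0), "ERR_ZERO_ADDRESS");
        address previous = operator;
        operator = _newOperator;
        emit OperatorChanged(previous, _newOperator);
    }

    // Two-step handover (beyond the report's recommendation): the new operator
    // must prove control of its key before the role moves, so a typo in a
    // non-zero address cannot strand the contract either.
    function proposeOperator(address _proposed) external onlyOperator {
        require(_proposed != address(0), "ERR_ZERO_ADDRESS");
        pendingOperator = _proposed;
        emit OperatorProposed(operator, _proposed);
    }

    function acceptOperator() external {
        require(msg.sender == pendingOperator, "ERR_NOT_PENDING_OPERATOR");
        address previous = operator;
        operator = pendingOperator;
        pendingOperator = address(0);
        emit OperatorChanged(previous, operator);
    }
}
```

With both events indexed on the addresses involved, a log filter on OperatorChanged is enough for a monitoring job to raise an alert whenever the privileged role moves, which is the operational reason the report asks for the event in the first place.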
SSS-03 | Discussion on Business Model
Category Severity Location Status
Logical Issue Informational Sacred.sol: 25 Resolved
Description
What is Sacred's business model? Is it the same as Bitcoin Fog's?
Alleviation
The team responded that the space Sacred is in is very tricky, especially from a regulatory point of view, but
the team is mitigating risk by controlling the size of the deposits that are made on Sacred and working on
innovative ways in the future so notes can be used to transact privately but do so in a compliant way.
Appendix
Finding Categories
Centralization / Privilege
Centralization / Privilege findings refer to either feature logic or implementation of components that act
against the nature of decentralization, such as explicit ownership or specialized access roles in
combination with a mechanism to relocate funds.
Gas Optimization
Gas Optimization findings do not affect the functionality of the code but generate different, more optimal
EVM opcodes resulting in a reduction on the total gas cost of a transaction.
Mathematical Operations
Mathematical Operation findings relate to mishandling of math formulas, such as overflows, incorrect
operations etc.
Logical Issue
Logical Issue findings detail a fault in the logic of the linked code, such as an incorrect notion on how
block.timestamp works.
Control Flow
Control Flow findings concern the access control imposed on functions, such as owner-only functions
being invoke-able by anyone under certain circumstances.
Volatile Code
Volatile Code findings refer to segments of code that behave unexpectedly on certain edge cases that may
result in a vulnerability.
Data Flow
Data Flow findings describe faults in the way data is handled at rest and in memory, such as the result of a
struct assignment operation affecting an in-memory struct rather than an in-storage one.
Language Specific
Language Specific findings are issues that would only arise within Solidity, e.g. incorrect usage of private or
delete.
Coding Style
Coding Style findings usually do not affect the generated byte-code but rather comment on how to make
the codebase more legible and, as a result, easily maintainable.
Inconsistency
Inconsistency findings refer to functions that should seemingly behave similarly yet contain different code,
such as a constructor assignment imposing different require statements on the input variables than a setter
function.
Magic Numbers
Magic Number findings refer to numeric literals that are expressed in the codebase in their raw format and
should otherwise be specified as constant contract variables aiding in their legibility and maintainability.
Compiler Error
Compiler Error findings refer to an error in the structure of the code that renders it impossible to compile
using the specified version of the project.
Checksum Calculation Method
The "Checksum" field in the "Audit Scope" section is calculated as the SHA-256 (Secure Hash Algorithm 2
with digest size of 256 bits) digest of the content of each file hosted in the listed source repository under
the specified commit.
The result is hexadecimal encoded and is the same as the output of the Linux "sha256sum" command
against the target file.
Disclaimer
This report is subject to the terms and conditions (including without limitation, description of services,
confidentiality, disclaimer and limitation of liability) set forth in the Services Agreement, or the scope of
services, and terms and conditions provided to the Company in connection with the Agreement. This
report provided in connection with the Services set forth in the Agreement shall be used by the Company
only to the extent permitted under the terms and conditions set forth in the Agreement. This report may not
be transmitted, disclosed, referred to or relied upon by any person for any purposes without CertiK’s prior
written consent.
This report is not, nor should be considered, an “endorsement” or “disapproval” of any particular project or
team. This report is not, nor should be considered, an indication of the economics or value of any
“product” or “asset” created by any team or project that contracts CertiK to perform a security
assessment. This report does not provide any warranty or guarantee regarding the absolute bug-free
nature of the technology analyzed, nor does it provide any indication of the technology's proprietors,
business, business model or legal compliance.
This report should not be used in any way to make decisions around investment or involvement with any
particular project. This report in no way provides investment advice, nor should be leveraged as investment
advice of any sort. This report represents an extensive assessment process intended to help our customers
increase the quality of their code while reducing the high level of risk presented by cryptographic tokens
and blockchain technology.
Blockchain technology and cryptographic assets present a high level of ongoing risk. CertiK’s position is
that each company and individual are responsible for their own due diligence and continuous security.
CertiK’s goal is to help reduce the attack vectors and the high level of variance associated with utilizing
new and consistently changing technologies, and in no way claims any guarantee of security or
functionality of the technology we agree to analyze.
About
Founded in 2017 by leading academics in the field of Computer Science from both Yale and Columbia
University, CertiK is a leading blockchain security company that serves to verify the security and
correctness of smart contracts and blockchain-based protocols. Through the utilization of our world-class
technical expertise, alongside our proprietary, innovative tech, we’re able to support the success of our
clients with best-in-class security, all whilst realizing our overarching vision: provable trust for all
throughout all facets of blockchain.