
Audit name:

[L1] Areon | AreonChain | Nov2023

Date:

Feb 8, 2024

Table of Contents

Introduction
Audit Summary
Document Information
System Overview
Executive Summary
Risks
Findings
Appendix 1. Severity Definitions
Appendix 2. Scope


Introduction

We express our gratitude to the Areon team for the collaborative engagement that enabled the execution of this Security Assessment.

Areon is a decentralized layer 1 blockchain meant for daily usage with low fees and high transaction throughput. It also allows anyone to build dApps on top of its architecture.

Platform: AreonChain
Language: Go
Timeline: 29/11/2023 - 19/01/2024
Methodology: Blockchain Protocol and Security Analysis Methodology

    Review Scope

    Repository: https://github.com/Areon-Network/AreonChain
    Commit: acf467a

    Audit Summary

    Total: 9/10
    Security Score: 10/10
    Test Coverage: 10/10
    Code Quality Score: 8/10
    Documentation Quality Score: 9/10

    Total Findings: 5
    Resolved: 5
    Accepted: 0
    Mitigated: 0

    The system users should acknowledge all the risks summed up in the Risks section of the report.

    Document Information

    This report may contain confidential information about IT systems and the intellectual property of the Customer, as well as information about potential vulnerabilities and methods of their exploitation.

    The report can be disclosed publicly after prior consent by another Party. Any subsequent publication of this report shall be without mandatory consent.

    Document

    Name: Blockchain Protocol Code Review and Security Analysis Report for Areon
    Audited By: Michal Bajor
    Approved By:
    Website: https://areon.network/
    Changelog: 29/12/2023 - Work-in-Progress Draft report
    Changelog: 19/01/2024 - Preliminary Report

    System Overview

    AreonChain is an advanced Layer 1 blockchain protocol, meticulously developed to operate as an independent, EVM (Ethereum Virtual Machine)-compatible solution. At its core, the AreonChain architecture comprises a comprehensive codebase, which encompasses the intricate logic governing the node's functions, its Remote Procedure Call (RPC) API, and an array of related modules. Additionally, it incorporates a suite of essential dependencies, prominently featuring the Cosmos SDK and various other libraries aligned with the Cosmos ecosystem. These dependencies are thoughtfully integrated into the platform as vendored local packages, ensuring a cohesive and stable framework for the AreonChain operations.

    The operational excellence of AreonChain is further bolstered by two custom-developed modules, each serving a distinct and critical function within the Areon node:

    1. EVM Module: This innovative module is expressly designed to support the deployment and interactive engagement with smart contracts tailored for the Ethereum Virtual Machine. By providing a highly compatible and efficient environment, this module enables the flawless execution of Ethereum-derived smart contracts. This compatibility is of paramount importance, especially for developers and users accustomed to the Ethereum platform, as it ensures a smooth transition and operational consistency within the AreonChain ecosystem. The EVM Module is a testament to AreonChain's commitment to interoperability and ease of use, fostering an inclusive and versatile blockchain environment.

    2. FeeMarket Module: Specializing in the strategic management of transaction fees, this module incorporates the dynamic fee structure outlined in Ethereum Improvement Proposal 1559 (EIP-1559). Its primary function is to adaptively regulate fees, thereby streamlining the transaction process and elevating the network's operational efficiency. By implementing this innovative fee model, AreonChain not only simplifies transaction cost calculations but also ensures a more predictable and equitable fee structure. This approach significantly enhances the user experience, reducing the unpredictability often associated with transaction costs. Moreover, the FeeMarket Module plays a crucial role in maintaining network stability and efficiency, reflecting AreonChain's dedication to providing a user-centric, reliable blockchain infrastructure.

    Together, these modules represent the technical prowess and forward-thinking approach of AreonChain. By fusing the familiar benefits of the EVM with the innovative fee management of EIP-1559, AreonChain stands out as a robust, user-friendly blockchain platform. It is an embodiment of the next generation of blockchain technology, designed to meet the evolving needs of users and developers in the ever-expanding blockchain landscape.
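    As an added illustration of the EIP-1559 rule the FeeMarket module is described as implementing, the following Go snippet computes the next block's base fee from the parent block's gas usage. This is example code written for this report, not Areon's feemarket module; the parameter values are the Ethereum mainnet defaults and are assumed, not taken from the audited repository.

```go
package main

import (
	"fmt"
	"math/big"
)

// Ethereum mainnet EIP-1559 parameters. Assumption: the feemarket module follows
// the same rule; these constants are not taken from the audited repository.
const (
	elasticityMultiplier     = 2 // block gas limit / gas target
	baseFeeChangeDenominator = 8 // caps the per-block base fee change at 12.5%
)

// NextBaseFee derives the next block's base fee from the parent block's base
// fee, gas used and gas limit, following the EIP-1559 update rule.
func NextBaseFee(parentBaseFee *big.Int, parentGasUsed, parentGasLimit uint64) *big.Int {
	gasTarget := parentGasLimit / elasticityMultiplier
	next := new(big.Int).Set(parentBaseFee)
	if gasTarget == 0 || parentGasUsed == gasTarget {
		return next // block exactly on target: fee unchanged
	}
	// delta = parentBaseFee * |gasUsed - gasTarget| / gasTarget / denominator
	delta := new(big.Int).SetUint64(parentGasUsed)
	delta.Sub(delta, new(big.Int).SetUint64(gasTarget))
	delta.Abs(delta)
	delta.Mul(delta, parentBaseFee)
	delta.Div(delta, new(big.Int).SetUint64(gasTarget))
	delta.Div(delta, big.NewInt(baseFeeChangeDenominator))
	if parentGasUsed > gasTarget {
		// Above target the fee rises by at least 1, so integer rounding cannot
		// let a run of slightly-full blocks hold the fee flat.
		if delta.Sign() == 0 {
			delta.SetInt64(1)
		}
		return next.Add(next, delta)
	}
	// Below target the fee falls, but never below zero.
	next.Sub(next, delta)
	if next.Sign() < 0 {
		next.SetInt64(0)
	}
	return next
}

func main() {
	fmt.Println(NextBaseFee(big.NewInt(1000), 30_000_000, 30_000_000)) // 1125
	fmt.Println(NextBaseFee(big.NewInt(1000), 0, 30_000_000))          // 875
}
```

    A full block raises the fee by exactly one eighth and an empty block lowers it by one eighth, which is why the denominator bounds how fast fees can move between blocks.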

    Executive Summary

    Documentation quality

    The total Documentation Quality score is 9 out of 10.

    The code contains comments and docstrings that document the implementation; however, high-level documentation of the implementation was missing, although high-level documentation of the architecture itself is present. Given that AreonChain utilizes a forked blockchain framework, it would be beneficial to have documentation on this, especially highlighting any deviations from the original framework. Additionally, the README file contains no instructions on how to run the node, nor does it state where to find this information. During the audit, more detailed technical documentation was provided.

    Code quality

    The total Code Quality score is 8 out of 10.

    AreonChain effectively utilizes the Go programming language and adheres to its patterns. Furthermore, it follows the coding patterns associated with its underlying blockchain framework, enhancing the readability of the entire codebase. The code contains clear and descriptive comments. However, the codebase contains some files (primarily integration tests) that do not compile due to missing dependencies. The code quality score was reduced, as production-ready software should not contain any code that is unused or does not compile.

    Architecture quality

    The total Architecture Quality score is 10 out of 10.

    The AreonChain architecture is constructed using the Cosmos SDK framework, thereby inheriting its advantageous features. This foundation endows AreonChain with scalability and robust resilience. A key aspect of its design is the integration of the widely recognized and rigorously tested Tendermint consensus protocol, a decision that notably enhances the network's decentralization capabilities. While acknowledging that no system is entirely without vulnerabilities, our comprehensive analysis did not reveal any significant architectural shortcomings in the AreonChain's design.

    Security score

    Upon auditing, the code was found to contain 0 critical, 0 high, 1 medium, and 3 low severity issues, leading to a security score of 10 out of 10 as all identified issues were correctly fixed.

    All identified issues are detailed in the “Findings” section of this report.

    General Score

    The comprehensive audit of the customer's blockchain protocol yields an overall score of 9.5. This score reflects the combined evaluation of documentation, code quality, architecture quality, and security aspects of the project.

    Risks

    Iterating over a dynamic array populated with custom tokenIds can lead to a gas-limit denial of service if the number of tokenIds grows without bound.

    Findings

    Code          Title                                                              Status   Severity
    F-2023-0259   Malicious Vesting Periods                                          fixed    Medium
    F-2023-0306   Data race and potential deadlock in PeerState serialization        fixed    Low
    F-2023-0297   Possibility of duplicate transactions in mempool structure         fixed    Low
    F-2023-0256   Invalid IBC events handling                                        fixed    Low
    F-2024-0444   Simulation tests do not use address prefix intended for the chain  fixed    Observation

    Appendix 1. Severity Definitions

    Critical: Vulnerabilities that can lead to a complete breakdown of the blockchain network's security, privacy, integrity, or availability fall under this category. They can disrupt the consensus mechanism, enabling a malicious entity to take control of the majority of nodes or facilitate 51% attacks. In addition, issues that could lead to widespread crashing of nodes, leading to a complete breakdown or significant halt of the network, are also considered critical along with issues that can lead to a massive theft of assets. Immediate attention and mitigation are required.

    High: High severity vulnerabilities are those that do not immediately risk the complete security or integrity of the network but can cause substantial harm. These are issues that could cause the crashing of several nodes, leading to temporary disruption of the network, or could manipulate the consensus mechanism to a certain extent, but not enough to execute a 51% attack. Partial breaches of privacy, unauthorized but limited access to sensitive information, and affecting the reliable execution of smart contracts also fall under this category.

    Medium: Medium severity vulnerabilities could negatively affect the blockchain protocol but are usually not capable of causing catastrophic damage. These could include vulnerabilities that allow minor breaches of user privacy, can slow down transaction processing, or can lead to relatively small financial losses. It may be possible to exploit these vulnerabilities under specific circumstances, or they may require a high level of access to exploit effectively.

    Low: Low severity vulnerabilities are minor flaws in the blockchain protocol that might not have a direct impact on security but could cause minor inefficiencies in transaction processing or slight delays in block propagation. They might include vulnerabilities that allow attackers to cause nuisance-level disruptions or are only exploitable under extremely rare and specific conditions. These vulnerabilities should be corrected but do not represent an immediate threat to the system.

    Appendix 2. Scope

    The scope of the project includes the following components from the provided repository:

    Scope Details

    Repository: https://github.com/Areon-Network/AreonChain
    Commit: acf467ae19bcc740a9a28b51795e
    Whitepaper: https://areon.network/docs/areon-whitepaper.pdf
    Requirements: Technical Requirements

    Components in Scope

    SDK and cryptography

    • Analysis of changes introduced since SDK fork

    • Analysis of security fixes in the later versions of Cosmos SDK

    Libraries

    • Analysis of copied libraries and changes introduced since fork

    • Analysis of security fixes in the later versions of copied libraries

    Custom modules

    • Review of evm and feemarket modules

    • Review of app initialisation and configuration

    RPC

    • Review of RPC API

    Assets in Scope

    • SDK › crypto

    • Libs

    • Modules

    • RPC