Introduction
We express our gratitude to the HAPI team for the collaborative engagement that enabled the execution of this Security Assessment.
Hapi Labs is a cutting-edge cybersecurity firm specializing in real-time investigations and rapid response to emerging cyber threats. At the forefront of combating hacks and exploits, they employ advanced techniques and tools to monitor, detect, and counteract cyber incidents as they unfold. This proactive approach is crucial in today's digital landscape, where the speed and complexity of cyber attacks are constantly evolving. Hapi Labs' dedication to immediate and effective response not only mitigates potential damage but also provides invaluable insights into the nature of modern cyber threats. Their expertise plays a vital role in enhancing the digital security posture of their clients, ensuring resilience and adaptability in the face of ever-changing cyber challenges.
| Audit Details | |
|---|---|
| Platform | Metamask Snap |
| Language | TypeScript |
| Tags | Whitebox |
| Timeline | 03/01/2024 - 10/01/2024 |
| Methodology | Dapp Audit Methodology |

| Review Scope | |
|---|---|
| Repository | https://github.com/HAPIprotocol/hapilabs-snap/ |
| Commit | [] |
 
Audit Summary
- Documentation quality: 0/10
- Test coverage: 0%
- Code quality: 3/10
- Security score: 0/10

The system users should acknowledge all the risks summarized in the risks section of the report.
Document Information
This report may contain confidential information about IT systems and the intellectual property of the Customer, as well as information about potential vulnerabilities and methods of their exploitation.
The report can be disclosed publicly after prior consent by another Party. Any subsequent publication of this report shall be without mandatory consent.
| Document | |
|---|---|
| Name | Decentralized Application (dApp) Code Review and Security Analysis Report for HAPI | 
| Audited By | Stephen Ajayi | 
| Approved By | Stephen Ajayi | 
| Website | https://hapilabs.one | 
| Changelog | 10/01/2024 - Preliminary Report | 
 
System Overview
Hapi Labs' Metamask Snap Project focuses on developing a lightweight, efficient plugin for the Metamask cryptocurrency wallet. This project aims to enhance user experience and provide additional functionalities within the Metamask ecosystem through a simple yet powerful snap (plugin).
Main Components of the System
The snap consists of two components:
- an npm package that can be installed with `npm install hapilabs-snap` 
- the GitHub codebase ( https://github.com/HAPIprotocol/hapilabs-snap/tree/main) 
Codebase Files
index.ts (TypeScript file):
- Serves as the core script of the snap, containing the primary logic and the request handlers. 
- Written in TypeScript, so the code is statically typed, which aids maintainability and review. 
snap.manifest.json:
- Defines the snap's metadata, the permissions it requests, and the other information Metamask needs to install and run the snap. 
- Its initialPermissions entry is the authoritative list of the APIs and resources (dialogs, network access, state, key derivation) the snap can use at runtime. 
package.json:
- Contains project metadata, including the snap's name, version, dependencies, and scripts. 
- Defines the build and deployment process, keeping snap management consistent. 
package-lock.json:
- Automatically generated file that pins the exact version of every installed node module. 
- Ensures that every install resolves to the same dependency tree; this is also the file to inspect for known-vulnerable transitive dependencies. 
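Because snap.manifest.json is where a snap declares everything it may touch, a least-privilege review of its `initialPermissions` is the first check an auditor runs. The following TypeScript is an added illustration, not the HAPI snap's manifest or code: the manifest object is constructed for the example (its field names are the standard snap manifest fields, trimmed to what the review needs), the allowlist describes a hypothetical stateless "look up an address and show a dialog" snap, and the permission names are those defined by MetaMask Snaps. The review reports permissions that are outside the allowlist, permissions that grant key material, persistent state or network access, and whether other snaps (not only dapps) may call the snap's RPC methods.

```typescript
// Added example: least-privilege review of a snap manifest's initialPermissions.
// Not code from the hapilabs-snap repository; the manifest below is constructed.

type PermissionMap = Record<string, unknown>;

// Subset of the snap.manifest.json fields used by the review.
interface SnapManifest {
  version: string;
  proposedName: string;
  source: {
    shasum: string; // integrity value MetaMask checks against the bundle at install time
    location: { npm: { filePath: string; packageName: string; registry: string } };
  };
  initialPermissions: PermissionMap;
  manifestVersion: string;
}

// Constructed sample: a snap that calls an external reputation API and shows
// the result in a dialog, but over-requests two permissions it does not need.
const sampleManifest: SnapManifest = {
  version: "0.1.0",
  proposedName: "Example Lookup Snap",
  source: {
    shasum: "constructed-placeholder-not-a-real-checksum",
    location: {
      npm: { filePath: "dist/bundle.js", packageName: "example-snap", registry: "https://registry.npmjs.org/" },
    },
  },
  initialPermissions: {
    "endowment:rpc": { dapps: true, snaps: false }, // callable from dapps only
    "endowment:network-access": {},                 // required: reputation API lookups
    "snap_dialog": {},                              // required: show the verdict
    "snap_manageState": {},                         // not needed for a stateless lookup
    "snap_getBip44Entropy": [{ coinType: 60 }],     // key material: never needed here
  },
  manifestVersion: "0.1",
};

// Permissions that expose key material or persistent state, or that open a
// channel to the outside world. Each one requested needs a written justification.
const HIGH_RISK_PERMISSIONS = new Set<string>([
  "snap_getBip32Entropy",
  "snap_getBip44Entropy",
  "snap_getBip32PublicKey",
  "snap_getEntropy",
  "snap_manageAccounts",
  "snap_manageState",
  "endowment:network-access",
]);

interface ReviewResult {
  unexpected: string[];    // requested but not on the allowlist
  highRisk: string[];      // requested and on the high-risk list
  rpcOpenToSnaps: boolean; // endowment:rpc lets other snaps call this snap
}

function reviewPermissions(manifest: SnapManifest, allowlist: string[]): ReviewResult {
  const allowed = new Set(allowlist);
  const requested = Object.keys(manifest.initialPermissions);
  const rpc = manifest.initialPermissions["endowment:rpc"] as
    | { dapps?: boolean; snaps?: boolean }
    | undefined;
  return {
    unexpected: requested.filter((p) => !allowed.has(p)).sort(),
    highRisk: requested.filter((p) => HIGH_RISK_PERMISSIONS.has(p)).sort(),
    rpcOpenToSnaps: rpc?.snaps === true,
  };
}

// Allowlist for the hypothetical stateless lookup snap described above.
const LOOKUP_SNAP_ALLOWLIST = ["endowment:rpc", "endowment:network-access", "snap_dialog"];

const sampleReview = reviewPermissions(sampleManifest, LOOKUP_SNAP_ALLOWLIST);
// sampleReview.unexpected lists snap_getBip44Entropy and snap_manageState;
// sampleReview.highRisk additionally lists endowment:network-access, which is
// allowlisted but still has to be justified in the review.
```

Any entry in `unexpected` is a finding on its own; an entry in `highRisk` that is also allowlisted (network access here) stays in the report as a risk the user accepts when installing the snap, since the manifest, not the code, is what Metamask enforces.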
Executive Summary
Documentation quality
The total Documentation Quality score is 0 out of 10.
- Functional requirements were not provided. 
- Technical description is not provided. 
Code quality
The total Code Quality score is 3 out of 10.
- Well-Organized Code: The code is structured in a clear and coherent manner. 
- Consistent Coding Style: A uniform coding style is followed, enhancing readability. 
- Lack of Tests: No tests are included with the code; tests are essential for verifying reliability and aiding maintenance. 
Test coverage
There was no test coverage in the code base.
Security score
Upon auditing, the code was found to contain 1 critical, 2 high, 4 medium, and 4 low severity issues, leading to a security score of 0 out of 10.
All identified issues are detailed in the “Findings” section of this report.
Summary
The comprehensive audit of the customer's dapp yields an overall score of 0.3. This score reflects the combined evaluation of documentation, code quality, test coverage, and security aspects of the project.
Findings
| Code | Title | Status | Severity |
|---|---|---|---|
| snaptest.ha | Stored Cross-Site Scripting (XSS) in Hapilabs Snap Test Host | fixed | Critical |
| Locally ins | Insecure API Key Storage and Management | accepted | High |
| hapilab-sna | Insecure Input Handling and Implicit Trust in External Data | fixed | High |
| snaptest.ha | Insecure Transmission and Exposure of API Key | fixed | Medium |
| hapilabs-sn | Lack of Rate Limiting and Abuse Prevention | fixed | Medium |
| Hapilabs-sn | Insecure External Service Communication | fixed | Medium |
| Hapilab-sna | Insecure Response Data Handling | fixed | Medium |
| Locally ins | Insufficient Error Handling and User Feedback | unfixed | Low |
| Hapilab-sna | Loose Equality Comparison | unfixed | Low |
| package.loc | Composite Dependency Vulnerabilities in npm Packages | unfixed | Low |
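The table gives the finding titles only; the report page carries no detail of the affected code. The following TypeScript is an added illustration of the hardening that the "Insecure Input Handling and Implicit Trust in External Data", "Insecure Response Data Handling" and "Loose Equality Comparison" classes of finding call for in a snap, and it is not code from the hapilabs-snap repository. The RPC method name `checkAddress`, the response fields `address`, `risk` and `category`, and the category set are assumptions made for the example; the external service is replaced by a caller-supplied function so the code runs offline.

```typescript
// Added example: validate what a dapp sends to the snap and what the external
// service sends back before either reaches a dialog. Not the project's code;
// method name, response shape and category set are assumed for the example.

// JSON-RPC request as delivered to a snap's onRpcRequest handler.
interface RpcRequest { method: string; params?: unknown }

// Validated lookup result the snap is willing to show or return.
interface CheckResult { address: string; risk: number; category: string }

// Assumed category vocabulary. The service reply is untrusted input, so only
// these exact values are accepted; free-form strings never reach the dialog.
const CATEGORIES = new Set<string>(["none", "scam", "sanctions", "mixer"]);

const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;

// Reject anything that is not { address: "0x<40 hex chars>" }. No defaults,
// no coercion: a missing or malformed address is an error, not an empty lookup.
function parseAddressParam(params: unknown): string {
  if (typeof params !== "object" || params === null || Array.isArray(params)) {
    throw new Error("invalid params: expected an object");
  }
  const address = (params as { address?: unknown }).address;
  if (typeof address !== "string" || !ADDRESS_RE.test(address)) {
    throw new Error("invalid params: address must be a 0x-prefixed 20-byte hex string");
  }
  return address.toLowerCase();
}

// Check types and ranges with strict comparisons (===), so a risk of "7"
// (string) or a category carrying markup is rejected rather than displayed.
function parseServiceResponse(body: unknown, expectedAddress: string): CheckResult {
  if (typeof body !== "object" || body === null) throw new Error("bad response: not an object");
  const r = body as Record<string, unknown>;
  // The service echoes the queried address; a mismatch means a mixed-up or forged reply.
  const echoed = r.address;
  if (typeof echoed !== "string" || echoed.toLowerCase() !== expectedAddress) {
    throw new Error("bad response: address mismatch");
  }
  const risk = r.risk;
  if (typeof risk !== "number" || !Number.isInteger(risk) || risk < 0 || risk > 10) {
    throw new Error("bad response: risk must be an integer in 0..10");
  }
  const category = r.category;
  if (typeof category !== "string" || !CATEGORIES.has(category)) {
    throw new Error("bad response: unknown category");
  }
  return { address: expectedAddress, risk, category };
}

// Dialog text is assembled only from validated, allowlisted values.
function renderVerdict(result: CheckResult): string {
  return `Address ${result.address}: risk ${result.risk}/10 (${result.category})`;
}

// fetchJson stands in for the network call (fetch() under endowment:network-access
// in a real snap) so the example can be exercised without a network.
async function handleCheckAddress(
  request: RpcRequest,
  fetchJson: (address: string) => Promise<unknown>,
): Promise<string> {
  if (request.method !== "checkAddress") throw new Error(`method not found: ${request.method}`);
  const address = parseAddressParam(request.params);
  const result = parseServiceResponse(await fetchJson(address), address);
  return renderVerdict(result);
}

// Constructed stand-in for the external service, for local runs:
//   handleCheckAddress({ method: "checkAddress", params: { address: "0x" + "a".repeat(40) } },
//                      async (a) => ({ address: a, risk: 7, category: "scam" }))
//   resolves to "Address 0xaaaa...: risk 7/10 (scam)".
```

The same two boundaries (dapp to snap, external service to snap) are where the other findings in the table cluster: an API key sent with the request belongs to the service call and must never be echoed back in the response or rendered, and rate limiting applies to the same validated `address` value before the external call is made.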
Appendix 1. Severity Definitions
| Severity | Description | 
|---|---|
| Critical | These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm. | 
| High | These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of the potential security breach. | 
| Medium | These issues present a moderate risk to the system and do not have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention. | 
| Low | These issues present no risk to the system and typically relate to the code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation. | 
 
Appendix 2. Scope
The scope of the project includes the following Lines of Code from the provided repository:
| Scope Details | |
|---|---|
| Repository | https://github.com/HAPIprotocol/hapilabs-snap/tree/main | 
| Commit | [ ] | 
| Whitepaper | [ ] | 
| Requirements | Not provided | 
| Technical Requirements | Not provided | 