Audit name:
[L1] CratD2C | CratD2Cchain | Oct2024
Date:
Dec 23, 2024
Table of Content
Introduction
We express our gratitude to the CratD2C team for the collaborative engagement that enabled the execution of this Blockchain Protocol Security Assessment.
CratD2C SmartChain is a Layer 1 blockchain designed to deliver high scalability, rapid transaction finality, and robust security. It leverages Delegated Proof of Stake (DPoS) consensus to support seamless decentralized applications across industries like e-commerce, real estate, and luxury services.
Document | |
|---|---|
| Name | Blockchain Protocol Review and Security Analysis Report for CratD2C |
| Audited By | Nino Lipartiia, Hamza Sajid |
| Approved By | Nino Lipartiia |
| Website | https://cratd2csmartchain.io/→ |
| Changelog | 29/11/2024 - First Preliminary Report |
| Changelog | 11/12/2024 - Second Preliminary Report |
| Changelog | 23/12/2024 - Final Report |
| Platform | CratD2C |
| Language | Golang |
| Tags | DPoS |
| Methodology | https://hackenio.cc/blockchain_methodology→ |
Document
- Name
- Blockchain Protocol Review and Security Analysis Report for CratD2C
- Audited By
- Nino Lipartiia, Hamza Sajid
- Approved By
- Nino Lipartiia
- Changelog
- 29/11/2024 - First Preliminary Report
- Changelog
- 11/12/2024 - Second Preliminary Report
- Changelog
- 23/12/2024 - Final Report
- Platform
- CratD2C
- Language
- Golang
- Tags
- DPoS
- Methodology
- https://hackenio.cc/blockchain_methodology→
Review Scope | |
|---|---|
| Repository | https://github.com/CratD2C-SmartChain/cratd2cchain→ |
| Commit | ba7e0061861e2ee88be799c2c78314ed1486a789 |
Review Scope
- Commit
- ba7e0061861e2ee88be799c2c78314ed1486a789
Audit Summary
The system users should acknowledge all the risks summed up in the risks section of the report
Documentation quality
The official documentation is available on the CratD2C website, offering comprehensive insights into the platform.
The README file has been refined during the audit and now provides enhanced details on build and testing processes.
Inline documentation in the codebase is well-structured, ensuring clarity on the implemented functionalities.
Code quality
The codebase reflects a high standard of quality in Go programming, showcasing modular, extensible, and domain-driven patterns.
Static code analysis has flagged a few warnings, presenting opportunities for refinement to further enhance code robustness.
Test coverage is an area that could benefit from improvement, as this is a fork of XDC and may require changes to align with directory renaming.
The presence of unresolved TODO comments highlights areas for further attention, many inherited from the original XDC implementation
Architecture quality
The architecture is based on the XDC Network, providing a robust and scalable foundation for decentralized applications (dApps) and financial ecosystems.
The system leverages the XDC subnet framework, adapting it to suit the project's specific needs for enhanced performance and scalability.
A Delegated Proof of Stake (DPoS) consensus mechanism ensures efficient transaction validation and network security with minimal energy consumption.
System Overview
CratD2C is a blockchain platform meticulously designed to support decentralized applications (dApps) and financial ecosystems. It emphasizes efficiency and scalability and provides a solid, reliable foundation for decentralized solutions. By utilizing the XDC subnet effectively, CratD2C adapts the technology to meet its unique requirements, ensuring optimized performance and flexibility.
Leveraging a Delegated Proof of Stake (DPoS) consensus mechanism, CratD2C enables stakeholders to elect Validators responsible for transaction validation and network security. This model fosters decentralization while maintaining energy efficiency, offering a more resource-conserving alternative to traditional consensus protocols.
Risks
The project is primarily a fork of XDC-Subnet →, with most modifications focused on rebranding and offering limited technical differentiation.
Findings
Code ― | Title | Status | Severity | |
|---|---|---|---|---|
| F-2024-7407 | Exposed Security Gaps from Outdated Codebase | fixed | High | |
| F-2024-7238 | Vulnerabilities in Go Standard Library | fixed | High | |
| F-2024-7386 | Missing Validation for ExtraData Length in Lending Transactions | fixed | Medium | |
| F-2024-7239 | Vulnerabilities in Docker Dependency | fixed | Medium | |
| F-2024-7423 | Lack of Support for Recent EVM Opcodes | fixed | Observation | |
| F-2024-7410 | Test Suite Failures | accepted | Observation | |
| F-2024-7401 | Misleading Chain Denomination | accepted | Observation | |
| F-2024-7385 | Discrepancies from Legacy API Integration | accepted | Observation | |
| F-2024-7323 | Advised Security Enhancements Based on Static Analysis | accepted | Observation | |
| F-2024-7202 | Residual Zone.Identifier Files | fixed | Observation |
Appendix 1. Severity Definitions
Severity | Description |
|---|---|
Critical | Vulnerabilities that can lead to a complete breakdown of the blockchain network's security, privacy, integrity, or availability fall under this category. They can disrupt the consensus mechanism, enabling a malicious entity to take control of the majority of nodes or facilitate 51% attacks. In addition, issues that could lead to widespread crashing of nodes, leading to a complete breakdown or significant halt of the network, are also considered critical along with issues that can lead to a massive theft of assets. Immediate attention and mitigation are required. |
High | High severity vulnerabilities are those that do not immediately risk the complete security or integrity of the network but can cause substantial harm. These are issues that could cause the crashing of several nodes, leading to temporary disruption of the network, or could manipulate the consensus mechanism to a certain extent, but not enough to execute a 51% attack. Partial breaches of privacy, unauthorized but limited access to sensitive information, and affecting the reliable execution of smart contracts also fall under this category. |
Medium | Medium severity vulnerabilities could negatively affect the blockchain protocol but are usually not capable of causing catastrophic damage. These could include vulnerabilities that allow minor breaches of user privacy, can slow down transaction processing, or can lead to relatively small financial losses. It may be possible to exploit these vulnerabilities under specific circumstances, or they may require a high level of access to exploit effectively. |
Low | Low severity vulnerabilities are minor flaws in the blockchain protocol that might not have a direct impact on security but could cause minor inefficiencies in transaction processing or slight delays in block propagation. They might include vulnerabilities that allow attackers to cause nuisance-level disruptions or are only exploitable under extremely rare and specific conditions. These vulnerabilities should be corrected but do not represent an immediate threat to the system. |
Severity
- Critical
Description
- Vulnerabilities that can lead to a complete breakdown of the blockchain network's security, privacy, integrity, or availability fall under this category. They can disrupt the consensus mechanism, enabling a malicious entity to take control of the majority of nodes or facilitate 51% attacks. In addition, issues that could lead to widespread crashing of nodes, leading to a complete breakdown or significant halt of the network, are also considered critical along with issues that can lead to a massive theft of assets. Immediate attention and mitigation are required.
Severity
- High
Description
- High severity vulnerabilities are those that do not immediately risk the complete security or integrity of the network but can cause substantial harm. These are issues that could cause the crashing of several nodes, leading to temporary disruption of the network, or could manipulate the consensus mechanism to a certain extent, but not enough to execute a 51% attack. Partial breaches of privacy, unauthorized but limited access to sensitive information, and affecting the reliable execution of smart contracts also fall under this category.
Severity
- Medium
Description
- Medium severity vulnerabilities could negatively affect the blockchain protocol but are usually not capable of causing catastrophic damage. These could include vulnerabilities that allow minor breaches of user privacy, can slow down transaction processing, or can lead to relatively small financial losses. It may be possible to exploit these vulnerabilities under specific circumstances, or they may require a high level of access to exploit effectively.
Severity
- Low
Description
- Low severity vulnerabilities are minor flaws in the blockchain protocol that might not have a direct impact on security but could cause minor inefficiencies in transaction processing or slight delays in block propagation. They might include vulnerabilities that allow attackers to cause nuisance-level disruptions or are only exploitable under extremely rare and specific conditions. These vulnerabilities should be corrected but do not represent an immediate threat to the system.
Appendix 2. Scope
The scope of the project includes the following components from the provided repository:
Scope Details | |
|---|---|
| Repository | https://github.com/CratD2C-SmartChain/cratd2cchain→ |
| Commit | ba7e0061861e2ee88be799c2c78314ed1486a789 |
| Whitepaper | https://cratd2csmartchain.io/pdf/whitepaper.pdf→ |
Scope Details
- Commit
- ba7e0061861e2ee88be799c2c78314ed1486a789
Components in Scope
Review of all changes in sources since fork from XinFin 0.2.2
Review of all security-related issues reported in XinFin reported since version 0.2.2
DCx
DCxDAO
DCxlending
accounts
bmt
build
cmd
common
compression/rle
contracts (Golang files)
consensus
console
containers/docker
core
crypto
docker
docs
eth
ethclient
ethdb
ethstats
event
genesis
internal
les
light
log
metrics
miner
mobile
node
p2p
params
rlp
rpc
swarm
tests
trie
whisper