Introduction
Goal and Objectives of Engagement
The Hacken team analyzes the documentation, the repository codebase, code and architecture quality, and the functionality of new release tags, and performs the necessary checks against known vulnerabilities.
The goal of the assessment is to determine whether the code is vulnerable to known attacks or contains malicious code, and to confirm that there are no build, deployment, or architecture flaws.
| Document | |
|---|---|
| Name | Blockchain Protocol Review and Security Analysis Report for Gate.io |
| Audited By | Luciano Ciattaglia, Sofiane Akermoun, Nino Lipartiia, Bartosz Barwikowski |
| Website | https://www.gate.io/ |
| Changelog | 03/01/2024 - Final Report |
| Tags | PoR Implementation |
| Methodology | https://hackenio.cc/blockchain_methodology |
| Review Scope | |
|---|---|
| Repository | https://github.com/gateio/proof-of-reserves |
| Commit | ea647e23bad94e6417df3f05277c6caa8959d0f4 |
Audit Summary
| Total Findings | Resolved | Accepted | Mitigated |
|---|---|---|---|
| 3 | 3 | 0 | 0 |
System users should acknowledge all the risks summarized in the risks section of the report.
Findings
| Code | Title | Status | Severity |
|---|---|---|---|
| I-2023-042 | Vulnerabilities in dependencies | fixed | Observation |
| I-2023-042 | Vulnerable and Outdated gnark Dependency | fixed | Observation |
| I-2023-0425 | Merkle Root hash integrity | fixed | Observation |
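The third finding concerns the integrity of the published Merkle root, which the report lists but does not describe. The following Go program is an added example and is not code from the Gate.io proof-of-reserves repository or from the audit: it builds a Merkle tree over constructed balance leaves, emits an inclusion proof for each leaf, and verifies a leaf against the root, which is the check a user runs locally against a published reserves root. The prefix bytes, the padding constant, the leaf format and all function names are this example's own assumptions. It shows two integrity properties a verifier should insist on: leaf and interior hashes are domain-separated so a proof cannot present an interior node as a leaf, and an odd level is padded with a fixed constant rather than a duplicated node, because duplication lets two different leaf sets (for instance [a,b,c] and [a,b,c,c]) hash to the same root.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Domain-separation prefixes (this example's own choice): a leaf hash and an
// interior-node hash can never collide, so a proof cannot pass off an interior
// node as a user's leaf.
const (
	leafPrefix = byte(0x00)
	nodePrefix = byte(0x01)
	padPrefix  = byte(0x02)
)

// padNode fills the missing sibling on an odd level. A fixed constant is used
// instead of duplicating the last node, so [a,b,c] and [a,b,c,c] get different roots.
var padNode = sha256.Sum256([]byte{padPrefix})

func hashLeaf(data []byte) []byte {
	h := sha256.New()
	h.Write([]byte{leafPrefix})
	h.Write(data)
	return h.Sum(nil)
}

func hashNode(left, right []byte) []byte {
	h := sha256.New()
	h.Write([]byte{nodePrefix})
	h.Write(left)
	h.Write(right)
	return h.Sum(nil)
}

// ProofStep is one sibling hash on the path from a leaf to the root.
type ProofStep struct {
	Sibling []byte
	Left    bool // the sibling is the left child at this level
}

// SampleLeaves returns constructed balance records (not real Gate.io data).
func SampleLeaves() [][]byte {
	return [][]byte{
		[]byte("user:alice,BTC:1.5,ETH:10"),
		[]byte("user:bob,BTC:0.25,ETH:0"),
		[]byte("user:carol,BTC:3,ETH:2.5"),
	}
}

// BuildTree hashes the leaves into a Merkle tree and returns the root together
// with an inclusion proof for every leaf.
func BuildTree(leaves [][]byte) (root []byte, proofs [][]ProofStep) {
	n := len(leaves)
	if n == 0 {
		return nil, nil
	}
	level := make([][]byte, n)
	pos := make([]int, n) // position of leaf i at the current level
	proofs = make([][]ProofStep, n)
	for i, l := range leaves {
		level[i] = hashLeaf(l)
		pos[i] = i
	}
	for len(level) > 1 {
		if len(level)%2 == 1 {
			level = append(level, padNode[:])
		}
		for i := 0; i < n; i++ {
			p := pos[i]
			if p%2 == 0 {
				proofs[i] = append(proofs[i], ProofStep{Sibling: level[p+1], Left: false})
			} else {
				proofs[i] = append(proofs[i], ProofStep{Sibling: level[p-1], Left: true})
			}
			pos[i] = p / 2
		}
		next := make([][]byte, len(level)/2)
		for j := 0; j < len(level); j += 2 {
			next[j/2] = hashNode(level[j], level[j+1])
		}
		level = next
	}
	return level[0], proofs
}

// VerifyInclusion recomputes the root from a leaf and its proof and compares it
// with the published root.
func VerifyInclusion(root, leaf []byte, proof []ProofStep) bool {
	cur := hashLeaf(leaf)
	for _, s := range proof {
		if s.Left {
			cur = hashNode(s.Sibling, cur)
		} else {
			cur = hashNode(cur, s.Sibling)
		}
	}
	return bytes.Equal(cur, root)
}

func main() {
	leaves := SampleLeaves()
	root, proofs := BuildTree(leaves)
	fmt.Println("root:", hex.EncodeToString(root))
	for i, l := range leaves {
		fmt.Printf("%s -> %v\n", l, VerifyInclusion(root, l, proofs[i]))
	}
	// A tampered balance with the original proof must be rejected.
	fmt.Println("tampered:", VerifyInclusion(root, []byte("user:alice,BTC:15,ETH:10"), proofs[0]))
}
```

A production proof-of-reserves tree also carries the summed balances in each node so that the root commits to total liabilities; this example commits only to the leaf set. For the two dependency findings, the standard check for a Go module such as this repository is `govulncheck ./...` from golang.org/x/vuln, which reports only vulnerable functions actually reachable from the code.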
Appendix 1. Severity Definitions
| Severity | Description |
|---|---|
| Critical | Vulnerabilities that can lead to a complete breakdown of the blockchain network's security, privacy, integrity, or availability fall under this category. They can disrupt the consensus mechanism, enabling a malicious entity to take control of the majority of nodes or facilitate 51% attacks. In addition, issues that could lead to widespread crashing of nodes, leading to a complete breakdown or significant halt of the network, are also considered critical along with issues that can lead to a massive theft of assets. Immediate attention and mitigation are required. |
| High | High severity vulnerabilities are those that do not immediately risk the complete security or integrity of the network but can cause substantial harm. These are issues that could cause the crashing of several nodes, leading to temporary disruption of the network, or could manipulate the consensus mechanism to a certain extent, but not enough to execute a 51% attack. Partial breaches of privacy, unauthorized but limited access to sensitive information, and affecting the reliable execution of smart contracts also fall under this category. |
| Medium | Medium severity vulnerabilities could negatively affect the blockchain protocol but are usually not capable of causing catastrophic damage. These could include vulnerabilities that allow minor breaches of user privacy, can slow down transaction processing, or can lead to relatively small financial losses. It may be possible to exploit these vulnerabilities under specific circumstances, or they may require a high level of access to exploit effectively. |
| Low | Low severity vulnerabilities are minor flaws in the blockchain protocol that might not have a direct impact on security but could cause minor inefficiencies in transaction processing or slight delays in block propagation. They might include vulnerabilities that allow attackers to cause nuisance-level disruptions or are only exploitable under extremely rare and specific conditions. These vulnerabilities should be corrected but do not represent an immediate threat to the system. |
Appendix 2. Scope
The scope of the project includes the following components from the provided repository:
| Scope Details | |
|---|---|
| Repository | https://github.com/gateio/proof-of-reserves |
| Commit | ea647e23bad94e6417df3f05277c6caa8959d0f4 |
| Proof of Reserve Upgrade | https://www.gate.io/learn/articles/gate-io-proof-of-reserve-upgrade/855 |
| Announcement | https://www.gate.io/announcements/article/33123 |