- Hacken
- Audits
- hello-labs
- [SCA] Hello Labs | Bridge Rust | May2024
Introduction
We express our gratitude to the HELLO Labs team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.
Hello Bridge is a Solana - EVM Bridge for the HELLO Token.
| title | content |
|---|---|
| Platform | Solana |
| Language | Rust |
| Tags | Bridge |
| Timeline | 06/05/2024 - 09/05/2024 |
| Methodology | https://hackenio.cc/sc_methodology→ |
Review Scope | |
|---|---|
| Repository | https://github.com/sevenlabs-hq/hellolabs-token-bridge-program→ |
| Commit | 2d7ba697864f8770e8ea431312883d1c9d7cf200 |
Review Scope
- Commit
- 2d7ba697864f8770e8ea431312883d1c9d7cf200
Audit Summary
7/10
N/A
6/10
7/10
The system users should acknowledge all the risks summed up in the risks section of the report
Document Information
This report may contain confidential information about IT systems and the intellectual property of the Customer, as well as information about potential vulnerabilities and methods of their exploitation.
The report can be disclosed publicly after prior consent by another Party. Any subsequent publication of this report shall be without mandatory consent.
Document | |
|---|---|
| Name | Smart Contract Code Review and Security Analysis Report for HELLO Labs |
| Audited By | Lukasz Mikula |
| Approved By | Ataberk Yavuzer, Przemyslaw Swiatowiec |
| Website | TBC |
| Changelog | 10/05/2024 - Preliminary Report |
| 14/05/2024 - Final Report |
Document
- Name
- Smart Contract Code Review and Security Analysis Report for HELLO Labs
- Audited By
- Lukasz Mikula
- Approved By
- Ataberk Yavuzer, Przemyslaw Swiatowiec
- Website
- TBC
- Changelog
- 10/05/2024 - Preliminary Report
- 14/05/2024 - Final Report
System Overview
Hello Bridge is a Solana - EVM Bridge with the following utilities:
pausing the bridge
changing the authority / signers
deposit by users
withdraw by users
adding/removing supported EVM chains
Privileged roles
Bridge authority is the most privileged role that can change bridge authority,
Signers can confirm withdrawal transactions via an off-chain logic.
Executive Summary
Documentation quality
The total Documentation quality score is 7 out of 10.
The documentation is missing
Technical description is not provided.
Code quality
The total Code quality score is 4 out of 10.
The code does not utilize best practices in common patterns for example related to secure ownership transfers or decentralization
The code is missing threshold safety checks to avoid human errors - for example, edge or incorrect values of key parameters are not checked and the program relies on the protocol administrator to set proper parameter values
The code lacks proper event emissions which increases transparency and trackability of the protocol events
Error messages are missing on unchecked arithmetic
Finally, potential unbounded loops exist in the code that may lead to DoS issues
Test coverage
Code coverage of the project is N/A.
Some unit tests were provided
It was required to amend the tests in order to get them working due to a hardcoded, nonexistent private key
The Score is N/A since there is no reliable tool to calculate Solana test coverage
Security score
Upon auditing, the code was found to contain 1 critical, 0 high, 0 medium, and 3 low severity issues, leading to a security score of 7 out of 10.
All identified issues are detailed in the “Findings” section of this report.
Summary
The comprehensive audit of the customer's smart contract yields an overall score of 7. This score reflects the combined evaluation of documentation, code quality, test coverage, and security aspects of the project.
Risks
Scope Definition and Security Guarantees: The audit does not cover all code in the repository. Contracts outside the audit scope may introduce vulnerabilities, potentially impacting the overall security due to the interconnected nature of smart contracts. A significant part of the protocol relies on backend logic which processes the bridge operations. Any risk related to that part of the protocol is unknown since backend was not subject to the audit.
Fixed Total Supply Post-Deployment: The token’s total supply is determined at deployment and cannot be verified later, potentially limiting the project’s adaptability and economic model flexibility.
Dynamic Array Iteration Gas Limit Risks: The project iterates over vectors but they seem to be limited to several items related to number of supported EVM chain, which as long as there are only few ones is safe, but otherwise leads to excessive gas costs, risking denial of service due to out-of-gas errors, directly impacting contract usability and reliability.
Absence of Time-lock Mechanisms for Critical Operations: Without time-locks on critical operations, there is no buffer to review or revert potentially harmful actions, increasing the risk of rapid exploitation and irreversible changes.
Insufficient Multi-signature Controls for Critical Functions: The lack of multi-signature requirements for key operations centralizes decision-making power, increasing vulnerability to single points of failure or malicious insider actions, potentially leading to unauthorized transactions or configuration changes.
Single Points of Failure and Control: The project is partially centralized, introducing single points of failure and control, when it comes to the bridge authority able to pause the contract or disable/enable EVM chains. This centralization can lead to vulnerabilities in decision-making and operational processes, making the system more susceptible to targeted attacks or manipulation.
Administrative Key Control Risks: The digital contract architecture relies on administrative keys for critical operations. Centralized control over these keys presents a significant security risk, as compromise or misuse can lead to unauthorized actions or loss of funds.
Single Entity Upgrade Authority: The token ecosystem grants a single entity the authority to implement upgrades or changes. This centralization of power risks unilateral decisions that may not align with the community or stakeholders' interests, undermining trust and security.
Findings
Code ― | Title | Status | Severity | |
|---|---|---|---|---|
| F-2024-2404 | Insufficient validation allows anyone to perform fake deposits | mitigated | Critical | |
| F-2024-2403 | The chain list might contain duplicates, which might break the protocol logic | fixed | Low | |
| F-2024-2402 | Missing two-step ownership transfer | mitigated | Low | |
| F-2024-2400 | Centralization concerns | accepted | Low | |
| F-2024-2464 | Unbounded loops may lead to denial of service | accepted | Observation | |
| F-2024-2463 | Insufficient validation of mint account during initialization | accepted | Observation | |
| F-2024-2461 | Arithmetic operations may panic on overflow | accepted | Observation | |
| F-2024-2401 | Missing events emission | accepted | Observation | |
| F-2024-2399 | Vulnerable dependencies in use | accepted | Observation |
Appendix 1. Severity Definitions
When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.
Reference on how risk scoring is done is available through the repository in our Github organization:
Severity | Description |
|---|---|
Critical | Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation. |
High | High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation. |
Medium | Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category. |
Low | Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score. |
Severity
- Critical
Description
- Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.
Severity
- High
Description
- High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.
Severity
- Medium
Description
- Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.
Severity
- Low
Description
- Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.
Appendix 2. Scope
The scope of the project includes the following smart contracts from the provided repository:
Scope Details | |
|---|---|
| Repository | https://github.com/sevenlabs-hq/hellolabs-token-bridge-program→ |
| Commit | 2d7ba697864f8770e8ea431312883d1c9d7cf200 |
| Whitepaper | N/A |
| Requirements | N/A |
| Technical Requirements | N/A |
Scope Details
- Commit
- 2d7ba697864f8770e8ea431312883d1c9d7cf200
- Whitepaper
- N/A
- Requirements
- N/A
- Technical Requirements
- N/A