
Audit name: [dApp] Hive | Metamask Snap Audit | May2025

Date: May 23, 2025

Table of Contents

Introduction
Audit Summary
System Overview
Findings
Appendix 1. Severity Definitions
Appendix 2. Scope
Disclaimer


Introduction

We express our gratitude to the Hive team for the collaborative engagement that enabled the execution of this dApp Security Assessment.

Hive's Snap is a MetaMask Snap that enables interaction with the Hive blockchain: it lets users sign transactions and encrypt or decrypt buffer messages.

Document

Name: MetaMask Snap Code Review And Security Analysis Report for Hive
Audited By: Abdelfattah Ibrahim
Approved By: Stephen Ajayi
Website: https://hive.io
Changelog: 20/05/2025 - Preliminary Report
Changelog: 23/05/2025 - Final Report
Platform: MetaMask Snap
Language: TypeScript, JavaScript
Tags: MetaMask Snap, dApp
Methodology: https://hackenio.cc/dApp_methodology

Review Scope

Repository: https://github.com/openhive-network/metamask-snap
Initial Commit: 24c253c47856553efd9013e93f5a1a7fab9f8ede
Final Commit: 698c11cd4fe84cd60aae401b5e5886b25567e22a
Semantic Version: 1.6.0

Audit Summary

Total Findings: 6
Resolved: 4
Accepted: 2
Mitigated: 0

System users should acknowledge all the risks summarized in the risks section of the report.

Documentation quality

  • The repository has a README file, providing clear and detailed information on setup and usage.

  • The project is well-organized into packages, making it easy to navigate and understand.

  • Areas to Improve: Add more comments to the codebase to make it easier to contribute and audit the code.

Code quality

  • Presence of test files indicates a focus on verifying functionality.

  • Configuration files for ESLint and Prettier ensure consistent code style and formatting.

  • Code is divided into packages and modules, promoting reusability and maintainability.

System Overview

The Hive MetaMask Snap allows users to interact with the Hive blockchain using their MetaMask wallet, enabling them to sign transactions and encrypt messages on Hive. Developers can easily integrate Hive functionality into their dApps through simple MetaMask interactions.

Core Components:

  • Public key management: Retrieves public keys for different roles (posting, active, memo)

  • Message Encryption/Decryption

  • Transaction Signing

Findings

Code | Title | Status | Severity
F-2025-1046 | Private Key Retrieved Unnecessarily During Public Key Derivation | Fixed | High
F-2025-1046 | Insecure Handling of Private Keys | Fixed | High
F-2025-1046 | Incorrect Key Validation Logic | Fixed | Medium
F-2025-1046 | Missing Origin Validation and Over-privileged RPC Endowment | Accepted | Low
F-2025-1047 | Misleading variable name in EncodeBuffer | Fixed | Observation
F-2025-1047 | Caret Range Versioning in Dependency Management | Accepted | Observation

Appendix 1. Severity Definitions

Severity | Description

Critical: These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm.

High: These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of a potential security breach.

Medium: These issues present a moderate risk to the system and cannot have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention.

Low: These issues present no risk to the system and typically relate to code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation.

Appendix 2. Scope

The scope of the project includes the following files from the provided repository:

Scope Details

Repository: https://github.com/openhive-network/metamask-snap
Initial Commit: 24c253c47856553efd9013e93f5a1a7fab9f8ede
Final Commit: 698c11cd4fe84cd60aae401b5e5886b25567e22a
Semantic Version: 1.6.0

Assets in Scope

Metamask Snap - Metamask Snap

Disclaimer