Audit name:

[L1] Near | Nearcore | Oct2023

Date:

Oct 24, 2023

Table of Contents

Introduction
Audit Summary
Document Information
System Overview
Executive Summary
Findings
Appendix 1. Severity Definitions
Appendix 2. Scope
Disclaimer

Introduction

This report may contain confidential information about IT systems and the intellectual property of the Customer, as well as information about potential vulnerabilities and methods of their exploitation.

Platform: NEAR
Language: Rust
Tags: L1
Timeline: 17/07/2023 - 23/10/2023
Methodology: https://hackenio.cc/blockchain_methodology

    Review Scope

    Repository: https://github.com/near/nearcore
    Commit: 1e781bcccfaeb9a4bb9531155193a459257afd8d

    Audit Summary

    Total: 10/10
    Security Score: 10/10
    Test Coverage: 10/10
    Code Quality Score: 10/10
    Documentation Quality Score: 10/10

    Total Findings: 9
    Resolved: 8
    Accepted: 1
    Mitigated: 0

    The system users should acknowledge all the risks summed up in the risks section of the report.

    Document Information

    This report may contain confidential information about IT systems and the intellectual property of the Customer, as well as information about potential vulnerabilities and methods of their exploitation.

    The report can be disclosed publicly after prior consent by another Party. Any subsequent publication of this report shall be without mandatory consent.

    Document

    Name: Blockchain Protocol Review and Security Analysis Report for NEAR
    Audited By: Hacken
    Approved By: Luciano Ciattaglia ([email protected])
    Website: https://near.org/
    Changelog: 23/10/2023 - Final Report

    System Overview

    The Near Protocol, a decentralized application platform designed for scalable and user-friendly apps, has been gaining traction in the blockchain community. With a focus on usability and scalability, Near provides developers with tools to create efficient decentralized applications.

    At Hacken, we conducted security research on nearcore, revealing findings ranging from informational to low severity.

    Our primary focus was on identifying critical vulnerabilities that could potentially lead to a loss of funds or unauthorized minting of tokens, as well as vulnerabilities that could incapacitate the network or a segment of it.

    The logical state of the blockchain in nearcore is split into two components: chain and runtime. These two are the main components in our scope of research. The chain is responsible for block and chunk production and processing, consensus, and validator selection. The runtime is responsible for applying transactions to the state.

    We verified the block and chunk production and validation logic for safety, liveness, and correctness. Continuous fuzzing of block and chunk production and serialization didn't yield any issues, only a few false positives and an issue in the Arbitrary derivation, which is not part of the scope of our research. We manually explored the related codebase and tests to learn how it works. We didn't find a way to produce an invalid chunk and include it in a block. The chunk creation and distribution logic is well-designed, having undergone many refactors over the last few years. The use of erasure coding means that only a subset of validators is needed to reconstruct an entire chunk, ensuring data integrity and availability. After checking how incoming chunks are processed and validated, we didn't find a way to corrupt a chunk that would go unnoticed.

    In our deep dive into chunk production, we focused on transaction validation and processing. It's crucial to ensure the integrity and accuracy of all related processes. We set up continuous fuzzing for transaction and receipt serialization and also checked related bug bounty findings. There is one very interesting finding that exposes a vulnerability, enabling a hacker to mint tokens from thin air by duplicating receipts. This critical issue was promptly fixed the day after the bug submission and is currently being evaluated for a payout, which is anticipated to be a significant amount, acknowledging the seriousness of the vulnerability. Post-fix, we confirmed that the issue could no longer be reproduced, ensuring the robustness of our system.

    Nearcore has an impressive stateless runtime implementation, but it demands a thorough understanding of its design and the mechanisms invented for specific scenarios. We like that it's possible to bundle many actions into one transaction, ensuring they all execute or fail together. As the Near Protocol is a sharded blockchain, it has developed a way to process transactions that go beyond its signer shard. This area seemed ripe for potential issues, but our investigations found it to be robust. We believe, however, that this area still requires vigilant attention from developers due to its potential impact on network economics.

    Near supports nine different transaction types. The most significant one allows the execution of smart contracts inside the Near VM. Our approach here involved continuous fuzzing, aiming to identify crashes and subsequently investigate with test code. Most crashes were false positives, but some highlighted gaps in the singlepass compiler. One particular crash could disrupt the contract compilation process, but this has been addressed in the current protocol version.

    The blockchain state in nearcore adopts an MPT structure, akin to Ethereum's but with unique modifications. While documentation on this storage approach is sparse, our codebase investigation found its design for recording and committing changes to be sound. We did identify a minor issue with TrieKey serialization related to data separator inconsistency, but this impacts only code quality, not security.

    Executive Summary

    Documentation quality

    Near boasts comprehensive documentation, illuminating the concepts and architecture of the node and protocol. Additionally, the specifications for all protocol components are of high quality. While we initially found that the runtime crates' documentation was outdated, this has since been updated. Additionally, the previously identified broken links throughout the codebase and readme files have been rectified. These improvements have effectively resolved the minor inconsistencies that could have potentially misled readers or developers.

    The total Documentation quality score is 10 out of 10.

    Code quality

    The nearcore is renowned for its high code quality, effectively utilizing the capabilities of the Rust programming language and its architectural patterns. As part of their ongoing commitment to security and excellence, the project developers have implemented a significant enhancement in their continuous integration (CI) process. By integrating cargo-audit into their CI system, the Near Protocol team ensures the enforcement of a "no vulnerable dependency" policy, not just as a one-time fix but as a sustained, long-term change. This proactive approach continuously safeguards against potential vulnerabilities. Furthermore, the few vulnerable or outdated external dependencies previously identified have been promptly updated. The Wasmtime dependency has been upgraded to ensure compatibility with its latest version. Concerning the singlepass compiler's validation process during compilation, a low-severity issue, it's noteworthy that a separate validation mechanism within near_vm_runner filters out unsupported features before compilation. The initial concerns regarding the test code quality, specifically adherence to best practices and inconsistent test coverage measurements, particularly for external tests, have been addressed and are now marked as resolved by the Near Protocol team.

    The total Code quality score is 10 out of 10.

    Architecture quality

    The architecture of nearcore is commendable. Designed with sharding at its core, it embodies scalability from day one. While no system is flawless, our comprehensive research did not identify any high-level architectural issues in nearcore.

    Code coverage of the project is 10 out of 10.

    Security score

    Our exhaustive research did not unearth any critical security flaws within the audit's scope. However, a few high-severity issues identified by bug hunters were promptly addressed and rectified. At this project stage, we believe that a bug bounty program is invaluable, often leading to in-depth, focused investigations.

    In conclusion, nearcore is a high-quality blockchain project.

    The total Security score is 10 out of 10.

    Summary

    The comprehensive audit of the customer's smart contract yields an overall score of 10. This score reflects the combined evaluation of documentation, code quality, architecture quality, and security aspects of the project.

    Findings

    | Code | Title | Status | Severity |
    | F-2023-1640 | Singlepass Compiler Vulnerability: Absence of wasm Feature Validation | fixed | Low |
    | F-2023-164 | Address Vulnerable, Outdated, and Unmaintained Dependencies | fixed | Low |
    | F-2023-1642 | Address Broken Links Throughout Codebase | fixed | Low |
    | F-2023-164 | Inconsistent TrieKey Implementation | fixed | Low |
    | F-2023-1648 | Upgrade Wasmtime Dependency and Adjust for API Changes | fixed | Observation |
    | F-2023-1647 | Test Fixtures And Coverage Analysis | fixed | Observation |
    | F-2023-1646 | Rectification of Documentation Inconsistencies | fixed | Observation |
    | F-2023-164 | NearVM runtime crates has inadequate documentation and TODO annotations | fixed | Observation |
    | F-2023-164 | Inherent risk with use of "clamp" function for gas price validation | accepted | Observation |

    Appendix 1. Severity Definitions

    Severity

    Description

    Critical
    Vulnerabilities that can lead to a complete breakdown of the blockchain network's security, privacy, integrity, or availability fall under this category. They can disrupt the consensus mechanism, enabling a malicious entity to take control of the majority of nodes or facilitate 51% attacks. In addition, issues that could lead to widespread crashing of nodes, leading to a complete breakdown or significant halt of the network, are also considered critical along with issues that can lead to a massive theft of assets. Immediate attention and mitigation are required.

    High
    High severity vulnerabilities are those that do not immediately risk the complete security or integrity of the network but can cause substantial harm. These are issues that could cause the crashing of several nodes, leading to temporary disruption of the network, or could manipulate the consensus mechanism to a certain extent, but not enough to execute a 51% attack. Partial breaches of privacy, unauthorized but limited access to sensitive information, and affecting the reliable execution of smart contracts also fall under this category.

    Medium
    Medium severity vulnerabilities could negatively affect the blockchain protocol but are usually not capable of causing catastrophic damage. These could include vulnerabilities that allow minor breaches of user privacy, can slow down transaction processing, or can lead to relatively small financial losses. It may be possible to exploit these vulnerabilities under specific circumstances, or they may require a high level of access to exploit effectively.

    Low
    Low severity vulnerabilities are minor flaws in the blockchain protocol that might not have a direct impact on security but could cause minor inefficiencies in transaction processing or slight delays in block propagation. They might include vulnerabilities that allow attackers to cause nuisance-level disruptions or are only exploitable under extremely rare and specific conditions. These vulnerabilities should be corrected but do not represent an immediate threat to the system.

    Appendix 2. Scope

    The scope of the project includes the following smart contracts from the provided repository:

    Scope Details

    Repository: https://github.com/near/nearcore
    Commit: 1e781bcccfaeb9a4bb9531155193a459257afd8d

    Accounts

    • Accounts implementation review.

    • Security vectors analysis (data availability, nonce…)

    Chain

    • Tx and receipt implementation review (defaults, timestamps, assembly).

    • Block and chunk production and validation logic review.

    • Bootstrap review (genesis, seed peers).

    • Mempool review (defaults, timestamps).

    • Economics and staking model review.

    • Standard attacks review (replay, malleability…)

    Consensus

    • Consensus implementation review (validation, fork…)

    • Attack scenarios analysis (liveness, finality, eclipse, double spend…)

    • Upgrade mechanisms review.

    Runtime/VM

    • Runtime implementation review.

    • VM implementation review.

    • Smart contract implementation review.

    • Known VM Vulnerabilities review.

    • Attack scenarios analysis (Gas, race, stack, DoS, state implosion…)

    • Contract storage implementation review.

    Light client integration

    • Light client block validation logic review.

    • Light client execution proof verification logic review.

    Disclaimer