Company Description: EOSBet is a decentralized, demonstrably fair gaming platform on the EOS.IO blockchain. The company offers fun, no-fee betting, high-speed games, and an innovative player rewards scheme.
Service: EOS Smart Contract Audit
‘So far we have received 3 audits from Hacken and have found their work to be consistent, detailed and thorough. We are currently developing a solution to allow Bitcoin and Altcoin acceptance on the platform, and plan to hire Hacken again to review this code.’ — CEO EOSBET.
As a platform that has seen over a quarter billion dollars in cryptocurrency wagers placed through smart contracts, security is a top priority. EOS.IO is a completely new and untested blockchain innovation that has an array of quirks, bugs, and unknowns. After the first security breach, the company realized that it was incumbent upon them, as the largest dApp on EOS, to strengthen their security procedures.
EOSBet laid out a detailed internal roadmap of security enhancements, a key piece of which was frequent and thorough audits for each new contract developed.
The two latest EOSBet smart contracts that Hacken audited were the token smart contract and the decentralized account system smart contract. These two contracts are tightly coupled and allow players to gamble without an EOS account (while keeping full custody of their funds). Players can also receive EOS payouts to their account via EOSBet’s dividend token. Since this contract will hold every gambler’s funds, it is extremely important that it is safe and secure.
The EOSBet (BET) token is a standard EOS token with some modifications. The token allows a holder to receive dividend payouts in EOS. The contract communicates directly with the EOSBet account system contract (deployed to the contract account ezeosaccount). When a user transfers their tokens, the record of their claimed dividends is transferred along with them to ezeosaccount. This means that a user cannot claim dividends with one account, transfer the tokens to another account, and then claim again from the second account.
There are six different types of token transfers, and each case requires different logic. We need to track the transfer and receipt of BET tokens, decreasing or increasing the BET balance accordingly. We also must track the amount of dividends the user has already claimed, so that a user cannot claim dividends again after transferring tokens to a new account.
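The bookkeeping described above, as an added worked example that is not EOSBet's contract code: a hypothetical dividend-bearing token keeps, per holder, a BET balance and the dividend credit already accounted for, plus a global cumulative dividends-per-token counter. A transfer moves the credit attached to the transferred tokens together with the tokens, so a receiver cannot claim what the sender already took, and a sender who had not yet claimed keeps their entitlement. A deliberately defective transfer that moves only the balance is included for contrast. All names, the fixed-point scale and the EOSIO-free in-memory map are assumptions of this illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <stdexcept>
#include <string>

// Hypothetical dividend-bearing token (an illustration, not EOSBet's contract code).
// Per holder: a BET balance and the dividend credit already accounted for ("claimed").
// A global cumulative dividends-per-token counter makes a holder's claimable payout
//     balance * dividends_per_token - claimed
// so the bookkeeping moves with the tokens on every transfer.
struct holder {
    int64_t balance = 0;  // BET tokens held
    int64_t claimed = 0;  // dividend credit consumed, in scaled units (see kScale)
};

class dividend_token {
    static constexpr int64_t kScale = 1000000;  // fixed-point scale for per-token arithmetic
    std::map<std::string, holder> holders_;
    int64_t total_supply_ = 0;
    int64_t dividends_per_token_ = 0;  // cumulative EOS paid per BET, scaled by kScale

public:
    void issue(const std::string& to, int64_t amount) {
        holder& h = holders_[to];
        h.balance += amount;
        h.claimed += amount * dividends_per_token_;  // new tokens earn nothing retroactively
        total_supply_ += amount;
    }

    // Pay `eos_amount` of EOS to all current holders pro rata.
    void distribute(int64_t eos_amount) {
        if (total_supply_ == 0) throw std::runtime_error("no token holders");
        dividends_per_token_ += eos_amount * kScale / total_supply_;
    }

    int64_t claimable(const std::string& who) const {
        auto it = holders_.find(who);
        if (it == holders_.end()) return 0;
        int64_t v = (it->second.balance * dividends_per_token_ - it->second.claimed) / kScale;
        return v < 0 ? 0 : v;  // only the defective transfer below can drive this negative
    }

    int64_t claim(const std::string& who) {
        int64_t amount = claimable(who);
        holders_[who].claimed += amount * kScale;
        return amount;
    }

    // Correct transfer: the credit attached to `amount` tokens moves with them, so the
    // receiver cannot claim dividends the sender already took, and a sender who had not
    // yet claimed keeps the entitlement (their claimed credit goes negative by that much).
    void transfer(const std::string& from, const std::string& to, int64_t amount) {
        holder& s = holders_[from];
        if (amount <= 0 || s.balance < amount) throw std::runtime_error("insufficient balance");
        int64_t moved_credit = amount * dividends_per_token_;
        s.balance -= amount;
        s.claimed -= moved_credit;
        holder& r = holders_[to];
        r.balance += amount;
        r.claimed += moved_credit;
    }

    // Defective transfer for contrast: the balance moves but the claimed credit does not,
    // so the receiver can claim a payout the sender has already collected.
    void transfer_without_credit(const std::string& from, const std::string& to, int64_t amount) {
        holder& s = holders_[from];
        if (amount <= 0 || s.balance < amount) throw std::runtime_error("insufficient balance");
        s.balance -= amount;
        holders_[to].balance += amount;
    }
};

int main() {
    dividend_token bet;
    bet.issue("alice", 1000);
    bet.distribute(500);
    std::printf("alice claims %lld EOS\n", (long long)bet.claim("alice"));
    bet.transfer("alice", "bob", 1000);
    std::printf("bob can claim %lld EOS after the transfer\n", (long long)bet.claimable("bob"));
    return 0;
}
```

With the correct transfer, alice's payout of 500 EOS cannot be collected a second time by bob; with the defective one, bob's claimable balance would be 500 EOS again.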
We had always done internal audits, community-based reviews, and public bug bounties, but felt that we should work with an experienced firm. We had spoken to a few different audit companies. Hacken was recommended to us by Nathan James of Scatter, and we found them both professional and reasonably priced.
During an audit, it is necessary to check that every action performs the authorization checks it requires. If a function acts on information received from another source, the contract must verify that the sender really is the expected source before trusting it.
It is also good practice to use the official libraries when developing the contract, so that the behaviour relied upon matches the documentation.
A smart contract can work on its own or in conjunction with other contracts. When a contract interacts with another contract, it is necessary to trace that connection and ensure that all parameters are passed correctly and that the relevant terms and fees are fully understood and agreed.
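The two checks just described (that an action carries the right authority, and that information received from another contract comes from the expected source), as an added example that is not the page's or EOSBet's code. It mocks the small part of the EOSIO action context it needs: `self` is the executing contract, `code` is the contract whose action triggered the handler, and `require_auth()` aborts unless the named account authorized the action. The ledger class, the field names and the assumption that deposits arrive as EOS transfers notified by the system token contract `eosio.token` are this illustration's own.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <stdexcept>
#include <string>

// Mock of the pieces of the EOSIO action context this check needs (an illustration,
// not the EOSIO library): `self` is the executing contract, `code` is the contract whose
// action triggered the handler, and require_auth() aborts unless the named account
// authorized the action.
struct action_context {
    std::string self;
    std::string code;
    std::string authorized_by;  // constructed stand-in for the signing authority
};

struct transfer_args {
    std::string from;
    std::string to;
    int64_t amount;      // smallest units
    std::string symbol;  // e.g. "EOS"
};

void require_auth(const action_context& ctx, const std::string& account) {
    if (ctx.authorized_by != account) throw std::runtime_error("missing required authority");
}

// Player balance ledger for a contract that accepts EOS deposits notified by the system
// token contract and lets players withdraw. Class and method names are hypothetical.
class deposit_ledger {
    std::map<std::string, int64_t> balances_;
public:
    int64_t balance(const std::string& who) const {
        auto it = balances_.find(who);
        return it == balances_.end() ? 0 : it->second;
    }

    // Returns true when the deposit is credited, false when the notification is ignored.
    bool on_transfer_notification(const action_context& ctx, const transfer_args& t) {
        // Source check: only the system token contract can notify us of a real EOS transfer.
        if (ctx.code != "eosio.token") return false;
        // Our own outgoing transfers notify us too; they are not deposits.
        if (t.from == ctx.self) return false;
        // Parameter checks: addressed to us, expected symbol, positive amount.
        if (t.to != ctx.self || t.symbol != "EOS" || t.amount <= 0) return false;
        balances_[t.from] += t.amount;
        return true;
    }

    // Any action that spends a user's balance must carry that user's own authority.
    bool withdraw(const action_context& ctx, const std::string& user, int64_t amount) {
        require_auth(ctx, user);
        if (amount <= 0 || balance(user) < amount) return false;
        balances_[user] -= amount;
        return true;
    }
};

// Lets a caller observe the authority failure as a value instead of an abort.
bool withdraw_rejected_for_missing_auth(deposit_ledger& l, const action_context& ctx,
                                        const std::string& user, int64_t amount) {
    try { l.withdraw(ctx, user, amount); return false; }
    catch (const std::runtime_error&) { return true; }
}

int main() {
    deposit_ledger ledger;
    action_context from_token{"ezeosaccount", "eosio.token", "alice"};
    ledger.on_transfer_notification(from_token, transfer_args{"alice", "ezeosaccount", 1000, "EOS"});
    action_context from_other{"ezeosaccount", "othertoken", "alice"};
    bool credited = ledger.on_transfer_notification(from_other, transfer_args{"alice", "ezeosaccount", 1000, "EOS"});
    std::printf("alice balance %lld, notification from othertoken credited: %s\n",
                (long long)ledger.balance("alice"), credited ? "yes" : "no");
    return 0;
}
```

Each rejected case returns false without touching the ledger, which is what an auditor looks for: the contract decides based on who sent the notification and what it contains, not on the shape of the data alone.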
After the audit was completed, 2 low-severity optimization issues and 3 best-practice recommendations were discovered and presented. Most of the findings of the smart contract audit are disclosed below for this case study.
The public_key type is assumed to contain a data array of 34 bytes. Instead of copying it byte by byte in the constructor, it is more efficient to copy the range into the vector using assign or std::copy:
user_key.assign(pub_key_data.begin() + 1, pub_key_data.begin() + 32);
TIP: Always use the official libraries, so that your resources are used in the most effective way.
Inside the get_token_balance function, the table’s get method is used to retrieve the row. It is far better to use the find method, so that a lookup for a user who holds no BET tokens does not raise an exception.
The same issue is present in the CLAIMDIVSEZ function.
pub_key_str = pub_key_str.substr(3);
The previous instruction extracts the substring from position 3 to the end of the string. It is more efficient to use the erase function to remove the leading characters in place.
The private functions Get_transfer_divs_deduct_sender_by_eos_acct and Get_transfer_divs_deduct_sender_by_ez should also be covered by unit tests, because their calculations are complex enough that unforeseen errors are likely without them.
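The three code-level findings above (byte-by-byte copying versus a range assign, get versus find on a table, and substr(3) versus erase), carried through as an added example that is not the audited EOSBet code. It contains no EOSIO dependency: the table is an in-memory stand-in whose get() throws where the real multi_index get() would abort the transaction, the 34-byte key layout (one type byte, then key data) and the sample key are constructed, and every function name is this illustration's own. The accompanying checks double as the kind of unit tests the last finding asks for.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

// --- Finding: copying key bytes out of a public_key -----------------------------
// Assumption: the key is a 34-byte array, one type byte followed by 33 bytes of key data
// (the audit only states the 34-byte length).
using public_key_data = std::array<uint8_t, 34>;

// Constructed sample key: type byte 0, then bytes 1..33 (not a real key).
public_key_data sample_public_key() {
    public_key_data pk{};
    for (size_t i = 0; i < pk.size(); ++i) pk[i] = static_cast<uint8_t>(i);
    return pk;
}

// The pattern the audit flagged: one push_back per byte.
std::vector<uint8_t> key_bytes_by_loop(const public_key_data& pk) {
    std::vector<uint8_t> out;
    for (size_t i = 1; i < pk.size(); ++i) out.push_back(pk[i]);
    return out;
}

// Recommended: a single range assign (std::copy with a back_inserter is equivalent).
std::vector<uint8_t> key_bytes_by_assign(const public_key_data& pk) {
    std::vector<uint8_t> out;
    out.assign(pk.begin() + 1, pk.end());
    return out;
}

// --- Finding: get() versus find() on a table ------------------------------------
// Stand-in for an EOSIO multi_index table keyed by account name (not the real library).
// Real multi_index::get() aborts the whole transaction when the row is missing; the mock
// throws to model that. find() hands back a sentinel the caller has to check.
struct balance_row { std::string owner; int64_t amount; };

class balance_table {
    std::map<std::string, balance_row> rows_;
public:
    void emplace(const std::string& owner, int64_t amount) { rows_[owner] = {owner, amount}; }
    const balance_row& get(const std::string& owner) const {
        auto it = rows_.find(owner);
        if (it == rows_.end()) throw std::runtime_error("unable to find key");
        return it->second;
    }
    const balance_row* find(const std::string& owner) const {
        auto it = rows_.find(owner);
        return it == rows_.end() ? nullptr : &it->second;
    }
};

// As audited: a user who never held BET makes the whole lookup fail.
int64_t get_token_balance_with_get(const balance_table& t, const std::string& owner) {
    return t.get(owner).amount;
}

// Recommended: a missing row is simply a zero balance.
int64_t get_token_balance_with_find(const balance_table& t, const std::string& owner) {
    const balance_row* r = t.find(owner);
    return r ? r->amount : 0;
}

bool get_fails_for(const balance_table& t, const std::string& owner) {
    try { get_token_balance_with_get(t, owner); return false; }
    catch (const std::runtime_error&) { return true; }
}

// --- Finding: substr(3) versus erase(0, 3) ---------------------------------------
// Both drop a 3-character prefix such as "EOS"; erase works in place, and erase(0, n)
// never throws on a short string, whereas substr(3) throws std::out_of_range if size() < 3.
std::string strip_prefix_substr(const std::string& s) { return s.substr(3); }
std::string strip_prefix_erase(std::string s) { s.erase(0, 3); return s; }

bool substr_throws(const std::string& s) {
    try { strip_prefix_substr(s); return false; }
    catch (const std::out_of_range&) { return true; }
}

int main() {
    balance_table t;
    t.emplace("alice", 500);
    std::printf("alice: %lld, bob: %lld\n", (long long)get_token_balance_with_find(t, "alice"),
                (long long)get_token_balance_with_find(t, "bob"));
    std::printf("%s\n", strip_prefix_erase("EOSexamplekey").c_str());
    return 0;
}
```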
No system is perfectly secure; no system is without flaws and weaknesses. If you are convinced yours is safe and sound, you just don’t know about potential vulnerabilities yet. Hacken’s specialists know how to secure the future of your business.