Company name: Ambrosus
Company description: Ambrosus is a Blockchain and IoT Ecosystem, built for industrial data management.
Service: Blockchain security review and penetration testing“We appreciated the quality of work done by the Hacken team. They were professional, and thorough in their audit, and allowed us to get a third party perspective on the security of AMB-NET and its accompanying crypto-economic architecture as well as additional tools. If the opportunity presents itself, we look forward to working with them more in the future.” — Dr. Vlad Trifa CPO of Ambrosus.
Ambrosus is a Blockchain and IoT Ecosystem, built for industrial data management. By combining the immutability of a public blockchain with encrypted IoT sensing devices, Ambrosus provides a framework for integrating secure, transparent, and accessible data into the fabric of the physical world. As an Open-sourced Ecosystem Ambrosus allows developers, entrepreneurs, and enterprises to leverage their blockchain and IoT infrastructure to build innovative solutions for the new digital economy.
The project focuses on 2 complex tasks – web/network penetration testing for the deployed nodes, and blockchain security assessment for node codebase and NOP script. Ambrosus agreed to the scope of the work at the start of the project and the review was conducted encompassing the entirety of the scope. The scope includes attacks on all endpoints that are simulated through 4 main classes of potential attackers:
- external attacker
- an external attacker with access to API
- an attacker that hosts a Hermes node
- an attacker that hosts an Atlas/Apollo node
Problems faced by Ambrosus
Ambrosus requested a third-party security audit to help identify potential weaknesses and blind spots across the entire infrastructure of the Ambrosus Network (AMB-NET). This included checking potential entry points that hackers may utilize to compromise the network infrastructure, masternode architecture, smart contract protocols, and Ambrosus powered tools (Dashboard, Explorer, etc.).
Hacken Service Summary
Hacken security consultants imitated hacker activities to test the overall security state of the network. We thoroughly studied the Ambrosus ecosystem and defined crucial checks for a security review. The auditing process is described in the checklist below along with our comments and findings.
- Review of crypto economics specification against potential threats
- Checks for the access control implementation against permissions matrix
- Analysis of potential hash collisions impact
- Analysis of node upgradeability mechanism
- Review of NOP script and analysis of potential threats during deployment
- Testing and code review of token generation mechanism
- Manual review of timeout mechanism
- Analysis of the KYC process
- Manual code review for immutability of data (Merkle proofs etc.)
- Testing against deserialization vulnerabilities
- Analysis of private key storage and usage processes
- Analysis of cryptography implementation
Penetration testing tasks:
- Dump and analyze traffic between nodes
- Testing against privilege escalation
- Docker escape testing
- Fuzzing of APIs (all parameters in GET, POST, PUT requests)
- NoSQL injection testing
- Auto-scanning of the codebase and manual review of auto scanner findings
- Web pentest for Hermes client side
- Network discovery and scanning of the nodes
- DDoS simulation
Security Audit Findings
Based upon the various blockchain related tasks and specific penetration testing simulations, the Hacken team was pleased with the results of the test, and the quality of code on the Ambrosus Platform. While select medium-to-low risk issues were identified, the Hacken team provided clear steps and recommendations on how to fix the presented risks. In response to these recommendations and in light of the positive results of the test, the Ambrosus team accepted the Hacken recommendations and will fix all the security issues identified.
Overall, the security review provided by Hacken focused on blockchain related penetration testing of core components of the Ambrosus Ecosystem. This included among other components, the Node Onboarding Process, a comprehensive review of the crypto-economic infrastructure, Web penetration for the Hermes Masternode client side, as well as a DDoS simulation. The Ambrosus Ecosystem was found to be of high caliber, with only a limited number of medium to low risk issues, that will subsequently be resolved by the Ambrosus team.
According to the review, the Hacken auditors evaluate the security state of the Ambrosus Ecosystem to be highly secure, particularly in light of corrections made by the Ambrosus team from the problems identified. The original code of the Ambrosus infrastructure was noted to be of very good quality. However, with the added fixes, the code is evaluated to be of very high quality.
How Hacken can help
At Hacken, we take security extremely seriously, and all the checks are performed according to the highest standards. If you have any questions about the topic or need a consultation, feel free to contact our Team!