WhiteBIT

This report may contain confidential information about IT systems and the intellectual property of the Customer, as well as information about potential vulnerabilities and methods of their exploitation.

The report can be disclosed publicly after prior consent by another party. Any subsequent publication of this report shall be without mandatory consent.

The system users should acknowledge all the risks summed up in the risks section of the report

Documentation quality

The WB Network node codebase stands out for its extensive documentation across all components encompassed by our audit. The README section aligns seamlessly with the requirements. WhiteBIT engineers furnished detailed justifications throughout the audit process, specifically addressing their token minting approach.

While the rationale behind the changes to Clique block sealing was initially unclear, WhiteBIT's engineering team was able to satisfactorily elucidate their motivation and the challenge they were addressing.

The total Documentation Quality score is 10 out of 10.

Code quality

WB Network node is a testament to best practices in Go programming. The project successfully passed a linter run with default configurations, yielding no warnings for any glaring idiomatic Go issues. This stringent adherence to Go's best practices underlines the team's commitment to maintainability, readability, and stability within the codebase.

The token minting logic is robustly supported by unit tests, making it effortless to manipulate certain test cases for exploring various behaviors.

However, we encountered difficulties verifying the MintState contract runtime bytecode and its hash, owing to the absence of adequate instructions.

While the initial code showed a lack of robust error handling and logging in the minting logic, WhiteBIT made requisite updates during the audit. They also provided Hacken's team with the compiler config which greatly eased bytecode reproduction and verification. Also, the issue related to error handling during token minting (WBT-102) was promptly addressed by WhiteBIT engineers.

In regards to block sealing changes, the lack of testing raised concerns regarding their viability and potential deadlock conditions, given their reliance on blocking and concurrency primitives. After conducting our own tests, we gained a clear understanding of the block sealing changes, which were subsequently reverted by WhiteBIT as they didn't resolve block reorganization issues (See WBT-103 issue) as anticipated.

The total Code Quality score is 10 out of 10.

Arquitecture quality

Built on the foundation of Geth, WB Network node boasts of a well-structured architecture.

Initially, the token minting architecture needed to be clarified, appearing as a workaround rather than an organic part of the overall architecture. However, post-audit WhiteBIT updated documentation to leave no questions regarding architecture and also refactored the code to harmonize better with the existing codebase. They opted not to pursue our suggestion of native contracts due to the increased implementation complexity it would entail.

State migrations have been implemented flexibly, with the capacity to perform diverse migrations at different block heights.

It's important to note that block sealing modifications disrupted the miner worker's and sealing subroutines' concurrent functioning. Despite not causing any deadlock conditions, it was evident this didn't solve the block reorganization problem, leading to its subsequent reversion by WhiteBIT.

The architecture quality score is 10 out of 10.

Security Score

Our extensive analysis of WB Network node did not reveal any issues of high severity.

The majority of the issues raised were addressed in the course of the audit.

The prime area of concern was issue WBT-100, which we strongly advised addressing and the WhiteBIT team took this into account after the audit.

A secondary concern was that token minting is controlled manually by the owner of the MintState contract. This approach exposes the process to human error and we strongly advised against this manual operation. In response, WhiteBIT team added sufficient clarifications to the minting documentation and the white paper.

The final security score is 10 out of 10.

Considering all metrics, the total score of the report is 10 out of 10.

The scope of the project includes the following components from the provided repository:

Protocol Audit

WB Network node implementation (fork of Geth v1.10.26)

Genesis, docs, consensus, fork mechanism.

Geth (changes after v1.10.26)

• Bugs and vulnerabilities introduced in later versions of Geth.

Code Quality

• Static Code Analysis.

• Tests coverage.

Protocol Tests

Node Tests

• Environment Setup.

• E2E sync tests.