Blockchain Audit

At SRLabs, we tackle complex security challenges, and blockchain systems have proven to be an endless source of great security puzzles. We have developed a methodological process for blockchain security validation and presented it to several blockchain development teams.

“We help blockchain technologies to become more mature while having fun discovering new classes of vulnerabilities and innovative attack vectors”

Verify
We review the project design to check whether the relevant attack scenarios are covered and mitigated at the protocol level.
Check
We test the Substrate-based runtime implementation, discovering as many attack vectors as possible and pursuing the most promising ones.
Remediate
We work in close collaboration with the project's core developers to report and remediate the discovered issues.

Our Approach

We follow a hybrid assessment process:
Threat modeling
Each blockchain project has a different attack surface. This is why we always start our audits with threat modeling: we map out how attackers could profit from exploiting each part of the target and list the most likely attack scenarios.
Code review
Manual code review is the core of our security assessments, and it is how we discover logic bugs, the most widespread and impactful bug category our team typically identifies during an assessment. Finding a logic bug requires the audit team to have a detailed understanding of the protocols and business logic involved, which we gain by establishing the threat model first.
Static and Dynamic analysis
To aid our auditing efforts, we implemented static and dynamic analysis tools in-house that cover a wide range of vulnerability classes, from integer overflows to stack exhaustion bugs. These tools include a blockchain runtime fuzzer, the framework of which is open source, and custom-tailored Semgrep rules.
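As an added illustration of the integer-overflow class these tools target (example code written for this page, not SRLabs' tooling and not any real Substrate pallet): a minimal ledger in plain Rust with no Substrate dependency, showing a transfer written with unchecked arithmetic beside its checked counterpart, a checked `mint`, and the conservation invariant a runtime fuzzer would assert after every call. The `Ledger` type, the account ids and the balances are constructed for the example.

```rust
use std::collections::HashMap;

// Hypothetical stand-in for a Substrate balances pallet, written in plain Rust
// with no Substrate dependency so it compiles on its own (constructed for this example).
pub type AccountId = u32;
pub type Balance = u64;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Ledger {
    /// Per-account free balance (models a `StorageMap<AccountId, Balance>`).
    pub balances: HashMap<AccountId, Balance>,
    /// Sum of all balances (models a `StorageValue<Balance>` such as `TotalIssuance`).
    pub total_issuance: Balance,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Error {
    InsufficientBalance,
    Overflow,
}

impl Ledger {
    /// Constructed sample state: account 1 ("Alice") holds 100, account 2 ("Bob") holds 50.
    pub fn sample() -> Self {
        let mut balances = HashMap::new();
        balances.insert(1, 100);
        balances.insert(2, 50);
        Ledger { balances, total_issuance: 150 }
    }

    pub fn balance_of(&self, who: AccountId) -> Balance {
        *self.balances.get(&who).unwrap_or(&0)
    }

    /// VULNERABLE: a transfer written with plain `-` and `+`. A runtime built
    /// with `overflow-checks = false` (the default release profile) wraps
    /// silently; `wrapping_*` spells that behaviour out so the example runs the
    /// same under debug and release builds. Sending more than you own underflows
    /// the sender to ~u64::MAX and mints value out of nothing.
    pub fn transfer_unchecked(&mut self, from: AccountId, to: AccountId, amount: Balance) {
        let new_from = self.balance_of(from).wrapping_sub(amount);
        let new_to = self.balance_of(to).wrapping_add(amount);
        self.balances.insert(from, new_from);
        self.balances.insert(to, new_to);
    }

    /// HARDENED: every arithmetic step is checked, and the storage writes happen
    /// only after all checks pass, so a failed call leaves state untouched.
    pub fn transfer(&mut self, from: AccountId, to: AccountId, amount: Balance) -> Result<(), Error> {
        let new_from = self
            .balance_of(from)
            .checked_sub(amount)
            .ok_or(Error::InsufficientBalance)?;
        let new_to = self
            .balance_of(to)
            .checked_add(amount)
            .ok_or(Error::Overflow)?;
        self.balances.insert(from, new_from);
        self.balances.insert(to, new_to);
        Ok(())
    }

    /// Issuance is where `checked_add` on the aggregate matters: the total can
    /// overflow even when every individual balance is small.
    pub fn mint(&mut self, to: AccountId, amount: Balance) -> Result<(), Error> {
        let new_total = self.total_issuance.checked_add(amount).ok_or(Error::Overflow)?;
        let new_to = self.balance_of(to).checked_add(amount).ok_or(Error::Overflow)?;
        self.total_issuance = new_total;
        self.balances.insert(to, new_to);
        Ok(())
    }

    /// Conservation invariant a runtime fuzzer would assert after each call:
    /// the balances must sum (without overflow) to the recorded total issuance.
    pub fn invariant_holds(&self) -> bool {
        let sum = self
            .balances
            .values()
            .try_fold(0 as Balance, |acc, b| acc.checked_add(*b));
        sum == Some(self.total_issuance)
    }
}

fn main() {
    let mut bad = Ledger::sample();
    bad.transfer_unchecked(1, 2, 150);
    println!("unchecked: alice={} invariant={}", bad.balance_of(1), bad.invariant_holds());

    let mut good = Ledger::sample();
    println!("checked: {:?} invariant={}", good.transfer(1, 2, 150), good.invariant_holds());
}
```

The unchecked transfer of 150 from an account holding 100 leaves it at `u64::MAX - 49` and breaks the invariant, which is exactly the kind of state a fuzzer detects and a static rule for unchecked `+`/`-` on balance types flags before it ships. In a Substrate runtime the wasm is compiled in release mode, so unless the build profile enables overflow checks plain arithmetic wraps rather than panics; `checked_*` (failing the extrinsic) or `saturating_*` (where saturation is the intended semantics) are the idiomatic fixes.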

Why it matters

We believe that we, and the security community as a whole, share the responsibility to help blockchain technology mature and fulfill its potential to securely handle data and assets in a myriad of new and innovative ways.
Finding impactful vulnerabilities
Our main priority is protecting clients from the most likely and most serious attacks, which are often unique to their blockchain. We identify security bugs through our threat-model-based approach by putting ourselves in the attacker's shoes.
Mitigating found vulnerabilities
We work closely with our clients' core developers, providing both high- and low-level mitigation suggestions and verifying that the applied changes fix the security bugs without introducing further issues.
Helping our clients implement a secure-by-design approach
We provide holistic suggestions for evolving the protocol design, along with coding and configuration best practices that enable secure development. We encourage our clients to adopt internal threat modeling so that the product is designed to be secure at its core.

Explore more

All articles
Extended Android security check: SnoopSnitch tests for Java vulnerabilities (12/5/2022)
Blockchain security – Six common mistakes found in Substrate chains (11/10/2021)