On 17 July 2023, we subjected several of our developments, including the Tangle Network runtime and the critical substrate pallet,
dkg-substrate, to a rigorous external analysis performed by Security Research Labs. This assessment aimed to identify any potential vulnerabilities in the pallet and ensure our platform's robustness and security. We appreciate the meticulous analysis conducted by the audit team, and we're dedicated to addressing the findings to further fortify our platform. Here, we share the results and our actions to address the three issues identified.
1. Debug_Assert: Ensuring Stability in the Tangle Network Runtime
The audit identified a potential issue with the use of
debug_assert in our webb-rs/proposal module. This could lead to a panic in the tangle standalone runtime if the
wrapping_fee exceeds the permissible range of
0 - 10_000.
If an attacker submits an extrinsic with a
wrapping_fee value exceeding
10_000, nodes compiled in debug mode could panic, potentially leading to inconsistencies in nodes built in release mode due to improper handling of the
wrapping_fee value range.
We've implemented robust checks for the
wrapping_fee value. If the range is exceeded, an error will be returned, maintaining the stability of our runtime environment.
2. Extrinsics: Implementing Storage Deposits/Fee to Safeguard Our Storage
The audit revealed that storage deposit fees are missing for
insert(...) statements in the pallets of our
dkg-substrate and Tangle Network. This could potentially allow an attacker to clutter the storage by repeatedly calling extrinsics that save data into our blockchain database.
Without storage deposits, an attacker could repeatedly call the extrinsic, filling up the blockchain storage at a low cost. This could overload our database, challenging our blockchain's smooth operation and the efficient management of storage resources.
We've implemented additional fees or deposits for all affected extrinsics that save data to our blockchain storage. These deposits will be returned to the caller of the extrinsic once the data is removed from the storage database, ensuring fair resource allocation and storage management.
3. Ensuring Safe Arithmetic Operations in Pallet-Eth2-Light-Client
calculate_min_storage_balance_for_submitter in our
pallet-eth2-light-client could potentially cause an arithmetic overflow if the parameter
max_submitted_blocks_by_account has a high enough value.
This integer overflow could crash nodes compiled in debug mode with overflow checks enabled. On nodes with overflow checks disabled, the minimum calculation for storage balance could wrap around, resulting in a low value.
We've replaced the unsafe math operations with safe math functions or performing overflow checks during math operations. This will ensure the robustness of our calculations and the stability of our
We appreciate the thoroughness of the audit and are dedicated to addressing these findings promptly. As always, we remain open to feedback and queries from our community as we continue to shape a secure and efficient Substrate experience, you can join our community channels to contact our team.
Webb, founded by visionary Drew Stone, is a premier cross-chain zero-knowledge messaging layer, dedicated to redefining blockchain privacy. Seamlessly connecting blockchains with state-of-the-art zero-knowledge technology, Webb offers a suite of tools designed to speed deployment of zero-knowledge (ZK) and multi-party computation (MPC) applications in the multi-chain universe. Backed by industry stalwarts like Polychain, Lemniscap, and Commonwealth Labs, and rooted in deep expertise and contributions to the blockchain space.
For media inquiries, partnerships, or further questions, please contact us at [email protected]