An External Code Analysis of Tangle Network and dkg-substrate Repositories

On 17 July 2023, we subjected several of our developments, including the Tangle Network runtime and dkg-substrate, a critical Substrate pallet, to a rigorous external analysis performed by Security Research Labs. The assessment aimed to identify potential vulnerabilities in the pallet and to confirm the robustness and security of our platform. We appreciate the meticulous analysis conducted by the audit team, and we're dedicated to addressing the findings to further fortify our platform. Here, we share the results and the actions we have taken on the three issues identified.

1. Debug_Assert: Ensuring Stability in the Tangle Network Runtime

The Challenge

The audit identified a potential issue with the use of debug_assert in our webb-rs/proposal module. The assertion could cause a panic in the Tangle standalone runtime if wrapping_fee exceeds the permissible range of 0 - 10_000.

The Risk

If an attacker submits an extrinsic with a wrapping_fee above 10_000, nodes built in debug mode would hit the debug_assert and panic. Nodes built in release mode would not: debug_assert is compiled out of release builds, so the out-of-range value would be accepted and processed there instead of being rejected. The two kinds of nodes would therefore disagree on the same extrinsic, which is a consensus risk and not merely a crash.

Our Solution

We've replaced the debug-only assertion with a proper range check on wrapping_fee that is enforced in every build profile. If the value falls outside 0 - 10_000, an error is returned instead of the runtime panicking or silently accepting the value, so every node reaches the same verdict and the runtime environment stays stable.
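The following is an added example written for this post, not code from webb-rs. It contrasts a debug_assert on the fee with a check that runs in every build profile, and exposes whether the debug-only path is compiled out of the running binary. The u16 field type, the function names and the error type are assumptions made for the illustration.

```rust
// Added example (not webb-rs code): a debug-only assertion versus a check that
// is enforced in every build profile.
//
// `debug_assert!` is compiled out when `debug_assertions` is off (the default
// for release builds), so a fee that panics a debug node is silently accepted
// by a release node. In a blockchain runtime that is a divergence between
// nodes, not just a crash.

/// Upper bound of the fee range named in the audit (0 ..= 10_000).
pub const MAX_WRAPPING_FEE: u16 = 10_000;

#[derive(Debug, PartialEq, Eq)]
pub enum ProposalError {
    /// Carries the offending value so the rejection is auditable in logs.
    WrappingFeeOutOfRange(u16),
}

/// Hypothetical pre-fix shape (the `u16` field type is an assumption): only a
/// debug build rejects an out-of-range fee; a release build returns it as-is.
pub fn wrapping_fee_debug_only(wrapping_fee: u16) -> u16 {
    debug_assert!(
        wrapping_fee <= MAX_WRAPPING_FEE,
        "wrapping_fee {} exceeds {}",
        wrapping_fee,
        MAX_WRAPPING_FEE
    );
    wrapping_fee
}

/// Post-fix shape: the bound is an ordinary runtime check, so debug and
/// release nodes reach the same verdict, and the caller gets an error it can
/// map to a dispatch error instead of a panic.
pub fn wrapping_fee_checked(wrapping_fee: u16) -> Result<u16, ProposalError> {
    if wrapping_fee > MAX_WRAPPING_FEE {
        return Err(ProposalError::WrappingFeeOutOfRange(wrapping_fee));
    }
    Ok(wrapping_fee)
}

/// True when this binary would pass an out-of-range fee straight through the
/// debug-only path, i.e. when it was built without debug assertions.
pub fn debug_only_check_is_compiled_out() -> bool {
    !cfg!(debug_assertions)
}

fn main() {
    for fee in [0u16, 10_000, 10_001, u16::MAX] {
        println!("wrapping_fee {:>5}: {:?}", fee, wrapping_fee_checked(fee));
    }
    println!(
        "debug_assert! enforced in this build: {}",
        !debug_only_check_is_compiled_out()
    );
}
```

Run it once with `cargo run` and once with `cargo run --release`: the checked function gives the same answer in both, while the debug-only path changes behaviour between the two profiles, which is exactly the divergence a runtime must not have.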

2. Extrinsics: Implementing Storage Deposits/Fee to Safeguard Our Storage

The Challenge

The audit found that storage deposits are missing for the insert(...) calls in the dkg-substrate and Tangle Network pallets. An attacker could therefore clutter chain storage by repeatedly calling the extrinsics that write data into our blockchain database.

The Risk

Without a storage deposit, the only cost of each call is the ordinary transaction fee, so an attacker could keep calling the extrinsic and fill chain storage cheaply. State that is never paid for and never removed bloats the database on every node, degrading performance and making storage resources hard to manage.

Our Solution

We've added deposits (or fees) to every affected extrinsic that writes data to chain storage. The deposit is taken from the caller when the data is inserted and returned once the data is removed from storage, so the cost of occupying state is borne by whoever occupies it and storage stays manageable.
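To make the mechanism concrete, here is an added example (not the dkg-substrate or Tangle pallet code): a dependency-free model of the storage-deposit pattern in which plain HashMaps stand in for the pallet's StorageMap and for the balances pallet. In a real pallet the reserve and unreserve steps would go through ReservableCurrency and the deposit parameters would be pallet constants; the base deposit, per-byte rate, account ids and balances below are assumed values constructed for the illustration.

```rust
// Added example, not pallet code: a self-contained model of storage deposits.
// HashMaps replace StorageMap and the balances pallet so it runs anywhere.
use std::collections::HashMap;

pub type AccountId = u32;
pub type Balance = u128;

#[derive(Debug, PartialEq, Eq)]
pub enum Error {
    /// Caller cannot cover the deposit for the bytes it wants to store.
    InsufficientBalance,
    KeyAlreadyExists,
    NoSuchKey,
    /// Only the depositor may free an entry and reclaim its deposit.
    NotOwner,
}

/// One stored entry: who paid for it, the bytes, and the deposit held.
struct Entry {
    owner: AccountId,
    value: Vec<u8>,
    deposit: Balance,
}

pub struct Ledger {
    free: HashMap<AccountId, Balance>,
    reserved: HashMap<AccountId, Balance>,
    entries: HashMap<Vec<u8>, Entry>,
    base_deposit: Balance, // assumed constant
    per_byte: Balance,     // assumed constant
}

impl Ledger {
    pub fn new(base_deposit: Balance, per_byte: Balance) -> Self {
        Ledger {
            free: HashMap::new(),
            reserved: HashMap::new(),
            entries: HashMap::new(),
            base_deposit,
            per_byte,
        }
    }

    pub fn fund(&mut self, who: AccountId, amount: Balance) {
        *self.free.entry(who).or_insert(0) += amount;
    }

    pub fn free_balance(&self, who: AccountId) -> Balance {
        self.free.get(&who).copied().unwrap_or(0)
    }

    pub fn reserved_balance(&self, who: AccountId) -> Balance {
        self.reserved.get(&who).copied().unwrap_or(0)
    }

    pub fn entry_count(&self) -> usize {
        self.entries.len()
    }

    /// The deposit scales with the bytes the entry occupies, so an attacker
    /// pays in proportion to the state they add.
    pub fn deposit_for(&self, key: &[u8], value: &[u8]) -> Balance {
        let bytes = (key.len() + value.len()) as Balance;
        self.base_deposit.saturating_add(self.per_byte.saturating_mul(bytes))
    }

    pub fn insert(&mut self, who: AccountId, key: Vec<u8>, value: Vec<u8>) -> Result<(), Error> {
        if self.entries.contains_key(&key) {
            return Err(Error::KeyAlreadyExists);
        }
        let deposit = self.deposit_for(&key, &value);
        let free = self.free_balance(who);
        if free < deposit {
            return Err(Error::InsufficientBalance);
        }
        // Reserve before writing state, so a failed reserve never leaves an
        // unpaid-for entry behind.
        self.free.insert(who, free - deposit);
        *self.reserved.entry(who).or_insert(0) += deposit;
        self.entries.insert(key, Entry { owner: who, value, deposit });
        Ok(())
    }

    /// The deposit is returned only when the bytes actually leave storage.
    pub fn remove(&mut self, who: AccountId, key: &[u8]) -> Result<Vec<u8>, Error> {
        let owner = self.entries.get(key).map(|e| e.owner).ok_or(Error::NoSuchKey)?;
        if owner != who {
            return Err(Error::NotOwner);
        }
        let entry = self.entries.remove(key).expect("existence checked above");
        *self.reserved.entry(who).or_insert(0) -= entry.deposit;
        *self.free.entry(who).or_insert(0) += entry.deposit;
        Ok(entry.value)
    }
}

/// Attempt `n` inserts of 4-byte keys and 16-byte values; returns how many the
/// ledger accepted before the caller's free balance ran out.
pub fn spam_inserts(ledger: &mut Ledger, who: AccountId, n: u8) -> usize {
    let mut accepted = 0;
    for i in 0..n {
        if ledger.insert(who, vec![i; 4], vec![0xAB; 16]).is_ok() {
            accepted += 1;
        }
    }
    accepted
}

fn main() {
    let attacker: AccountId = 7;
    let mut ledger = Ledger::new(100, 1); // assumed: base 100, 1 per byte
    ledger.fund(attacker, 1_000);
    let accepted = spam_inserts(&mut ledger, attacker, 50);
    println!(
        "accepted {} of 50 inserts; free={} reserved={}",
        accepted,
        ledger.free_balance(attacker),
        ledger.reserved_balance(attacker)
    );
    ledger.remove(attacker, &[0u8; 4]).unwrap();
    println!(
        "after one removal: free={} reserved={}",
        ledger.free_balance(attacker),
        ledger.reserved_balance(attacker)
    );
}
```

The point of the model is the bound it creates: with 1,000 units of balance and a 120-unit deposit per entry, the attacker's fiftieth call fails at the ninth insert, and the only way to get the balance back is to delete the entries, which is exactly the behaviour a storage deposit is meant to enforce.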

3. Ensuring Safe Arithmetic Operations in Pallet-Eth2-Light-Client

The Challenge

The function calculate_min_storage_balance_for_submitter in our pallet-eth2-light-client could overflow if the parameter max_submitted_blocks_by_account is large enough.

The Risk

On nodes compiled with overflow checks enabled (the default for debug builds), this integer overflow would panic and crash the node. On nodes with overflow checks disabled, the arithmetic would wrap around silently, and the computed minimum storage balance could come out far smaller than intended, weakening the balance requirement the function is meant to enforce.

Our Solution

We've replaced the unchecked arithmetic with safe-math operations (checked arithmetic that reports overflow as an error) or explicit overflow checks around the calculation. This keeps the result correct for every input and the pallet-eth2-light-client stable on every build profile.
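An added example of the wrapping-versus-checked behaviour, not pallet-eth2-light-client code: the real calculate_min_storage_balance_for_submitter has its own inputs, so the formula used here (a per-block deposit times max_submitted_blocks_by_account plus a base amount) and the u128 types are assumed stand-ins chosen only to show how the two arithmetic styles diverge at the overflow boundary.

```rust
// Added example, not pallet code. The formula and types are assumed.

pub type Balance = u128;

#[derive(Debug, PartialEq, Eq)]
pub enum ArithmeticError {
    Overflow,
}

/// Pre-fix shape. Plain `*` and `+` would panic here in a build with overflow
/// checks and wrap in one without; `wrapping_*` reproduces the no-checks
/// behaviour deterministically so the bad result can be observed in any build.
pub fn min_storage_balance_wrapping(
    per_block_deposit: Balance,
    max_submitted_blocks_by_account: Balance,
    base: Balance,
) -> Balance {
    per_block_deposit
        .wrapping_mul(max_submitted_blocks_by_account)
        .wrapping_add(base)
}

/// Post-fix shape: every step is checked, and overflow surfaces as an error the
/// extrinsic can reject instead of a wrapped, far-too-small minimum.
pub fn min_storage_balance_checked(
    per_block_deposit: Balance,
    max_submitted_blocks_by_account: Balance,
    base: Balance,
) -> Result<Balance, ArithmeticError> {
    per_block_deposit
        .checked_mul(max_submitted_blocks_by_account)
        .and_then(|v| v.checked_add(base))
        .ok_or(ArithmeticError::Overflow)
}

fn main() {
    // Ordinary input: both agree.
    println!(
        "normal: wrapping={} checked={:?}",
        min_storage_balance_wrapping(10, 5, 100),
        min_storage_balance_checked(10, 5, 100)
    );
    // Hostile input: 2^127 * 2 == 2^128, which wraps to 0, so the wrapping
    // version reports only `base` as the required minimum.
    let huge = u128::MAX / 2 + 1;
    println!(
        "hostile: wrapping={} checked={:?}",
        min_storage_balance_wrapping(huge, 2, 1_000),
        min_storage_balance_checked(huge, 2, 1_000)
    );
}
```

Saturating arithmetic is the other common choice in Substrate code; it would fail closed here (an impossibly large minimum rather than a tiny one), but the checked form makes the overflow visible to the caller, which is preferable when the input is attacker-controlled.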

-

We appreciate the thoroughness of the audit and are dedicated to addressing these findings promptly. As always, we remain open to feedback and questions from our community as we continue to shape a secure and efficient Substrate experience; join our community channels to contact the team.

About Webb

Webb, founded by Drew Stone, is a cross-chain zero-knowledge messaging layer dedicated to redefining blockchain privacy. By connecting blockchains with state-of-the-art zero-knowledge technology, Webb offers a suite of tools designed to speed the deployment of zero-knowledge (ZK) and multi-party computation (MPC) applications in the multi-chain universe. Webb is backed by Polychain, Lemniscap, and Commonwealth Labs, and is rooted in deep expertise and contributions to the blockchain space.

https://webb.tools

Contact Information

For media inquiries, partnerships, or further questions, please contact us at [email protected]