Grant Application: Infrastructure Security Assessment

Grant Title:
Infrastructure Security Assessment

Author:
@glory.eth

About You:
Halborn is an award-winning, elite cybersecurity company for blockchain organizations founded in 2019 by renowned ethical hacker Steven Walbroehl and growth hacker Rob Behnke. We’ve been trusted by organizations such as Uniswap, Matter Labs, Circle, Solana, Dapper Labs, Polygon, Animoca Brands, Sushi, and many more.

Halborn personnel have audited hundreds of projects across multiple ecosystems and across numerous chains. We have extensive experience in not only smart contract audit/assessment, but also in off-chain analysis covering cloud infrastructure, web applications, servers, and mobile applications.

Our technical team is composed of best-of-breed talent with specific practice areas broken out across: Off-Chain, Cloud, DevOps, and On-Chain. Within our On-Chain division we have numerous engineers working on specific ecosystems, blockchains, and use cases (DeFi, Gaming, etc.). We also run a Special Ops team which is typically leveraged for complex and/or novel protocols operating across multiple chains.

Share relevant information about yourself or your team, including educational background, prior experience, motivations, or any other details that demonstrate your qualifications for the grant.

Additional Links:
Website - halborn(dot)com
Twitter - @HalbornSecurity
Github - github(dot)com/HalbornSecurity/PublicReports

Grant Category:

  • CoWmunity growth
  • User interface and user experience (UI/UX)
  • Decentralization
  • Development of new Solvers
  • Developer tools (SDK)
  • Integrations and protocol order flow
  • Other miscellaneous areas ✅

Grant Description:
We are seeking a grant to perform a comprehensive infrastructure audit for CoW Protocol.

Purpose & Motivation
Infrastructure auditing, also known as pen testing, is a critical feature of a robust and comprehensive cybersecurity plan. While many DAOs and Web3 companies are (rightly) focused on smart contract auditing as a key pillar of their security, infrastructure auditing is just as important, particularly for large protocols.

Whereas smart contract auditing focuses on the contracts themselves, infrastructure auditing targets the various “non-smart contract” attack surfaces - web apps, mobile apps, bridges, cryptocurrency wallets, cloud infrastructure and more. Proactively identifying vulnerabilities in these areas allows CoW Protocol to repair potential weaknesses before they can be exploited by malicious actors.

According to our research, off-chain attacks are a growing threat and a significant source of losses. A closer examination of the top 50 attacks by loss reveals that off-chain attacks accounted for a staggering 40% of the total losses. This percentage has been steadily increasing over time, reaching 61% of losses and 70% of all attacks by type (on-chain vs. off-chain) in 2023 alone.

One notable example illustrating off-chain vulnerabilities was the Badger hack in 2021, resulting in $120mm of losses. This breach was facilitated by a script injection on their website. Another common vulnerability lies in private key theft or leakage, which can result from attacks on protocol servers and databases, social engineering, or other attack vectors. For instance, the Mixin Network hack in September of this year exploited a vulnerability in their cloud service provider’s database, resulting in losses totaling $200mm. However, perhaps the most significant case is the Ronin Bridge attack, which led to a staggering $624mm in losses. A comprehensive audit of the entire ecosystem might have potentially thwarted these attacks.

In this regard, Halborn has played a significant role in enhancing the off-chain security of various protocols. While many of the reports remain confidential, some of our critical finds include detecting unauthorized access to sensitive data in a project database; exposure of a database’s admin secret key; potential SQL injection vulnerabilities in other databases; and misconfigurations on a Firebase database that could have allowed an attacker mostly free range on it.

Among our public reports, we would like to highlight:

  • The Aptos Wallet WebApp pentest.

    • We found a total of 6 critical vulnerabilities, including the possibility for an attacker to obtain the mnemonic passphrase from the clipboard storage; the ability of an attacker to execute malicious code using the exported wallet functions, triggering a Denial of Service on the extension and the browser; a race condition in the function used to sign messages, with no confirmation required from the user; and the possibility for an attacker who has compromised a user’s machine to exfiltrate and steal their mnemonic phrase as well as the password.
  • HBarSuite WebApp and SmartNode FrontEnd and BackEnd pentest

    • In this case, Halborn engineers discovered two critical vulnerabilities: one that allowed an attacker to perform a Denial of Service against the smart nodes, and one that caused a user to be unable to claim back their liquidity or observe the liquidity added to the protocol’s different pools.

Infrastructure auditing also provides valuable insights into how well CoW Protocol’s security controls are functioning. It’s not just about finding vulnerabilities, but about understanding how effectively the protocol’s defenses can resist and respond to different attack scenarios. This hands-on testing allows CoW Protocol to fine-tune its security measures and ensure they can stand up to real-world threats.

Critically, infrastructure auditing is an iterative process, most effective when performed annually so that prior vulnerabilities can be re-tested (to determine the effectiveness of fixes) and new vulnerabilities identified.

Scope of Work
Halborn will conduct penetration testing of [[DAO]]’s non-smart contract threat surfaces such as web apps, cloud, infrastructure, and more. Halborn will use an active hands-on approach using deep security inspection to identify vulnerabilities. The penetration test will simulate the activities and tactics typically performed by threat actors. During the test, Halborn will update [[DAO]] with necessary details or findings.

Halborn will perform the infrastructure audit following these steps or phases:

  • Mapping Content and Functionality
  • Configuration and deployment
  • Identity Management flaws
  • Authentication/Authorization Flaws
  • Session handling
  • Business logic flaws
  • Rate Limitations tests
  • Brute Force Attempts
  • Input Handling
  • Fuzzing of all input parameters
  • Multiple Type of Injection (SQL/JSON/HTML/Command)
  • Client-side testing
  • Error handling
  • Weak Cryptography
  • Source Code Review

Deliverables
After testing, Halborn will create a report that provides details of all service areas covered, with risks, vulnerabilities, steps taken, and remediation recommendations.

Grant Goals and Impact:
The goal of this grant is to substantially increase the security of off-chain attack surfaces across CoW Protocol. Going through the process of ensuring tight off-chain security can significantly increase overall user confidence, increasing the user base and the size of the community and significantly enhancing protocol decentralization and safety.

Milestones:

Please identify the key milestones that will help track the progress of your grant. Use the provided table as a summary and expand on each milestone description and deliverables below.

Milestone                                | Due Date                        | Payment
Milestone 1 - Scoping Exercise           | To be scheduled with Committee  | N/A
Milestone 2 - Project Initiation         | Upon signing                    | 50% of grant amount
Milestone 3 - Delivery of Assessment Report | End of project               | 50% of grant amount

Milestone 1
The team will need to complete a scoping exercise in order to determine an accurate price, as projects are priced based on time, complexity, length of codebase, etc. We can get on a quick scoping call to make sure teams are aligned on what is in/out of scope and to help provide the Grants Committee with the information they need to make a decision on this grant.

Milestone 2
Once the grant is accepted and a start date has been scheduled, Halborn will begin the Infrastructure Security Assessment process, going through the steps defined in the Grant Description section above.

Assessments are typically led by a full-time Senior Engineer and supervised by a Technical Lead. The VP of Security is also involved in the process. These will be the contact points for the Grants Committee for any questions and to keep it apprised of progress.

Milestone 3
After testing, Halborn will create a report that provides details of all service areas covered, with risks, vulnerabilities, steps taken, and remediation recommendations.

Halborn will exercise due care in removing testing tools, payloads, and other files or artifacts used during the assessment after the completion of testing. Halborn will make every attempt to avoid business interruption during the course of the penetration test.

Funding Request:
To determine an accurate price, a scoping exercise will be required, which we can complete on a call with the Grants Committee. Funding is preferred in xDAI.

Budget Breakdown:
Funds will be allocated for compensation to the Halborn personnel assigned to the project.

Gnosis Chain Address (to receive the grant):
Halborn Finance will set up a new wallet upon grant acceptance.

Other Information:
A public repository of our work can be found here: GitHub - HalbornSecurity/PublicReports

Referral:

N/A

Terms and Conditions:

By submitting this grant application, I acknowledge and agree to be bound by the CoW DAO Participation Agreement and the CoW Grant Terms and Conditions.


Dear Applicant,

Thank you for submitting your grant proposal. We are eager to review it. Please be aware that due to the recent renewal of our grants program and the holiday season, we are currently experiencing a delay in our review process. This may result in an extended timeline for the grants committee to establish their procedures and provide you with specific feedback. We appreciate your understanding and patience during this time.

Thank you @middleway.eth, and completely understand on the extended timeline. If there are any questions I can answer, please let me know.

I support this proposal. Security assessments are essential in building trust with our growing community.

Apparently the team has had discussions with Halborn in the past for a security review, but this hasn’t eventually worked out, mainly due to the high cost.
At this moment in time there’s no appetite to reconsider this.

Thanks for the grant proposal 🙏