Taking security seriously: two top ICP features assessed by Trail of Bits

DFINITY
The Internet Computer Review
Nov 3, 2023

Two top Internet Computer features — SNS DAOs and Chain-key Bitcoin (ckBTC) — were recently assessed by Trail of Bits, a leading technical security auditor operating as a center of excellence for blockchain security. No high-severity issues were found.

Written by Robin Künzler

The DFINITY foundation, a major contributor to the Internet Computer blockchain, takes security very seriously. Not only do engineering and product security teams conduct various security checks and reviews internally before a feature is released, security tools, best practices, and formal models are also developed and open-sourced, so developers can perform their own code checks to detect bugs and improve the overall security of their dapps. What’s more, many of the major technical features built on the Internet Computer go through additional external security assessments conducted by leading organizations such as Trail of Bits and NCC Group, specializing in software security assurance.

Getting external reviews complements internal security efforts and gives engineering and product security teams the opportunity to greatly benefit and learn from the different perspectives expert reviewers provide based on their knowledge and experience of other blockchain projects. After addressing the issues, DFINITY makes the audit reports public to allow the community an independent view of a feature’s security posture. Such reports signal to users and developers that minimizing the security risks of building on and engaging with the Internet Computer is of utmost importance.

Recently, two main Internet Computer features — Chain-key Bitcoin (ckBTC), a decentralized bitcoin twin, and Service Nervous System (SNS), a DAO framework — were assessed by Trail of Bits. No high-severity vulnerabilities were found, and both features received positive assessments with mainly low-severity issues and consistently positive code maturity evaluations. See the assessment reports for ckBTC, and SNS (2022 assessment, 2023 assessment).

What is Trail of Bits?

Headquartered in New York and operating globally since 2012, Trail of Bits specializes in combining high-end security research with a real-world attacker mentality to reduce risk and fortify code. The organization provides technical security assessments and advisory services to some of the world’s most targeted organizations, helping to secure critical software elements that support billions of end users, including Kubernetes and the Linux kernel. Trail of Bits also operates a center of excellence for blockchain security. Notable projects include audits of Algorand, Bitcoin SV, Chainlink, Compound, Ethereum 2.0, MakerDAO, Matic, Uniswap, Web3, and Zcash.

Assessment scope, tools & techniques

Trail of Bits was called in to assess the security of SNS and ckBTC functionality specifically. Both features were released within the last year and are gaining traction among developers and end users, so it was a good time to initiate an external security assessment in addition to rigorous internal checks. As for the SNS DAO feature, it was crucial to investigate whether asynchronous SNS canister smart contract interactions are vulnerable to time-of-check / time-of-use (TOCTOU) bugs, a class of software bugs caused by race conditions, and whether the SNS token swap functionality is vulnerable to double-spending attacks. Having the ticket-based payment protocol reviewed for correctness was also essential to ensure a safe user experience.

With regard to ckBTC, which involves holding, sending, and receiving bitcoin, it was necessary to check whether it is possible to double-spend funds or execute denial-of-service attacks. It was equally important to make sure the ckBTC minter could not be tricked into signing invalid transactions or burning ckBTC without spending bitcoin.

Security researchers at Trail of Bits conducted three assessments in total, employing manual code security review combined with automated testing to reveal security issues in various aspects of each feature, and to evaluate the solidity of each feature’s project goals.

Reviewing the security of ckBTC

Chain-key Bitcoin (ckBTC) is a “Bitcoin twin” on the Internet Computer that is backed 1:1 by bitcoin (BTC) such that 1 ckBTC can always be redeemed for 1 BTC and vice versa. It provides a more secure alternative to other tokens pegged to bitcoin as ckBTC does not rely on any third-party bridges for the conversion between BTC and ckBTC. Since ckBTC tokens can be transferred with finality in a matter of seconds and transaction fees are substantially lower compared to regular Bitcoin transactions, it is a viable solution for applications that can benefit from fast, reliable, and inexpensive Bitcoin transactions.

As ckBTC involves transferring bitcoin value, having the feature assessed for potential security risks was a high priority for DFINITY and its community. The assessment covered three key risk areas: double-spending of funds, denial-of-service attacks, and insufficient access controls. To maintain the 1:1 peg, the total bitcoin amount held under custody must always be at least the total supply of ckBTC tokens (the total ckBTC supply being smaller due to transaction fees). It is therefore of paramount importance to prevent double-spending of funds, for example minting ckBTC without supplying the corresponding BTC amount. It must also not be possible to burn ckBTC without paying out the corresponding BTC amount, or to pay out more than was burned.

As ckBTC has the potential to become a key enabler for an evolving Bitcoin economy, it must always be available. Denial-of-service attacks against the ckBTC functionality could therefore have dire consequences if successful. Hence, security checks for this were added to the Trail of Bits assessment protocol, along with checks for insufficient or missing access controls.

No medium or high-severity findings in ckBTC

The Trail of Bits security expert team meticulously scanned the ckBTC codebase, verifying that the code is consistent with the specification, as well as searching for bugs in the code, such as misconfigured access controls, arithmetic overflows, or rounding errors, that may lead to security issues. Overall, the verdict was very positive, and the expert team emphasized the feature’s great code quality (see the code maturity evaluation). There were no findings with a “High” or “Medium” severity rating, and only two “Low” findings were identified as well as three “Informational” findings. Looking at Trail of Bits’ codebase maturity evaluation, “Authentication / Access Controls” and “Testing and Verification” were rated as “Strong” and all other aspects as “Satisfactory”. In addition to some inconsistent error logging, the “Informational” findings revealed some minor concerns with the risks of insufficient validation of upgrade parameters.

All “Informational” findings as well as the “code quality recommendations” were well noted by the DFINITY engineering teams and have been addressed since the completion of the assessment. The two low-severity findings were related to the Know Your Transaction (KYT) process. Currently, it is centralized on a single KYT provider, and the KYT API keys are stored inside the canister. These findings had already been identified by DFINITY and the Internet Computer community, and remain valid concerns. The rating regarding the centralization issue is low, as it is unlikely that the KYT provider would supply wrong information on purpose. Moreover, the KYT provider could be replaced, if necessary, or more providers could be added in the future through a canister upgrade. The API keys can hypothetically be read by the node operators of the subnet where the ckBTC canisters are deployed, but this risk is low because it would require quite an effort to extract the API key, which is of little use to the attacker and can easily be replaced. Since DFINITY agrees with the low-severity rating, it was decided to accept these risks for the time being.

In summary, with the exception of the two low-severity findings around KYT, all findings and the code quality recommendations have been addressed, as our fix notes reveal.

Stress testing SNS DAOs

The Service Nervous Systems (SNS) feature is a decentralized autonomous organization (DAO) framework. Essentially, it is a mechanism that allows any dapp built on the Internet Computer to be handed over to an SNS — a DAO that gives the ownership and control of the respective dapp to the community to further develop and govern. Each SNS includes a stake-based governance system that orchestrates decision-making and changes, as well as a ledger that defines a unique token for each SNS DAO. This SNS framework has an established procedure leading to a launch: an SNS is created, the governance control is distributed to users in a decentralization swap whereby initial funds are collected in exchange for governance control, and then the dapp’s control is handed over to the new SNS.

As there are funds at stake, and each SNS DAO consists of many canister smart contracts interacting in an asynchronous nature, having the feature assessed for potential security risks was a high priority. With the main goal of protecting the end users, it is necessary to ensure that no double spending during a swap is possible and that no tokens could get lost. With regard to the asynchronous nature of canister interactions, security checks were conducted to make sure there was no risk of re-entrancy and time-of-check / time-of-use issues. Since the SNS life cycle has many states, it is important to ensure that only legal state transitions are allowed, and are consistently synchronized between canisters. The assessment also included standard checks such as access control and arithmetic.
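The time-of-check / time-of-use pattern described above, as an added example that is not taken from the SNS code base or the Trail of Bits reports: a constructed Rust model in which an inter-canister call splits a method into a part before the `await` and a callback after it. The `Swap` struct, the refund methods and the user names are hypothetical.

```rust
use std::collections::HashMap;
// Constructed model, not SNS code. An inter-canister call (`await`) splits a
// method into two message executions; other messages can run in between.
#[derive(Default)]
struct Swap {
    deposits: HashMap<&'static str, u64>,
    paid_out: u64, // total the (simulated) ledger transferred out
}

impl Swap {
    // Vulnerable: balance is checked before the await, debited after it.
    fn refund_begin_vulnerable(&self, user: &'static str) -> Option<u64> {
        self.deposits.get(user).copied().filter(|&a| a > 0) // time of check
    }
    fn refund_finish_vulnerable(&mut self, user: &'static str, amount: u64) {
        self.paid_out += amount; // ledger transfer already happened
        self.deposits.insert(user, 0); // time of use: too late
    }
    // Hardened: debit before the await, restore only if the transfer fails.
    fn refund_begin_hardened(&mut self, user: &'static str) -> Option<u64> {
        let amount = self.deposits.get(user).copied().filter(|&a| a > 0)?;
        self.deposits.insert(user, 0);
        Some(amount)
    }
    fn refund_finish_hardened(&mut self, user: &'static str, amount: u64, ok: bool) {
        if ok { self.paid_out += amount; return; }
        *self.deposits.entry(user).or_insert(0) += amount; // transfer failed: restore
    }
}

// Two refund messages from one user, interleaved: both first halves run
// before either callback. Returns the total paid out for a deposit of 100.
fn interleaved_refunds(hardened: bool) -> u64 {
    let mut s = Swap::default();
    s.deposits.insert("alice", 100);
    let begin = |s: &mut Swap| if hardened { s.refund_begin_hardened("alice") }
                               else { s.refund_begin_vulnerable("alice") };
    let (a, b) = (begin(&mut s), begin(&mut s));
    for amount in a.into_iter().chain(b) {
        if hardened { s.refund_finish_hardened("alice", amount, true) }
        else { s.refund_finish_vulnerable("alice", amount) }
    }
    s.paid_out
}
fn main() {
    println!("vulnerable: {}, hardened: {}", interleaved_refunds(false), interleaved_refunds(true));
}
```

In this model the vulnerable ordering pays out twice the deposit, while debiting before the call rejects the second message at its check.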

A two-part review

The first part of the review focused on a specific phase of the project, predating the test launch in Fall 2022. The assessment targeted the key elements of the SNS framework, from the SNS swap canister to the SNS root canister, which controls all SNS canisters and dapp canisters, to the SNS ledger, the SNS governance mechanism, and the NNS (the DAO that governs the Internet Computer) involvement in SNS launches and upgrades. As the architecture of this feature is quite intricate, it was important to conduct security checks for each of these components.

At the beginning of 2023, the feature went live on the mainnet with the first community project successfully becoming an SNS DAO. Other projects followed over the first half of the year. Due to increased activity and interest in SNS launches, technical optimizations, and newly added functionality in the SNS swap canister, including a ticket system, a top-up review was needed. This follow-up review targeted the SNS framework again, with another round of checks for re-entrancy and time-of-check / time-of-use issues in asynchronous canister interactions, i.e. between the SNS swap canister and the ICP ledger, SNS ledger and SNS governance canisters. The assessment tested for double-spending vulnerabilities as well as the correctness of the new ticketing system in the Swap canister, and verified the handling of states between canisters to ensure the SNS governance mechanism was intact. All major touchpoints of the SNS framework were thoroughly reviewed, from the Community Fund (now called Neuron Fund) to the ICRC-1 ledger, to the SNS ledger and SNS Swap canister.

Findings & fixes

Overall, the SNS feature received a positive assessment, with notable mention of proper access control for privileged application programming interfaces, careful token arithmetic and defensive canister interactions, including Temporal Logic of Actions (TLA+) models that automatically and systematically screen code for reentrancy bugs.

No high-severity issues were found in either review. The 2022 assessment highlighted one medium-severity, two low-severity and four informational issues as points to fix. In particular, the medium-severity issue (TOB-DFSNS-1) involved the use of a custom SNS token transfer fee that was causing the creation of SNS neurons to fail. After the issues were fixed, the Trail of Bits team conducted a fix review (see Appendix A in the report for the details). All issues have been resolved except for two informational ones which do not constitute a threat to the system.

The second assessment in 2023 resulted in one medium-severity, one low-severity and two informational findings. The medium-severity issue (TOB-DFSNSR-3) highlights an error reporting bug which could prevent users from participating in the swap. Since the completion of the review, all issues have been addressed (see fix notes). The review also included a list of quality recommendations such as simplifying code for improved readability. All recommendations have been considered and applied with the exception of one.

Taking security seriously

In addition to external security reviews, DFINITY’s product security team systematically prioritizes new features and their associated risks for internal security reviews. These reviews are part of the software development lifecycle, and consist of design reviews even before development starts. During development, incremental implementation security reviews are required before a feature goes live. These usually include a combination of manual code reviews, and static and dynamic security testing, the results of which are recorded in detail in internal reports.

Engineering teams then take ownership of the security bugs found in their respective components, following an internal protocol on how these security bugs are handled.

Empowering the ecosystem

DFINITY’s product security team also assesses the security of canisters, including dapps serving the web. In these reviews, several classes of real world security vulnerabilities are evaluated, including re-entrancy, TOCTOU, lack of decentralization, DoS, authentication, and crypto bugs. The learnings from these reviews can also benefit the IC community.

Taking the security of the Internet Computer seriously means empowering the ecosystem with tools and tips to create safe and robust dapps. To pass the learnings from internal reviews on to the community, a security best practices guide was published to help the ecosystem avoid bugs early on in their development lifecycle. Recently, DFINITY also open-sourced its TLA+ models with a step-by-step tutorial to help developers create similar models for their canisters. These formal models were developed internally to ensure correctness of feature designs. They have been applied to canister interactions in major Internet Computer features, including SNS and ckBTC, as well as parts of the underlying protocol stack.

Finally, the security and robustness of the Internet Computer is a collaborative effort. The community is encouraged to report any potential security bugs related to the core components of the blockchain through the bug bounty program. Also, discussion and input on the security best practices are very welcome on the forum. With both internal and external measures in place, the chances of creating the most secure, tamperproof blockchain are increased. This is crucial, especially in a world where Web3 attacks are still on the rise. As per the Global Web3 Security & AML Report 2022, the total loss incurred in the Web3 attacks in 2022 amounted to almost $3.6 billion, which is 47.4% higher than in 2021.

See all DFINITY security reports
Ask questions about the security assessments on the Forum
