Security Audit Report on Token Transfer and Smart Contracts

As we prepare to launch the native ONE token through the token swap process, the security of token transfers and smart contract functionalities of the Harmony blockchain is the most critical launch criteria. When token swap is enabled, users will be able to convert their BEP2/ERC20 ONE tokens into native ONE tokens and freely transfer those tokens on Harmony mainnet. To make sure no security issues exist in our protocol, we’ve worked closely with Peckshield, a top blockchain security and auditing firm, to scrutinize every single detail of the core protocol codebase.

Findings

Here is the report (http://harmony.one/audit) delivered by the Peckshield team after extensive fuzzing tests and white-box auditing on our core codebase, covering the following aspects of the protocol.

Out of all the components audited and tested, there were two issues found.

The first issue is related to the missed validity and sanity checks when a cross-shard receipt is first received by a node. This issue allows a malicious attacker to send invalid cross-shard receipts and prevent valid receipts from being processed in time, thus it is classified as medium severity. We immediately fixed this issue after receiving the initial report (code of the fix).

The second issue is on the missing penalty when the leader does not process cross-shard receipts. In general, this issue falls under the problem of transaction censorship for any blockchains. The solution to this issue on Harmony includes: 1) leader rotation; 2) mechanism to detect malicious leader and switch to the next leader with our view change protocol. These two solutions are planned in the next phase of mainnet upgrade when we move towards full network decentralization. In the current phase of Harmony mainnet, no serious security risk exists on this issue because the leaders are highly unlikely to be controlled by malicious validators and also users can choose to resend their cross-shard receipts.

Conclusion

The report concludes with a very high confidence level that Harmony’s blockchain is safe and secure for token-related functionalities including intra-shard token transfer, cross-shard token transfer, cryptographic signatures and smart contracts. The report also speaks highly of our codebase as “neatly organized and elegantly implemented”.

In summary, the Peckshield team did a thorough security audit on our codebase and found two issues which thereafter have been fixed or accounted for. Thus we are confident that the current stage of the Harmony codebase is secure for the launch of token transfer and smart contract functionalities.

We are thankful for the Peckshield team for working hard to meet our tight schedule including during the holidays.

PeckShield is a blockchain security company which aims to elevate the security, privacy, and usability of entire blockchain ecosystem by offering top-notch, industry-leading services and products. The company was founded by forward-looking, passionate entrepreneurs and veteran researchers, with a strong desire to improve state-of-the-art security of large-scale systems. With a recent focus on blockchains, PeckShield publishes trending reports and provides services and products to identify hidden vulnerabilities (e.g., in smart contracts and consensus protocols), expose zero-day exploits, and defend against emerging threats. Auditing and consulting services are also provided for our clientele and partners.