Ackee Blockchain Completes Neon’s Governance Audit

Neon Labs
Published Oct 12, 2022

Between June 27 and July 22, 2022, Ackee Blockchain conducted a security audit of Neon’s Governance contract. The Ackee Blockchain team is composed of auditors and white hat hackers who perform security audits and assessments including code review, testing, automated analysis, and local deployment/hacking.

At the end of the 26-day audit process, a Findings and Recommendations report was delivered to the Neon Labs team. In this article, we’ll outline the scope, goals, and process of the Ackee security audit and summarize the notable findings.

Scope of the Security Audit

Ackee Blockchain focused the security audit on understanding and reviewing the Neon SPL Governance contract. In addition, the team reviewed the source code and security of the Neon maintenance program and custom add-ins. The specific commit audited was f13d7e7c1507819306797688ce0bb1f6950a5038 of the neonlabsorg/neon-spl-governance repository.

The programs covered include:

  • maintanance/program
  • addin-fixed-weights/program
  • addin-vesting/program
  • governance-lib

During the review, Ackee paid particular attention to:

  • whether the SPL-governance contract specifications are implemented correctly for the custom add-ins.
  • whether the programs correctly use dependencies or other supporting programs (e.g., SPL dependencies).
  • whether the code is vulnerable to voting manipulation.

Purpose/Goals of the Security Audit

Neon Labs always strives to reach the highest security standard for our services and platforms, including Neon Governance. The findings Ackee reported are being addressed as a priority, and they will continue to challenge and motivate our product team.

The main goal of the security audit was to assess the security posture of the SPL governance contract and associated programs to identify potential vulnerabilities. Ackee Blockchain aimed to meet this goal through a review of the targeted source code and documentation, execution of a penetration test, and evaluation of the testing process.

The Security Audit Procedure

1. Code Review

Ackee began the security audit by reviewing the specifications, sources, and instructions related to Neon’s SPL Governance contract. Following the initial review, the Ackee team conducted a manual line-by-line review of Neon’s in-scope source code.

2. Testing and Automated Analysis

Following the code review, Ackee ran automated tests to check that the SPL Governance contract functioned as intended. As part of the testing, Ackee also wrote missing unit and fuzz tests using their Solana testing framework, Trdelnik.

3. Local Deployment + Hacking

In the final steps of the security audit, Ackee ran a white hat hacking campaign that tried to manipulate the system based on the findings from steps one and two. The programs were deployed locally so that the in-scope system could be attacked and broken under realistic conditions. Hacking rounds out the audit by surfacing holes that code review and testing alone can miss.

Neon Governance Security Audit Outcome

The Ackee Security Audit presented findings by categorizing issues according to severity, impact, and likelihood. The results identified some core issues and mandatory clean-ups for the Neon Labs team to address, along with some recommendations to be implemented.

The security audit identified eight issues that range from critical to informational in terms of severity. The Neon Labs team has reviewed these issues and has already begun to address them.

The two critical issues identified by the audit are as follows:

1. It is possible to manipulate the voting process while using the fixed-weights add-in.

The add-in accepts a vote share greater than 100% of a member's fixed allocation, which inflates that member's vote to such an extent that a single user (member of governance) could practically decide any proposal by themself.

2. When using the addin-vesting (for a realm), the first user is able to decide any proposal after their deposit.

In this scenario, the first user who calls deposit can immediately create a proposal and vote for it. Since their deposit is the entire voting supply at that moment, their vote carries 100% weight and the proposal is marked as successful.
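The following Rust model illustrates both critical findings side by side. It is an added example written for this article, not code from neon-spl-governance or Ackee; the type names, the basis-point representation, the sample members and deposits, and the "expected supply" mitigation for the vesting case are all assumptions made for illustration, not the project's actual fix.

```rust
// Added illustration of the two critical findings. Not code from
// neon-spl-governance; names, numbers and the mitigation are assumptions.

/// Vote shares are expressed in basis points: 10_000 bps == 100%.
pub const BPS_DENOM: u64 = 10_000;

#[derive(Debug, PartialEq, Eq)]
pub enum VoteError {
    NotAMember,
    ShareExceedsAllocation,
    Overflow,
}

/// Finding 1 (hypothetical model): every realm member has a fixed weight
/// allocation and casts some share of it when voting.
pub struct FixedWeights {
    pub members: Vec<(&'static str, u64)>,
}

impl FixedWeights {
    pub fn total_weight(&self) -> u64 {
        self.members.iter().map(|(_, w)| *w).sum()
    }

    fn allocation(&self, member: &str) -> Option<u64> {
        self.members.iter().find(|(m, _)| *m == member).map(|(_, w)| *w)
    }

    /// Vulnerable pattern: the caller-supplied share is applied with no upper
    /// bound, so share_bps > 10_000 yields more weight than was allocated.
    pub fn vote_weight_unchecked(&self, member: &str, share_bps: u64) -> Result<u64, VoteError> {
        let alloc = self.allocation(member).ok_or(VoteError::NotAMember)?;
        alloc
            .checked_mul(share_bps)
            .map(|x| x / BPS_DENOM)
            .ok_or(VoteError::Overflow)
    }

    /// Hardened pattern: reject any share above 100% before it reaches the math.
    pub fn vote_weight_checked(&self, member: &str, share_bps: u64) -> Result<u64, VoteError> {
        if share_bps > BPS_DENOM {
            return Err(VoteError::ShareExceedsAllocation);
        }
        self.vote_weight_unchecked(member, share_bps)
    }
}

/// A vote reaches quorum when weight / supply >= quorum, evaluated without
/// division so that rounding cannot work in the voter's favour.
pub fn reaches_quorum(weight: u64, supply: u64, quorum_bps: u64) -> bool {
    (weight as u128) * (BPS_DENOM as u128) >= (supply as u128) * (quorum_bps as u128)
}

/// Finding 2 (hypothetical model): a vesting realm whose voting supply is the
/// sum of deposits made so far.
pub struct VestingRealm {
    pub deposits: Vec<(&'static str, u64)>,
    /// Assumed mitigation knob: the supply the realm is expected to reach once
    /// all members have deposited. Not the project's own design.
    pub expected_supply: u64,
}

impl VestingRealm {
    pub fn deposit(&mut self, member: &'static str, amount: u64) {
        self.deposits.push((member, amount));
    }

    pub fn current_supply(&self) -> u64 {
        self.deposits.iter().map(|(_, a)| *a).sum()
    }

    fn weight_of(&self, member: &str) -> u64 {
        self.deposits.iter().filter(|(m, _)| *m == member).map(|(_, a)| *a).sum()
    }

    /// Vulnerable pattern: quorum is measured against deposits so far, so the
    /// first depositor owns 100% of the supply and passes anything alone.
    pub fn passes_unchecked(&self, voter: &str, quorum_bps: u64) -> bool {
        reaches_quorum(self.weight_of(voter), self.current_supply(), quorum_bps)
    }

    /// Hardened pattern (assumption): measure quorum against the larger of the
    /// current and the expected supply, so an early deposit cannot dominate.
    pub fn passes_checked(&self, voter: &str, quorum_bps: u64) -> bool {
        let supply = self.current_supply().max(self.expected_supply);
        reaches_quorum(self.weight_of(voter), supply, quorum_bps)
    }
}

fn main() {
    // Constructed sample realm: three members, 60% quorum.
    let fw = FixedWeights { members: vec![("alice", 30), ("bob", 30), ("carol", 40)] };
    let quorum = 6_000;
    let inflated = fw.vote_weight_unchecked("alice", 30_000).unwrap(); // 300% of 30
    println!("unchecked: alice casts {} of {} -> quorum reached: {}",
        inflated, fw.total_weight(), reaches_quorum(inflated, fw.total_weight(), quorum));
    println!("checked:   {:?}", fw.vote_weight_checked("alice", 30_000));

    // Constructed vesting realm: alice is the first and only depositor.
    let mut realm = VestingRealm { deposits: vec![], expected_supply: 1_000_000 };
    realm.deposit("alice", 1_000);
    println!("first depositor passes (unchecked): {}", realm.passes_unchecked("alice", quorum));
    println!("first depositor passes (checked):   {}", realm.passes_checked("alice", quorum));
}
```

The point of the two `_checked` variants is the same in both findings: vote weight must be bounded by something the voter does not control (the fixed allocation in the first case, a supply figure that does not collapse to the voter's own deposit in the second). Any add-in that derives weight from caller-supplied input needs that bound enforced before the weight is recorded.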

Conclusion

We hope you found this article informative. If you have any questions about the security audit of Neon’s SPL Governance contract, don’t hesitate to reach out. You can contact the team via Discord. Lastly, stay connected with the team on Twitter, GitHub, YouTube, and Medium for more development updates and announcements.
