Ultra <> Sentnl Security Audit

Rami James
Ultra
Jan 18, 2021 · 5 min read


Blockchain networks are financial systems that require higher standards of care than a traditional software system. We are proud to announce that the first security audit of the Ultra blockchain codebase has been successfully completed by the Sentnl group. The outcome was extremely positive.

The exemplary work of our blockchain team paid off, and we are now comfortably on the road to releasing our innovations into the wild — happy to know that they have been confirmed safe to use.

The Scope of the Audit

Let’s talk a little bit about the systems that Sentnl reviewed, so that you can understand why it was so critical to have an outside perspective on them.

Resource Level Protocol Changes

As part of Ultra’s general strategy of making EOSIO easy and transparent to use for the majority of users, we’ve dramatically simplified the resource management that users must do on the network.

RAM
Users no longer need to acquire RAM to create accounts, and many of the other actions associated with this resource are managed by Ultra. This means that the cost of an account for a user is nothing.

POWER
Ultra’s unique resource model merges CPU and NET into a single resource called POWER. Advanced users, like developers, will have granular access to this staking mechanism. Since Ultra provides free transactions that cover most user needs, they will never need to manually manage their staking on our network.

Because we made changes to such core features of EOSIO, a security audit was critical for Ultra to ensure that there were no unforeseen consequences that would impact either our users or developers in the future. Sentnl’s review allows us to move forward with these changes, confident that they will only positively impact our users, developers, and publishers.

Transaction Queue Protocol Changes

We have implemented a custom queue that orders transactions first by stake and then by network usage. Depending on the capacity of the network, users with nothing staked to the network can perform free transactions. Each transaction performed adds negative weight to that account, pushing it further down the queue.
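A toy model of the stake-then-usage ordering described above, added here as an illustration (it is not Ultra's queue implementation): senders are ranked by stake, ties are broken by accumulated usage weight, and every scheduled transaction adds weight to its sender. The account names, stakes and capacity are constructed.

```python
from collections import defaultdict


class StakeUsageQueue:
    """Pending transactions ordered by sender stake (high first), then by the
    sender's accumulated usage weight (low first). Assumed structure only."""

    def __init__(self, stakes):
        self.stakes = dict(stakes)        # account -> staked POWER (0 = free tier)
        self.usage = defaultdict(float)   # account -> negative weight from past txs
        self.pending = []                 # (account, tx_id), oldest first

    def submit(self, account, tx_id):
        self.pending.append((account, tx_id))

    def order_key(self, account):
        # Python sorts ascending, so negate stake to put the largest stake first.
        return (-self.stakes.get(account, 0), self.usage[account])

    def schedule(self, capacity):
        """Pick up to `capacity` transactions for the next block. The key is
        re-evaluated after every pick because the chosen sender's usage grows,
        so a sender flooding the queue is pushed behind quieter senders."""
        scheduled = []
        for _ in range(capacity):
            if not self.pending:
                break
            # min() returns the first minimal index, so equal keys fall back
            # to submission order.
            idx = min(range(len(self.pending)),
                      key=lambda i: self.order_key(self.pending[i][0]))
            account, tx_id = self.pending.pop(idx)
            self.usage[account] += 1.0    # each executed tx adds negative weight
            scheduled.append(tx_id)
        return scheduled


def demo():
    # Constructed scenario: one staked developer account, two free-tier users,
    # one of whom submits five transactions at once.
    q = StakeUsageQueue({"dev": 100, "alice": 0, "bob": 0})
    for n in range(1, 6):
        q.submit("alice", f"a{n}")
    q.submit("bob", "b1")
    q.submit("dev", "d1")
    first_block = q.schedule(capacity=4)   # staked first, then alice/bob alternate
    second_block = q.schedule(capacity=2)
    return first_block, second_block
```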

Sentnl has reviewed this mechanism and assured us that the implementation works well and does not have security issues that expose either our users or the network as a whole to abuse or manipulation of the queue.

Predicate System

As part of our larger strategy of providing developers with excellent tooling, we have developed a predicate system that allows developers to set actions to run depending on a predetermined resource threshold. This is an immensely powerful tool that allows for a degree of flexibility, freedom, and customization that currently does not exist on any other EOSIO platform.

Easy Blockchain Account Smart Contracts

There have also been many changes to how accounts are managed through the Ultra client via our revolutionary Easy Blockchain Account system.

We are in the process of patenting this system, and as such we cannot reveal too much about the specifics of how it functions. What is important is to assure our future users that their accounts and the assets that they hold are secure in a way that no blockchain has ever allowed for in the past.

No more lost keys. No more custodial services. Blockchain as it was meant to be!

On-chain Oracle for UOS/USD Conversion

Our blockchain team has developed an on-chain Oracle for UOS/USD so that we have access to real-time conversion rates of proven accuracy.

Sentnl has assured us that the methodology we use to pull data from the many data points we use (exchanges, aggregators), how we process the data, how we produce a moving average of the previous 24 hours, and how we push it on-chain is fraud resistant and works as expected. Below is a visualization tool built internally for QA use that pulls data and produces the moving average.

What you see here are the many data points from exchanges and aggregators graphed together with the 24-hour moving average (in purple) which we are pushing on-chain. This average takes into account large market movements and is fraud resistant against any one actor who wants to manipulate our market rate. Security is always our first and foremost priority.
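To show why a trailing 24-hour average across many sources limits what a single actor can do to the rate, here is an added illustration (not Ultra's oracle code) that assumes equal weighting of every in-window sample, hourly samples, and five constructed source names; a single source reporting a 10x outlier for one hour moves the published rate by its share of the window and ages out once the window rolls past it.

```python
from collections import deque

WINDOW_SECONDS = 24 * 3600


class MovingAverageOracle:
    """Trailing-window mean over (timestamp, source, price) samples. Assumed
    equal weighting; the real oracle's weighting is not described on the page."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.samples = deque()   # oldest first

    def add_sample(self, ts, source, price):
        self.samples.append((ts, source, price))

    def _expire(self, now):
        # Drop everything that has fallen out of the trailing window.
        while self.samples and self.samples[0][0] <= now - self.window:
            self.samples.popleft()

    def rate(self, now):
        """Rate that would be pushed on-chain at time `now`."""
        self._expire(now)
        if not self.samples:
            return None
        return sum(p for _, _, p in self.samples) / len(self.samples)


def simulate(sources=("ex1", "ex2", "ex3", "agg1", "agg2"), honest=1.00, spike=10.00):
    """Constructed scenario: 24 hourly samples per source at a flat honest
    price, with one source reporting `spike` in the final hour."""
    oracle = MovingAverageOracle()
    last_hour = 23 * 3600
    for hour in range(24):
        ts = hour * 3600
        for src in sources:
            price = spike if (src == sources[0] and ts == last_hour) else honest
            oracle.add_sample(ts, src, price)
    manipulated = oracle.rate(last_hour)       # one outlier among 120 samples
    # Another 24 hours of honest samples push the outlier out of the window.
    for hour in range(24, 48):
        for src in sources:
            oracle.add_sample(hour * 3600, src, honest)
    recovered = oracle.rate(47 * 3600)
    return manipulated, recovered
```

With 120 samples in the window, the outlier shifts the rate from 1.00 to 1.075 rather than to 10.00, and the rate returns to 1.00 once the window has moved on.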

How Sentnl performed the Ultra audit

As described by Sentnl, each project is broken down into its basic elements: the codebase, the business case, and how it will operate when live. These elements are used to create a threat model map. This map becomes the foundation of the audit process, which includes both a line-by-line code read and fuzzing.

First, using their knowledge of other EOSIO chains and of how each contract operates on our system, they performed a functional and operational analysis and did a line read looking for any bugs. Second, they performed a code fuzz on the EOSIO code base and functions using a proprietary fuzzer developed by one of their experts.

A line-by-line code read ensures that the security team understands the base functionality and implementation at an intimate level. They covered tens of thousands of lines of code manually, searching for things like memory leaks, use of iterators in unexpected ways, or other holes which a malicious user could use as a basis for attack.

Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. Fuzzing was used on the CDT used to compile the smart contracts. This helped Sentnl to assess whether any bugs in the CDT could cause problems for the otherwise well written, bug-free smart contracts.

Using both of these processes maximized the number of bugs and attack vectors that were accounted for.

A Big Thanks to the Sentnl Team

Ultra and the blockchain team would like to send a big thank you to the Sentnl team for their hard work and diligence. The peace of mind that they have helped us reach is beyond valuable.

About Ultra

Ultra is the first entertainment platform providing all key games industry services under a single roof, accessible through a single login.

Built around our PC games distribution store, Ultra Games, our platform will provide access to countless centralized and decentralized services: Discover, buy, play and sell your games and in-game items, watch live-streaming feeds, interact with your favorite influencers, participate in contests, compete in tournaments, and much more.

Ultra has been built to provide endless value for players, a fair playing ground for developers, and a whole new world of opportunities for the games industry.

For more information, visit ultra.io and onultra.io and follow along on Twitter, YouTube, Telegram, and Discord.
