The Neon EVM is a tool that allows Ethereum-like transactions to be processed on Solana, taking full advantage of the functionality native to Solana, including the ability to execute transactions in parallel. As such, the Neon EVM allows dApps to operate with the low gas fees, high transaction speed, and high throughput of Solana, while also offering access to the growing Solana market.

Neon Labs engaged Ackee Blockchain to review and audit their Neon EVM contract between September 26 and November 4, 2022. The entire audit process was conducted with a total time commitment of 33 engineering days. We now publish a summary of our results.

Methodology

The beginning of the audit was dedicated to understanding the Neon EVM program.

Reviewing the specifications, sources, and instructions provided to us is essential to ensure we understand the project’s size, scope, and functionality. This is followed by a detailed manual code review, which is the process of reading the source code line by line to identify potential vulnerabilities. 

When the code review is complete, we run the client's tests to ensure the system works as expected and, where needed, write missing unit or fuzz tests using our testing framework Trdelnik. We also deploy the programs locally and try to attack and break the system.

Scope 

We audited commit eeed4c4fd55e09d30a6a7ae4253a31bdd0bb7a35 of the neonlabsorg/neon-evm repository and commit 49bd848e08502010f6d5f31aa5cea4dac65eaad7 of the neonlabsorg/evm repository.

During the security review, we paid particular attention to the following questions:

  • Is the correctness of the custom EVM ensured?
  • Does the program correctly use the dependencies and other programs it relies on (e.g., SPL dependencies)?
  • Is the code vulnerable to any form of unintended manipulation?

Findings

Here we present our findings.

Critical severity 

No critical severity issues were found.

High severity 

No high severity issues were found.

Medium severity

M1: Selfdestruct early evaluation

M2: The emulation of the spl_associated_token_program will not work

Low severity

L1: Precompiled ecrecover behaves incorrectly

Warning severity 

W1: Differences in the system program emulation

Informational severity 

I1: Redundant account check

I2: Unnecessary owner check

I3: Unnecessary instruction argument

I4: Unnecessary holder owner validation

Conclusion

Our review resulted in 8 findings ranging from Informational to Medium severity.

Since this was not a classic Solana program, two auditors were involved in the audit – one Solana auditor who checked the evm_loader and one Ethereum auditor who verified the implementation of the EVM itself.

We recommended Neon Labs to:

  • address all reported issues.

Update: On November 1, 2022, Neon Labs provided an updated codebase that addresses the reported issues. All of the findings were fixed, except I4. A detailed discussion of the exact status of each issue can be found in the report.


Ackee Blockchain’s full Neon EVM contract audit report with a more detailed description of all findings and recommendations can be found here.


We were delighted to audit Neon Labs and look forward to working with them again.