The Neon EVM is a tool that allows Ethereum-like transactions to be processed on Solana, taking full advantage of the functionality native to Solana, including the ability to execute transactions in parallel. As such, the Neon EVM allows dApps to operate with the low gas fees, high transaction speed, and high throughput of Solana, while also offering access to the growing Solana market.
Neon Labs engaged Ackee Blockchain to review and audit their Neon EVM contract between September 26 and November 4, 2022. The entire audit process was conducted with a total time commitment of 33 engineering days. We now publish a summary of our results.
Reviewing the specifications, sources, and instructions provided to us is essential to ensure we understand the project’s size, scope, and functionality. This is followed by a detailed manual code review, which is the process of reading the source code line by line to identify potential vulnerabilities.
When the code review is complete, we run client’s tests to ensure the system works as expected and potentially write missing unit or fuzzy tests using our testing framework Trdelnik. We also deploy programs locally and try to attack and break the system.
During the security review, we paid particular attention to the following questions:
- Is the correctness of the custom EVM ensured?
- Do the program correctly use dependencies or other programs they rely on (e.g., SPL dependencies)?
Is the code vulnerable to any form of unintended manipulation?
Here we present our findings.
No critical severity issues were found.
No high severity issues were found.
M1: Selfdestruct early evaluation
M2: The emulation of the spl_associated_token_program will not work
L1: Precompiled ecrecover behaves incorrectly
W1: Differences in the system program emulation
I1: Redundant account check
I2: Unnecessary owner check
I3: Unnecessary instruction argument
I4: Unnecessary holder owner validation
Our review resulted in 8 findings ranging from Informational to Medium severity.
Since this was not a classic Solana program, two auditors were involved in the audit – one Solana auditor who checked the evm_loader and one Ethereum auditor who verified the implementation of the EVM itself.
We recommended Neon Labs to:
- address all reported issues.
Update: On November 1, 2022, Neon Labs provided an updated codebase that addresses the reported issues. All of the findings were fixed, except I4. A detailed discussion of the exact status of each issue can be found in the the report.
Ackee Blockchain’s full Neon EVM contract audit report with a more detailed description of all findings and recommendations can be found here.
We were delighted to audit Neon Labs and look forward to working with them again.