Neon Labs engaged Ackee Blockchain to review and audit their SPL Governance contract between June 27 and July 22, 2022. The entire audit process was conducted with a total time commitment of 26 engineering days. We now publish a summary of our results.
The beginning of the audit was dedicated to understanding the SPL Governance program.
Reviewing the specifications, sources, and instructions provided to us is essential to ensure we understand the project’s size, scope, and functionality. This is followed by a detailed manual code review, which is the process of reading the source code line by line to identify potential vulnerabilities.
When the code review is complete, we run client’s tests to ensure the system works as expected and potentially write missing unit or fuzzy tests using our testing framework Trdelnik. We also deploy programs locally and try to attack and break the system.
We audited commit f13d7e7c1507819306797688ce0bb1f6950a5038 of the neonlabsorg/neon-spl-governance repository, specifically programs: maintanance/program, addin-fixed-weights/program, addin- vesting/program, governance-lib.
During the security review, we paid particular attention to the following questions:
- Is the correctness of the custom addins ensured (does it correctly implement spl-governance contract specification)?
- Do the program correctly use dependencies or other programs they rely on (e.g., SPL dependencies)?
- Is the code vulnerable to voting manipulation?
Here we present our findings.
C1: Possibility to manipulate a voting process while using the fixed-weights addin
C2: When using the addin-vesting (for realm), the first user will be able to decide on any proposal after his deposit
No high severity issues were found.
M1: Possibility to decide on a proposal without a sufficient voting weight
M2: Possibility of a DoS attack that prevents the creation of a valid maintenance record
L1: Using find_program_address instead of create_program_address
No warning severity issues were found.
I1: Unused account
I2: Misleading docs
I3: Hanging accounts
Our review resulted in 8 findings ranging from Informational to Critical severity.
The most severe one (C1) would allow the attacker to increase the weight of their vote to such an extent that they could practically decide on any proposal themselves. It was immediately reported to the client.
We recommended Neon Labs to:
- address all reported issues;
- monitor the SPL governance program and apply major changes in the future, as the program is still in active development.
Update: On September 5, 2022, Neon Labs provided an updated codebase that addresses the reported issues. All of the findings were acknowledged and some of them fixed (C1, M2, I1, I2, partially I3). A detailed discussion of the exact status of each issue can be found in Appendix A of the report.
Ackee Blockchain’s full SPL Governance contract audit report with a more detailed description of all findings and recommendations can be found here.
We were delighted to audit Neon Labs and look forward to working with them again.