Blockchain Mainnet Security Audit

The SlowMist team adopts the strategy of "Black-box + Gray-box" to conduct a complete security test on the project in the way closest to the real attack.

P2P

• Sybil Attack
• Eclipse Attack
• Eavesdropping Attack
• Denial of Service Attack
• BGP Hijack Attack
• Alien Attack
• Timejacking

RPC

• Eavesdropping Attack
• Denial of Service Attack
• The Ethereum Black Valentine's Day Vulnerability
• Http Input Attack
• Cross-domain Phishing Attack

Consensus

• Long Range Attack
• Bribery Attack
• Race Attack
• Liveness Denial
• Censorship
• Finney Attack
• Vector76 Attack
• Alternative Historical Attack
• 51% Attack
• Grinding Attack
• Coin Age Accumulation Attack
• Selfing Mining
• Block Double Production

Encryption

• Cryptographic Attacks
• Private Key Prediction
• Length Extension Attack

Transaction

• Transaction Replay Attack
• Transaction Malleability Attack
• Time-locked Transaction Attack
• False Top-up Attack
• Rug Pull Attack

Blockchain Common Vulnerability List：https://github.com/slowmist/Cryptocurrency-Security-Audit-Guide/blob/main/Blockchain-Common-Vulnerability-List.md

Cryptocurrency Exchange Listing Security Audit

The SlowMist team adopts the strategy of "Black-box + Gray-box" to conduct a complete security test on the project in the way closest to the real attack. The SlowMist team examines the most concerned vulnerabilities of exchanges, they are as follows:

• Private Key Prediction
• Rug Pull Attack
• Insecure Encryption Library
• Transaction Malleability Attack
• Transaction Replay Attack
• False Top-up Attack
• RPC Theft

This audit scheme is characterized by its low cost and short time. It’s most suitable for blockchains that are based on secondary development of more mature projects, such as Bitcoin-Core, Go-Ethereum, Bitshares, EOSIO, etc.

Code-based Testing Audit

The SlowMist team adopts the strategy of "White-box" to conduct a complete security test on the project.

1. Static Source Code Analysis (SAST)

The SlowMist team checks code quality using open source or commercial code scanners, we support all popular language, such as C/C++/Golang/Rust/Java/Nodejs/C#

2. Manual Code Review

The SlowMist team manually checks the code line by line, looking for common coding pitfalls as follows:

• State Consistency
• Fail Rollback
• Numerical Overflow
• Parameter Verification
• Error Handle
• Boundary Check
• Unit Test Coverage

Community Customized Audit Plan

Based on the characteristics of certain blockchains, such as Polkadot and Cosmos, we have implemented customized security audit measures.

Take Polkadot for example. The Polkadot ecological project uses Substrate as its developmental framework. Developers can focus on the implementation of their business logic without paying attention to the integration of underlying network components and ledgers. Based on these characteristics, we abandoned the blockchain audit project. With regards to the network layer, consensus layer, cryptography, and other underlying modules, we’ve added more detailed audit entries. Those entries added are as follows:

• Replay Attack
• Rearrangement Attack
• Conditional Race Attack
• Access Control Attack
• Block Data Dependency Attack
• Explicit Visibility of Function State Variables
• Arithmetic Precision Error
• Malicious Event Audit
• State Consistency Audit
• Failed Rollback Audit
• Unit Test Audit
• Numerical Overflowing Audit
• Parameter Verification Audit
• Error Trapping Audit
• Bounds Check Audit
• Weights Audit
• Macros Audit