brahma console A storage and DeFi execution environment built as follows: safe Used as a custody rail, it enables granular access control through transaction policies and roles, as well as automated execution.
Brahma leveraged the Ackee Blockchain to perform a security review of commit 3578883 of the Brahma protocol with total time donations. 8 engineering days in the period between September 25th and October 5, 2023.
methodology
We began our review using a static analysis tool called Woke. We then took a closer look at the logic of the contract. Used Woke testing framework for testing and fuzzing.
We prepared a fuzz test covering the entire project, which yielded H1 and M1 problems.
During the review process, we paid special attention to the following:
- All kinds of signature validation and testing
- Check for possible registry manipulation
- Check for possible replay attacks
- Ensures that guards are not bypassed or lead to DoS
- Ensure access controls are neither too relaxed nor too strict
- Detect possible reentrancy in your code
- I’m looking for common problems like data validation.
range
The audit was performed on commit 3578883 and scoped:
- AddressProvider.sol
- AddressProviderService.sol
- constant.sol
- ExecutorPlugin.sol
- PolicyValidator.sol
- SafeDeployer.sol
- SafeEnabler.sol
- SafeModerator.sol
- SafeModeratorOverridable.sol
- TransactionValidator.sol
- ExecutorRegistry.sol
- PolicyRegistry.sol
- WalletRegistry.sol
- SafeHelper.sol
- TypeHashHelper.sol
For revision 1.1, a review was performed on the specified commit (4589ec4) and the scope was only results.
result
Here we have our result.
critical severity
No critical severity issues were found.
Severity High
H1: Console Permanent Denial of Service
medium severity
M1: _isGuardBeingRemoved check malfunction
low severity
L1: You can enable Console Guard without a policy.
warning severity
W1: Approved addresses cannot be revoked.
W2: CallType in different order than safety task
W3: The registry address cannot be changed.
Information Severity
I1: old document
conclusion
Here are the results of our review: 7 findingsup to information to High Seriousness. The most serious thing discovered through fuzz testing was the possibility of denial of service (H1). Otherwise, the codebase is good quality and well designed.
Currently, H1 and M1 issues have been resolved by the Brahma team.
We recommended to Brahma:
- Update documentation according to the new codebase.
- Addresses all other reported issues.
Ackee blockchain is full steer You can find the audit report with a more detailed description of all findings and recommendations. here.
We were happy to give our thanks. steer We look forward to working with them again.