Rhinestone is dedicated to turning smart accounts into an open platform for innovation. They aim to create a secure and interoperable ecosystem of modules, facilitate permissionless smart account innovation, and enable developers to build powerful on-chain products with a seamless UX.
The module registry is the foundational layer of Rhinestone’s technology stack. Its primary function is to store on-chain security claims made by independent auditors, thereby enforcing standards and security assurances for users and developers.
Linestone has contracted with Ackee Blockchain to conduct a security review of the Linestone Module Registry for a total of 7 days from April 10, 2024 to April 19, 2024.
methodology
We started our review using static analysis tools. wake up With the Tools for Solidity VS Code extension. Then we delved deep into the logic of the contract. We used the Wake testing framework for testing and fuzzing.
During our review, we paid special attention to the following:
- Verifying module deployment cannot be abused.
- Detects possible reentrancy in your code.
- Identify possible frontrunners,
- Confirm denial of service attack,
- Ensure that access control is neither too lax nor too strict.
- I’m looking for general issues like data validation.
range
An audit was performed on the commit. 6f5e84aThe exact scope is the following files:
- ./Core/Attestation.sol
- ./core/AttestationManager.sol
- ./core/modulemanager.sol
- ./core/resolvermanager.sol
- ./core/schemamanager.sol
- ./core/signatureteststation.sol
- ./core/trustmanager.sol
- ./core/TrustManagerExternalAttesterList.sol
- ./lib/AttestationLib.sol
- ./lib/helpers.sol
- ./lib/module distribution library.sol
- ./lib/moduletypelibrary.sol
- ./lib/stublib.sol
- ./lib/trustlib.sol
- ./common.sol
- ./datatype.sol
- ./registry.sol
result
Here we present our research findings.
Critical severity
No serious problems were found.
High severity
H1: threshold = 1 Optimized DoS
Medium severity
M1: Random call to factory
M2: The prover is not duplicate-removed.
M3: registerModule Front runner
M4: trustAttesters Depressed
Low severity
L1: Resolver 1-stage ownership transfer
Warning Severity
W1: Denial of distribution and attestation services
W2: Inconsistent rollback error
W3: EIP-712 Compliant
W4: findTrustedAttesters Revert if there is no prover
W5: trustAttesters No address verification
W6: Inconsistent data validation
W7: TrustLib High bit is not cleared
Information Severity
I1: Multiple interfaces
I2: Inconsistent parameter naming
I3: Duplicate code
I4: Modifier Placement
I5: There is no NatSpec documentation.
I6: _storeAttestation False comments
I7: NewTrustedAttesters event
conclusion
Our review yielded 20 findings ranging from informational to high severity.
Ackee Blockchain recommends Rhinestone as follows:
- Remove optimization
threshold = 1, - Separate factory logic into neutral contracts.
- Addressing the risks of being a leader,
- Implements two-step ownership transfer.
- Addresses all other reported issues.
Ackee Blockchain’s full Rhinestone Audit Report, which includes a more detailed explanation of all findings and recommendations, can be found here.
We are very happy to have appreciated Rhinestone and look forward to working with you again in the future.