Scouting Vulnerabilities and Detection Techniques in Substrate

Abstract

The necessity for analysis tools emerges as a pivotal need to preemptively identify and mitigate security flaws in pallet and runtime development. Currently, there are no adequate tools available to detect vulnerabilities in pallets, even when considering the tools designed for Rust code or smart contracts. This lack of targeted tools exists regardless of a developer’s skill level. Most existing techniques are not only unsuitable for regular developers due to their complexity but also fail to address the specific vulnerabilities that can be introduced in pallets. We want to create that tool, and make it useful for developers who are not highly skilled in security.

Our proposal aims to bridge this gap by researching a variety of vulnerability detection tools and techniques. We intend to identify techniques that allow for effective vulnerability detection and that can be seamlessly incorporated into the development workflow of Substrate developers.

About Scout

At CoinFabrik, we believe that making a blockchain secure requires integrating vulnerability detection and best practices into the development lifecycle of developers. As proud members of the Polkadot Assurance Legion, we contend that raising the quality standards of projects before their first audit benefits the entire ecosystem.

This is why we developed Scout: Bug Fighter, your open-source companion for secure blockchain development.

In 2023, we focused on integrating Scout into the development cycle of ink! smart contracts. In collaboration with the University of Buenos Aires, we conducted research on different detection technologies applicable for detecting bugs in Rust-based smart contracts. With the support of Web3 Foundation and Aleph Zero, we built Scout, an open-source static analyzer that detects up to 23 smart contract vulnerabilities in ink! code.

To fulfill our vision of bringing secure best practices into the hands of developers, we developed a solution, with both a command-line interface (CLI) and a VSCode Extension, enabling developers to spot vulnerabilities while coding their smart contracts.

Now, a year after beginning our journey, we aim to extend Scout from the realm of smart contract development to parachain development.

Our Plan: Expand Scout’s technology stack for Substrate

Developing secure smart contracts and pallets is crucial as vulnerabilities can lead to significant losses or compromises within a blockchain network. Developers often inadvertently introduce vulnerabilities into their code, which, once deployed, can be exploited by attackers at any moment. For instance, a flaw in minting functions could potentially allow an attacker to mint an unlimited amount of tokens, leading to severe consequences for the entire parachain.

Detecting these vulnerabilities is not straightforward. The challenge of identifying security flaws in code has been an open problem for decades, as evidenced by the continuous introduction of bugs in C code despite 40 years of advancements in analysis tools. The goal of a good analysis tool is to trigger alerts for real vulnerabilities while minimizing false positives and not missing any critical flaws. Various computer science techniques have been applied to tackle this issue across different programming languages, including linting. Linting involves analyzing the syntax of a program to identify errors or bad practices.

For the development of Scout for ink! smart contracts, we explored a range of static and dynamic analysis tools in search of a solution that could seamlessly integrate into the developers’ workflow. We settled on developing linting detectors with Dylint as our primary approach, a Rust linting tool similar to Clippy but which allows the addition of dynamic sets of lints. Our methodology was straightforward: we identified classes of vulnerabilities relevant to smart contracts, we created vulnerable and remediated test-case smart contracts for each class, and then developed detectors that accurately identified the vulnerabilities without flagging the remediated versions.

Our intention is to replicate the same strategy for pallets. This time, our goal is to identify tools and techniques that could be implemented to detect vulnerabilities and deviations from best practices in Substrate pallets instead of ink! smart contracts. Integrating these techniques with Scout would allow developers to easily incorporate their usage into the secure development lifecycle of their projects, particularly using the hover-over warnings our tool offers through the VSCode Extension, or the vulnerability reports generated through our CLI.

This time, we seek to engage more closely with the community in compiling test cases, ensuring a comprehensive and effective approach to securing the ecosystem.

How to Collaborate with us?

We appreciate any insights or references that could help us narrow down our search and add the most current vulnerability classes and techniques into our open source tool. In particular, we are reaching out to find:

  • Instances of known vulnerability classes in Substrate code and pallets.
  • Reports of audits performed on Substrate code and pallets.
  • Previous public research or open source tool adaptations focused on vulnerability detection on Substrate code and pallets.

Overall, our goal is to help developers to incorporate security best practices into their workflows. If you are interested in the sort of open-source solution we propose, please share any insights or suggestions in the comments.

18 Likes
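The minting flaw mentioned in the proposal, and the "vulnerable and remediated test case per vulnerability class" methodology it describes, are easier to picture with a concrete pair. The block below is an added illustration, not code from Scout, CoinFabrik or any Substrate pallet: it models an unrestricted-minting bug and its fix in plain Rust with no FRAME dependency, so it compiles stand-alone. The names `Origin`, `Ledger`, `MintError`, `mint_vulnerable` and `mint_remediated` are assumptions chosen for the example; in a real pallet the checks would be `ensure_root`/`ensure_signed` on the dispatch origin, checked arithmetic, and a supply cap enforced before storage is written.

```rust
// Added example (not Scout's or any pallet's code): a dependency-free model of
// the "unrestricted minting" vulnerability class, written as the kind of
// vulnerable/remediated test-case pair a lint detector is developed against.
// `Origin`, `Ledger` and `MintError` are illustrative stand-ins, not FRAME types.

use std::collections::HashMap;

type AccountId = u32;
type Balance = u128;

/// Simplified stand-in for a dispatch origin: the chain's root origin or a
/// signed transaction from some account.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Origin {
    Root,
    Signed(AccountId),
}

#[derive(Debug, PartialEq, Eq)]
pub enum MintError {
    BadOrigin,
    Overflow,
    SupplyCapExceeded,
}

/// Token ledger with a hard cap on total issuance.
pub struct Ledger {
    balances: HashMap<AccountId, Balance>,
    total_issuance: Balance,
    max_supply: Balance,
}

impl Ledger {
    pub fn new(max_supply: Balance) -> Self {
        Ledger { balances: HashMap::new(), total_issuance: 0, max_supply }
    }

    pub fn balance_of(&self, who: AccountId) -> Balance {
        *self.balances.get(&who).unwrap_or(&0)
    }

    pub fn total_issuance(&self) -> Balance {
        self.total_issuance
    }

    /// VULNERABLE test case: the origin is received but never checked, so any
    /// signed account can mint; there is no supply cap, and wrapping arithmetic
    /// silently corrupts balances on overflow.
    pub fn mint_vulnerable(&mut self, _origin: Origin, to: AccountId, amount: Balance) {
        let entry = self.balances.entry(to).or_insert(0);
        *entry = entry.wrapping_add(amount);
        self.total_issuance = self.total_issuance.wrapping_add(amount);
    }

    /// REMEDIATED test case: only Root may mint, every addition is checked, and
    /// the new total issuance must stay within `max_supply`. State is written
    /// only after all checks pass.
    pub fn mint_remediated(
        &mut self,
        origin: Origin,
        to: AccountId,
        amount: Balance,
    ) -> Result<(), MintError> {
        if origin != Origin::Root {
            return Err(MintError::BadOrigin);
        }
        let new_total = self
            .total_issuance
            .checked_add(amount)
            .ok_or(MintError::Overflow)?;
        if new_total > self.max_supply {
            return Err(MintError::SupplyCapExceeded);
        }
        let new_balance = self
            .balance_of(to)
            .checked_add(amount)
            .ok_or(MintError::Overflow)?;
        self.balances.insert(to, new_balance);
        self.total_issuance = new_total;
        Ok(())
    }
}

fn main() {
    // Constructed scenario: an ordinary signed account tries to mint far above the cap.
    let mut bad = Ledger::new(1_000);
    bad.mint_vulnerable(Origin::Signed(7), 7, 1_000_000);
    println!("vulnerable ledger: account 7 holds {}", bad.balance_of(7));

    let mut good = Ledger::new(1_000);
    println!("{:?}", good.mint_remediated(Origin::Signed(7), 7, 500));
    println!("{:?}", good.mint_remediated(Origin::Root, 7, 500));
    println!("{:?}", good.mint_remediated(Origin::Root, 7, 501));
}
```

A detector built the way the proposal describes would be expected to flag `mint_vulnerable` (an origin parameter that is never checked, unchecked arithmetic on a balance) and stay silent on `mint_remediated`; keeping both versions side by side is what lets the detector's true-positive and false-positive behaviour be checked in the same test file.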

Glad to be a part of the amazing team behind Scout! Here are some references that we’ve gathered so far:

5 Likes

Correct. Such a tool would add a lot of value to the Polkadot ecosystem. Detecting vulnerabilities is difficult for any developer (even the most experienced ones). These vulnerabilities are usually discovered once a hacker exploits them. Preventing these exploits, or even reducing their frequency, would be very beneficial.

Overall, this is a great initiative!

3 Likes

Thanks, @CoinFabrik for this initiative and for the work you are doing. I am sure that a reliable and safe ecosystem is all we need if we want to reach a wide Polkadot acceptance.

Static analysis is a powerful tool and after reviewing the code on GitHub I can say that I like your approach. I think many attack vectors are based on logical mistakes made in code so certain hacks can be considered regardless of a chain (like price manipulation); thus, it can make sense to consider reviewing and replicating some functionality of well-known scanners and tools from Ethereum.

2 Likes