Scouting Vulnerabilities and Detection Techniques in Substrate
Abstract
Analysis tools are needed to identify and mitigate security flaws early in pallet and runtime development, before code is deployed. Currently, there are no adequate tools available to detect vulnerabilities in pallets, even among the tools designed for general Rust code or for smart contracts. This gap exists regardless of a developer's skill level: most existing techniques are not only too complex for regular developers to apply, but also fail to address the specific vulnerabilities that can be introduced in pallets. We want to build that tool and make it useful for developers who are not highly skilled in security.
Our proposal aims to bridge this gap by researching a variety of vulnerability detection tools and techniques. We intend to identify techniques that allow for effective vulnerability detection and that can be seamlessly incorporated into the development workflow of Substrate developers.
About Scout
At CoinFabrik, we believe that making a blockchain secure requires integrating vulnerability detection and best practices into the development lifecycle of developers. As proud members of the Polkadot Assurance Legion, we contend that raising the quality standards of projects before their first audit benefits the entire ecosystem.
This is why we developed Scout: Bug Fighter, your open-source companion for secure blockchain development.
In 2023, we focused on integrating Scout into the development cycle of ink! smart contracts. In collaboration with the University of Buenos Aires, we researched the detection techniques applicable to finding bugs in Rust-based smart contracts. With the support of Web3 Foundation and Aleph Zero, we built Scout, an open-source static analyzer that detects up to 23 classes of smart contract vulnerabilities in ink! code.
To fulfill our vision of bringing secure best practices into the hands of developers, we developed a solution, with both a command-line interface (CLI) and a VSCode Extension, enabling developers to spot vulnerabilities while coding their smart contracts.
Now, a year after beginning our journey, we aim to extend Scout from the realm of smart contract development to parachain development.
Our Plan: Expand Scout’s technology stack for Substrate
Developing secure smart contracts and pallets is crucial, as vulnerabilities can lead to significant losses or compromises within a blockchain network. Developers often inadvertently introduce vulnerabilities into their code which, once deployed, can be exploited by attackers at any moment. For instance, a flaw in a minting function (a missing origin check or unchecked arithmetic on the total issuance) could allow an attacker to mint an unlimited amount of tokens, with severe consequences for the entire parachain.
Detecting these vulnerabilities is not straightforward. Identifying security flaws in code has been an open problem for decades, as evidenced by the continuous introduction of bugs in C code despite 40 years of advancements in analysis tools. A good analysis tool triggers alerts for real vulnerabilities while minimizing false positives and without missing critical flaws. Various computer science techniques have been applied to this problem across programming languages, including linting. Linting analyzes a program's source, from its syntax down to the compiler's typed intermediate representation in tools like Clippy, to identify errors or bad practices without executing it.
For the development of Scout for ink! smart contracts, we explored a range of static and dynamic analysis tools in search of a solution that could seamlessly integrate into the developers' workflow. We settled on Dylint as our primary approach: a Rust linting tool similar to Clippy, but one that loads lints from dynamic libraries so that new sets of lints can be added without rebuilding the tool. Our methodology was straightforward: we identified classes of vulnerabilities relevant to smart contracts, created a vulnerable and a remediated test-case smart contract for each class, and then developed detectors that flagged the vulnerable version without flagging the remediated one.
Our intention is to replicate the same strategy for pallets. This time, our goal is to identify tools and techniques that detect vulnerabilities and deviations from best practices in Substrate pallets instead of ink! smart contracts. Integrating these techniques with Scout would let developers incorporate them into the secure development lifecycle of their projects, either through the hover-over warnings our VSCode Extension offers or through the vulnerability reports generated by our CLI.
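As an added illustration of the vulnerable/remediated test-case pair that this methodology relies on, applied to the minting example above (example code, not CoinFabrik's or Scout's own, and not a real detector): the following plain-Rust model stands in for a FRAME pallet so that it compiles without frame_support. The `Origin` enum, the `Error` variants and the `TokenPallet` struct are assumptions made for the illustration. The vulnerable `mint_vulnerable` lets any signed origin mint and uses wrapping arithmetic, which is what unchecked `+` does once overflow checks are off, so `total_issuance` silently wraps; `mint_remediated` requires Root and uses checked arithmetic, failing the call instead of corrupting state. A detector in the spirit of Scout would flag the first and stay silent on the second.

```rust
// Added example (not Scout's or CoinFabrik's code): a stand-alone model of a
// minting extrinsic in its vulnerable and remediated forms. Origin, Error and
// TokenPallet are assumptions made for illustration, not FRAME types.
use std::collections::HashMap;

type AccountId = u32;
type Balance = u64;

/// Simplified stand-in for a FRAME origin (assumption for this example).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Origin {
    Root,
    Signed(AccountId),
}

#[derive(Debug, PartialEq, Eq)]
pub enum Error {
    BadOrigin,
    Overflow,
}

/// Minimal token state: per-account balances plus the total issuance.
#[derive(Default)]
pub struct TokenPallet {
    pub balances: HashMap<AccountId, Balance>,
    pub total_issuance: Balance,
}

impl TokenPallet {
    /// Vulnerable version: the origin is never inspected, so any signed caller
    /// can mint, and the arithmetic wraps (what unchecked `+` does with
    /// overflow checks off), so total_issuance can be driven to any value.
    pub fn mint_vulnerable(&mut self, _origin: Origin, to: AccountId, amount: Balance) {
        let bal = self.balances.entry(to).or_insert(0);
        *bal = bal.wrapping_add(amount);
        self.total_issuance = self.total_issuance.wrapping_add(amount);
    }

    /// Remediated version: only Root may mint, every addition is checked, and
    /// state is written only after all checks pass (verify first, write last).
    pub fn mint_remediated(
        &mut self,
        origin: Origin,
        to: AccountId,
        amount: Balance,
    ) -> Result<(), Error> {
        if origin != Origin::Root {
            return Err(Error::BadOrigin);
        }
        let new_total = self.total_issuance.checked_add(amount).ok_or(Error::Overflow)?;
        let current = self.balances.get(&to).copied().unwrap_or(0);
        let new_bal = current.checked_add(amount).ok_or(Error::Overflow)?;
        self.balances.insert(to, new_bal);
        self.total_issuance = new_total;
        Ok(())
    }
}

/// Runs the same attacker scenario against both versions and returns the
/// resulting total issuance of each: (vulnerable, remediated).
pub fn attacker_scenario() -> (Balance, Balance) {
    let attacker = Origin::Signed(7);

    // Vulnerable: a non-root caller mints, then overflows the total issuance.
    let mut v = TokenPallet::default();
    v.mint_vulnerable(attacker, 7, 100);
    v.mint_vulnerable(attacker, 7, Balance::MAX); // 100 + MAX wraps to 99

    // Remediated: both calls are rejected and state is untouched.
    let mut r = TokenPallet::default();
    let _ = r.mint_remediated(attacker, 7, 100);
    let _ = r.mint_remediated(attacker, 7, Balance::MAX);

    (v.total_issuance, r.total_issuance)
}

fn main() {
    let (vulnerable_total, remediated_total) = attacker_scenario();
    println!("vulnerable total issuance after attack: {vulnerable_total}");
    println!("remediated total issuance after attack: {remediated_total}");
}
```

The pair is deliberately minimal: the only differences between the two functions are the origin check and the checked arithmetic, which is exactly the property a detector test case needs so that a lint firing on one and not the other is attributable to the vulnerability and not to incidental code.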
This time, we seek to engage more closely with the community in compiling test cases, ensuring a comprehensive and effective approach to securing the ecosystem.
How to Collaborate with us?
We appreciate any insights or references that could help us narrow down our search and add the most current vulnerability classes and techniques into our open source tool. In particular, we are reaching out to find:
- Instances of known vulnerability classes in Substrate code and pallets.
- Reports of audits performed on Substrate code and pallets.
- Previous public research or open-source tool adaptations focused on vulnerability detection in Substrate code and pallets.
Overall, our goal is to help developers incorporate security best practices into their workflows. If you are interested in the sort of open-source solution we propose, please share any insights or suggestions in the comments.