Smart Contracts Code Review and Web Application Penetration Testing

Client

Yggdrasil is an ecosystem of DeFi applications with a native token, EDDA.

The Yggdrasil ecosystem consists of:

  • Decentralized Asset Management – Yggdrasil’s Vault and Gain platforms provide automated yield optimization. The crypto assets are allocated across different DeFi protocols by the smart contracts.
  • NFTs and Digital Art – Yggdrasil has partnered with leading motion graphic designers and 3D artists to create a specially curated collection of digital art and NFTs that will be exclusively accessible to EDDA Token holders.
  • EDDASwap – EDDASwap is a decentralized exchange to facilitate permission-less listing and trading of crypto assets across blockchains.
  • Decentralized Launchpad – the platform will allow crypto projects to raise capital in a decentralized manner, and will provide EDDA Token holders the opportunity to purchase tokens at seed stage valuations.

Challenge

The main challenge was to verify that the contracts behave as their specification requires and to identify the vulnerabilities an attacker could exploit.

Goals of the smart contract audit:

  1. Find contract bugs that could lead to unexpected behaviour.
  2. Check whether best practices were applied during contract development.
  3. Provide recommendations to improve contract security and readability.
  4. Identify inconsistencies between the specification and the implementation.
  5. Identify defective design, logic, and access control.
  6. Check for arithmetic (integer) overflow and underflow.
  7. Check for reentrancy, code injection, and denial-of-service attacks.
  8. Check for miner manipulation of block timestamps and transaction ordering (transaction order dependency, TOD).

Solution

The Hackcontrol team scanned the smart contracts with static analysis tools, manually verified the reported findings, and conducted a line-by-line review of the code.

The smart contracts were tested to check their business logic and blockchain interactions. The tests covered each contract and included different use cases.

A technical report with remediation recommendations was provided to improve contract security.

Web Application & API Penetration Testing

Challenge

The main challenge was to detect vulnerabilities and weaknesses that could violate the confidentiality, integrity or availability of information, cause incorrect system operation or denial of service, lead to financial losses or economic risk, or even cause the token sale to fail.

Goals of penetration testing:

  • identify technical and functional vulnerabilities and rate their severity (ease of exploitation and impact on the information systems)
  • produce a prioritized list of recommendations to address the identified weaknesses

Scope of penetration testing:

  • Company websites
  • API (stage & production environments)

Solution

Hackcontrol carried out a penetration test of the client's web application, infrastructure, and API following the industry-standard methodology for web application penetration testing (the OWASP Testing Guide).

First, Hackcontrol gathered information about the client's in-scope IT systems and ran automated vulnerability scans to prepare the security experts for the active testing phase.

Hackcontrol then analysed the vulnerabilities and threats affecting the application and API. Vulnerability detection combined with realistic attack simulation revealed several issues in the application.

Although the application had a small IT footprint and its API sat behind Cloudflare, the Hackcontrol team still found vulnerabilities: a CDN or WAF in front of an API filters some attack traffic, but it does not fix flaws in the application logic behind it. Had these issues gone undetected, the client could have faced problems conducting its token sale.

Finally, a report with recommendations for improving the client's security was provided.

Types of vulnerabilities and configurations checked by Hackcontrol:

  • Cross-site scripting (XSS) and cross-site request forgery (CSRF)
  • Injection (SQL, NoSQL, XPath)
  • Local and remote file inclusion
  • Access control mechanisms
  • Web server configuration
  • Error handling
  • Session management
  • Operating system
  • Network components
  • Insecure direct object references (IDOR)

Hackcontrol produced a prioritized list of recommendations to address the vulnerabilities and improve the client's security.
