Halborn Penetration Testing and Security Auditing
Service Details and Scope of Work
Client has communicated the need for penetration testing and security auditing of the THORNode stack, a Tendermint-based chain, a front-end application, and a serverless backend that supports application functionality. Any penetration testing services performed throughout this engagement will be an active, hands-on engagement performed by the Halborn team using deep security inspection to identify critical vulnerabilities before they are exploited by adversaries in the real world. The penetration test will simulate the activities and tactics typically performed by threat actors to ensure the client reduces its exposure for the assets in scope. Client understands that, if critical issues are discovered, there is a risk that availability may be temporarily impacted.
Penetration Testing and Security Auditing
- Cross-chain Interactions and Signer (Bifröst) and THORChain vaults:
- Test for correct handling of finality and fork resistance (ErrataTx events) on various chains.
- Testing state machine processes (ordering transactions, computation of state changes, and delegation to outbound vaults).
- Review the block-scanner for error handling and correctness.
- Review threshold multisig implementation.
- Test for exploitable interaction with UTXO and EVM chains.
- Blockchain edge cases and transaction anomalies (low gas, block re-orgs, suspicious tokens).
- Testing the security of inbound and outbound vaults (Asgard TSS and Yggdrasil).
- Fetching, messaging, and interactions from the client-side extension.
- Proxy and Aggregator components.
- Other daemon interactions identified.
Web Application Testing
- Perform code review and penetration testing against the Midgard layer 2 REST API and the 'thor-api'.
- The scripts, transactions, and posts that are injected between the Client interface and the backend components interacting with blockchain RPCs.
- Client-side code developed by THORChain.
- Any key, address data, transaction history, or other PII that is stored on the client side, or within browser databases, sessions, or localStorage.
Contract and Module Testing
- Testing of relevant Cosmos / Tendermint / EVM modules for issues.
- Churning / ygg.
- Funding / rescheduling.
- Swaps / liquidity functions.
- Other contract functions identified.
- Solidity router.
- Vault contracts.
- Vault handling.
Infrastructure and Architecture
- Review the Terraform and Kubernetes deployment scripts.
- Thor-gateway proxy.
- Deploy a full cluster, and perform active penetration tests against the systems.
- Identify any weaknesses around key management within clusters.
To conduct an effective test, prior to starting the engagement, the Client will provide Halborn with:
- Deployment steps or instructions to successfully deploy a node or the necessary infrastructure in scope for testing.
- If necessary, a video or instructional demonstration of normal use or operation of the scoped assets.
- The list of the application or server/node endpoints and website/server assets in scope.
- The list of the specific web applications/APIs and URLs to be tested for the authentication asset and web application.
- If applicable, the list of specific IP addresses and/or web applications that need to be excluded from testing.
- The points of contact to escalate issues, or troubleshoot and to log or track issues.
- Credentials to access targets, if needed.
- API methods, subdomains/URLs, and other locations of interest.
- Infrastructure details/versions/configurations/platforms of target assets.
- Access to source code repository as necessary.
- Source code in scope for target assets web components.
- API definitions (e.g. Swagger/OpenAPI/Postman collections).
- Any other technical information deemed necessary for a whitebox audit.
Results and Conclusion Reports
During the test, Halborn will update the internal THORChain team with necessary details or findings, primarily through communication in a shared private channel. Findings may also be communicated verbally or through email if more information is required. At the end of the engagement, a report will be created covering all service areas, with risks, vulnerabilities, steps taken, and remediation recommendations.
Testing Disclosures
Halborn will use and leverage many penetration tools and tactics used in offensive security engagements, and Client should be aware of possible adverse results in each. Clients should disclose to Halborn any boundaries or issues with assets. Because phishing is in scope,
More details on potential testing impact:
- Client understands that default, vendor-supplied username and password combinations are tested during these scans based on the service detected and may result in locked accounts.
- Client understands that the load on systems and networks may increase during testing.
Web Application and APIs
- Client understands that all URLs identified by the tool will be tested. All identified forms will be submitted multiple times to properly test for injection-type vulnerabilities.
- Client understands that these tests could generate emails and/or miscellaneous information submitted in form fields and other input fields.
- List specific directories, URLs, or forms that need to be blacklisted (excluded) from web application testing (if any).
- Client understands that scanning could increase the size of server logs and result in increased load on the application.
- Client understands that limited password guessing may be performed against user accounts or keys that are collected during testing.
- Client understands that testing could result in files being created and/or modified on target systems.
- Client understands that certain exploits, such as buffer overflows, could result in target systems or services being disrupted.
- Client understands that Service Provider may retrieve encrypted/hashed Client passwords and attempt to crack them to obtain the clear-text values.
- Client understands that Halborn may download specific columns and tables from the databases and attempt to extract sensitive information.
Halborn will attempt to clean up remnants of testing tools and payloads (files, services, etc.) that were used during the penetration testing activities.
Logistics
- Notification Preferences: Halborn will communicate with Client through the Telegram messaging platform as well as email, Slack, and phone. The list of individuals to be notified and the communication preference for notification shall be identified prior to the engagement.
- Frequency and timing of status updates: Weekly
- Source IP address of Testing (if required): To be provided by Halborn.
- HALBORN INC Key Contacts / Call Chain
Cost of Service
Client agrees to utilize Halborn for the SOW as written in this contract during the term of this Agreement for the Services to be rendered under this Agreement, and agrees to pay Halborn $50,000 USD worth of USDC and 10,000 $RUNE, payable at the start of the engagement.