Logo
blank Skip to main content
isc-east-logo-header

Meet Apriorit Team

19 – 21 November

Schedule a Meeting

Meet Apriorit at ISC East Conference 2024!

19 – 21 November

|

Javits Center, NYC, USA

Schedule a Meeting
isc-east-logo-header-mob

Meet Apriorit Team

19 – 21 November

Schedule a Meeting

Enhancing Financial Data and Operational Security with a Tezos Wallet and dApp Audit

Blockchain
Security Testing
Fintech
Web3
Wed, 11 August 2021 10:54 am

Share this article

Cryptonomic, a US-based company providing tools and services for blockchain-based financial products, approached Apriorit with a request to audit their Tezos blockchain solutions. Itโ€™s vital to find and fix critical security issues in blockchain-based financial products before their release. Otherwise, the creators of such products risk losing not only time and money but also their reputations and customer trust.

Our team successfully audited a Tezos wallet and a decentralized application (dApp) that consisted of smart contracts, a bot application, and a frontend library. After the audit, we provided the client with a detailed report on discovered vulnerabilities and easy-to-implement recommendations on how to fix them. 

We also offered several non-security-related recommendations aimed at improving the performance of the clientโ€™s dApp and reducing the cost of smart contract operations.

File Icon

Download the PDF version of this case study

2.54 Mb

Contents:

The client

Cryptonomic is a US-based company that creates tools, wallets, and smart contracts for blockchain-based financial solutions. They work with several blockchain networks, including Tezos.

The challenge

The client approached us with a request for blockchain security audit for a crypto wallet application that was recently updated and a new smart contract-based dApp for the Tezos.

As the wallet code had been updated, the client wanted to make sure that all critical data and financial operations the wallet works with remained secure and well-protected.

They also wanted to test their dApp through and through and make sure their smart contracts were flawless before releasing them to the mainnet. 

Want to test the reliability of your smart contracts?

Reach out to Aprioritโ€™s expert testing team for a professional assessment of your contractsโ€™ security, code quality, and resource efficiency, as well as actionable tips for improvements.

The result

After a thorough security audit for the crypto wallet and dApp, the Apriorit team discovered several low- and medium-risk vulnerabilities in the wallet and smart contracts. We also found a logical error in the bot application of the clientโ€™s dApp.

Thanks to timely updates from the Apriorit team, our client was able to eliminate most vulnerabilities shortly after they were discovered. Once we re-checked the fixed code, we provided the client with a detailed report and recommendations on how to address the remaining security issues.

 

The project was successful, helping increase customer confidence in the systemโ€™s security. For a cost-effective fee, Apriorit worked efficiently and delivered excellent results. They communicated well, ensuring their partners felt like they were on the same page throughout the engagement. Read more ยป

 

CTO, Cryptonomic

(Extract from the independent review on Clutch.co)

Our approach

For this project, Apriorit formed a team of competent blockchain developers familiar with the technology stack requested by the client.

Technologies for blockchain audit

We also assigned an experienced project manager to this team to ensure efficient and timely cooperation between our specialists and the client.

After getting familiar with the project, we outlined key security risks for the crypto wallet and dApp to focus on during the audit:

evaluated risks for blockchain audit

For both the wallet and dApp, we outlined four main auditing activities:

  1. Automated static analysis
  2. Manual code review
  3. Unit test coverage analysis
  4. Testing for unexpected behavior
activities for blockchain audit

We also evaluated the overall quality of the source code for each of the audited products. 

The entire process was split into three stages:

stages of blockchain audit

Twice a week, we sent the client a short report with up-to-date information on all discovered security vulnerabilities and their statuses. This way, the client could make a timely decision on whether to fix a certain security issue or not and have us re-check the improved code if necessary.

Letโ€™s briefly go over each of these stages.

Stage 1. Planning and discussion

We started with analyzing the clientโ€™s request and the projectโ€™s specifics, determining the focal points for the audit, and selecting tools and techniques.

For this audit, we outlined several objectives:

  • Evaluate the exposure of the wallet and dApp to known security vulnerabilities
  • Determine potential attack vectors
  • Check if any detected vulnerabilities can be exploited maliciously

Once the preliminary plan and audit schedule were prepared and approved by the customer, we moved to the main stage โ€” running the actual audit.

Read also

Blockchain Attack Vectors: Main Vulnerabilities of Blockchain Technology

Discover which vulnerabilities in blockchain enable common hacking attacks and how to secure your product using our practical advice.

Learn more
Blockchain Attack Vectors: Main Vulnerabilities of Blockchain Technology

Stage 2. Audit of the wallet and dApp

First, letโ€™s take a look at some key points of the wallet audit.

Auditing the blockchain wallet

The client had a desktop wallet application written in TypeScript. Users can use this app to see their balances, send new transactions, and review their operation histories. To connect to the Tezos blockchain network, this wallet uses a custom library. 

We assessed the security of the wallet in three steps:

  1. Performed a general code review, focusing on the analysis of private key exposure risks, smart contract interactions, and external dependencies
  2. Checked the wallet for unexpected behavior
  3. Executed manual attacks based on discovered vulnerabilities
steps of blockchain wallet audit

We audited the wallet application using manual code review and automated static analysis. Once potential vulnerabilities were discovered, we ran manual attacks to check if these vulnerabilities could be exploited by malicious actors.

Auditing the dApp

The clientโ€™s dApp is meant to perform cross-chain atomic swap cryptocurrency exchanges between two blockchain networks: Tezos and Ethereum.

The application has three main components:

  • Ethereum and Tezos smart contracts containing the appโ€™s main logic
  • A frontend library that provides an interface for initializing token exchange
  • A bot application written in JavaScript thatโ€™s responsible for finishing the exchange procedure

To ensure maximum security of the entire dApp, we assessed the security of each component separately:

steps of dapp security audit

As we did when auditing the cryptocurrency wallet, we tested the dApp using manual code review, automated static analysis, and manual attacks based on discovered vulnerabilities.

Our audit showed that the overall quality of the wallet and dApp was high and that the products were mostly secure. However, we did find some low- and medium-risk vulnerabilities in all components except for the frontend library.

blockchain security audit results

Apriorit specialists also discovered an error in the refund logic that wouldnโ€™t cause any security issues but might lead to financial losses in case of high usage of the bot application. 

Additionally, our blockchain specialists discovered that the bot application used an outdated version of the node-fetch dependency. The version used might have contained security vulnerabilities, as the update for it was marked as an important security release.

When auditing the frontend library, our specialists didnโ€™t find any vulnerabilities. However, we discovered other security risks related to the frontend project.

Related project

Smart Contract Security Audit: Penetration Testing and Static Analysis

Explore the real-life case of how our client managed to significantly improve the security and quality of their smart contracts thanks to Apriorit’s thorough audit and detailed report.

Project details

Fixing and reporting

The final stage of the project included three sub-stages:

  • Preliminary reporting
  • Reauditing the fixed code
  • Issuing the final report
reporting on blockchain audit results

Once all planned auditing activities on the clientโ€™s wallet and dApp were finished, we prepared a preliminary report summarizing all information on the discovered vulnerabilities. In the report, we classified all of the vulnerabilities from low-risk to high-risk based on their impact and exploitability and offered suggestions on possible ways to mitigate them.

The client used our report to evaluate the overall state of their products and determine which security issues they wanted to address first.

After the client eliminated all critical vulnerabilities, we once more audited the reworked parts of the code and prepared a final report.

In the report, we outlined the key strengths of the audited product, all discovered vulnerabilities with current statuses (fixed or open), and our recommendations for addressing the security gaps. The report also includes detailed information on the methodologies and risk rating approaches used.

The impact

Regular audits are critical for maintaining a high level of security for sensitive data, especially for companies providing financial solutions. They give you a clear vision of all weaknesses in your product and help you choose the most efficient strategy for eliminating them.

By delegating auditing to Apriorit, Cryptonomic was able to get an objective evaluation of the security of their key products โ€” a blockchain wallet and a dApp โ€” from a team of trustworthy professionals.

Itโ€™s especially important that their smart contract, which was the core of their dApp, was audited before its release to the mainnet. Smart contracts are nearly impossible to change after release. So if you find any code issues after the release, you have two options:

  • Try to apply extremely complex development techniques (which may have severe negative effects on the smart contract itself)
  • Spend extra resources on releasing a new smart contract

Thorough auditing and testing of a smart contract can prevent you from having to make such a choice.

Apriorit specialists also discovered a logical error in the clientโ€™s bot application. Fixing this error will help our client reduce the cost of smart contract operations.

Finally, successfully passing a dApp and crypto wallet security audits was important for our client to build a positive brand image and gain the well-deserved trust of end customers.

Are your smart contracts due for an audit?

Let us plan and perform comprehensive audits to take your smart contract to new levels of security and quality.

Have a question?

Ask our expert!

Maryna-Prudka
Maryna Prudka

R&D Delivery Manager

Tell us about your project

Send us a request for proposal! Weโ€™ll get back to you with details and estimations.

Book an Exploratory Call

Do not have any specific task for us in mind but our skills seem interesting?

Get a quick Apriorit intro to better understand our team capabilities.

Book time slot

Contact us