Security Services For E Money Network Blockchain

Score:
9.3 /10

Overview

Our goal at Blaize.Security is to secure blockchain ecosystems, starting with the foundation: the blockchain itself. Recently, we completed several stages of security services for the E Money Network, beginning with a blockchain security audit. E Money Network is a Cosmos-based blockchain that uses Evmos for EVM support. We worked directly with the blockchain node: auditing the natively developed Cosmos SDK modules that implement network regulation, checking the integrity of the EVM layer, and reviewing the governance and validator mechanisms implemented on the Cosmos side of the chain.

Services: Blockchain infrastructure improvement, Blockchain protocol audit, Blockchain upgrade procedures, Post-audit patching
Technologies: Cosmos, Evmos

Task

During the audit, we reviewed the E Money Network codebase through several parallel streams:

1) Review of the standard vulnerable areas, including but not limited to:

  • Storage structure, stored data structure
  • Public interfaces and restrictions
  • Communication flow and interfaces between different modules
  • Global settings of the protocol and local settings of each module, the default settings, and misconfiguration risks
  • Modules co-dependencies and 3rd-party dependencies
  • Denial-of-Service (DoS) attack surfaces
  • Order-dependency and time-dependency of operations
  • Validations of parameters of functions/methods/messages and return values
  • Golang language-specific checks

and other potential vulnerabilities and attack vectors;

2) Protocol-specific checks: decomposition of the business logic to find loopholes, deadlocks, hidden backdoors, incorrect math and calculations, malicious code injections, and other flow-related issues.
This stage covered all main components of the protocol:

  • structure of the Regulation and Lock modules, their implementation against Cosmos SDK practices, correct settings, and public interfaces
  • the genesis of the blockchain, including a check of correct genesis values for both modules and their consistency with the core chain genesis initialization and genesis export procedures
  • storage export via standard Cosmos flows
  • validators’ onboarding flows, their regulation within the logic of the audited modules
  • correctness of Evmos integration
  • the integrity of the storage

and other key areas of the protocol;

3) Several rounds of manual tests of the protocol on a privately deployed network, including verification of transactions on both the Cosmos and EVM sides;

4) Our own internal security checklists, additionally verified during the testing stage.

Later, the scope was extended to include post-audit procedures and support:

  1. Post-audit patching of several discovered issues, implementing the recommendations provided during the audit
  2. Assistance with upgrading the supported Evmos version to Evmos 12.1.6
  3. Implementation of up-to-date network upgrade flows (at the testnet level), including corrections to storage exporting, initialization of the network from a new genesis, and Cosmovisor flow integration
  4. Patching of the testnet launch mechanism, including an upgrade of the node container.
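As an added illustration of the genesis checks listed above (correct values for each module's genesis and their consistency with the genesis export and re-initialization flows used during an upgrade), the following Go program is example code written for this page; it is not E Money Network's or Blaize's code. The module, its field names (`max_allowlist_size`, `allowlist`, `status`), the accepted status values, and the sample genesis documents are all constructed assumptions, and it uses only the standard library rather than the Cosmos SDK so that it runs offline.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Hypothetical genesis state for an allowlist-style regulation module.
// Field names and status values are assumptions for illustration only.
type Params struct {
	MaxAllowlistSize uint64 `json:"max_allowlist_size"`
}

type AllowlistEntry struct {
	Address string `json:"address"`
	Status  string `json:"status"` // assumed values: approved, pending, revoked
}

type GenesisState struct {
	Params    Params           `json:"params"`
	Allowlist []AllowlistEntry `json:"allowlist"`
}

var validStatuses = map[string]bool{"approved": true, "pending": true, "revoked": true}

// DefaultGenesis is the state a fresh chain starts from when no module state
// is supplied; it must itself pass Validate or a new testnet cannot boot.
func DefaultGenesis() *GenesisState {
	return &GenesisState{Params: Params{MaxAllowlistSize: 1000}}
}

// Validate plays the role of a Cosmos SDK module's ValidateGenesis: it runs
// before InitGenesis and must reject what InitGenesis would otherwise accept
// silently (duplicate keys overwrite each other in the store, an empty
// address becomes an empty key, a zero limit locks every user out).
func (gs *GenesisState) Validate() error {
	if gs.Params.MaxAllowlistSize == 0 {
		return errors.New("params: max_allowlist_size must be > 0")
	}
	if uint64(len(gs.Allowlist)) > gs.Params.MaxAllowlistSize {
		return fmt.Errorf("allowlist: %d entries exceed max_allowlist_size %d",
			len(gs.Allowlist), gs.Params.MaxAllowlistSize)
	}
	seen := make(map[string]struct{}, len(gs.Allowlist))
	for i, e := range gs.Allowlist {
		if e.Address == "" || strings.TrimSpace(e.Address) != e.Address {
			return fmt.Errorf("allowlist[%d]: empty or unnormalised address %q", i, e.Address)
		}
		if !validStatuses[e.Status] {
			return fmt.Errorf("allowlist[%d]: unknown status %q", i, e.Status)
		}
		if _, dup := seen[e.Address]; dup {
			return fmt.Errorf("allowlist[%d]: duplicate address %s", i, e.Address)
		}
		seen[e.Address] = struct{}{}
	}
	return nil
}

// ValidateGenesisJSON mirrors the node's start-up path: decode the module's
// section of genesis.json, then validate. Unknown fields are rejected so a
// misspelled key cannot quietly fall back to the zero value.
func ValidateGenesisJSON(raw []byte) (*GenesisState, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields()
	var gs GenesisState
	if err := dec.Decode(&gs); err != nil {
		return nil, fmt.Errorf("decode: %w", err)
	}
	if err := gs.Validate(); err != nil {
		return nil, err
	}
	return &gs, nil
}

// ExportRoundTrip checks the property an "export genesis, restart from it"
// upgrade relies on: the export is canonical (sorted), passes Validate, and
// re-imports to byte-identical JSON.
func ExportRoundTrip(gs *GenesisState) ([]byte, error) {
	exported := *gs
	exported.Allowlist = append([]AllowlistEntry(nil), gs.Allowlist...)
	sort.Slice(exported.Allowlist, func(i, j int) bool {
		return exported.Allowlist[i].Address < exported.Allowlist[j].Address
	})
	out, err := json.Marshal(&exported)
	if err != nil {
		return nil, err
	}
	reimported, err := ValidateGenesisJSON(out)
	if err != nil {
		return nil, fmt.Errorf("export does not re-import: %w", err)
	}
	again, err := json.Marshal(reimported)
	if err != nil {
		return nil, err
	}
	if !bytes.Equal(out, again) {
		return nil, errors.New("export is not canonical: re-import changed the JSON")
	}
	return out, nil
}

func main() {
	// Constructed samples: one valid genesis section and one with a duplicate.
	good := `{"params":{"max_allowlist_size":10},"allowlist":[{"address":"addr-b","status":"approved"},{"address":"addr-a","status":"pending"}]}`
	dup := `{"params":{"max_allowlist_size":10},"allowlist":[{"address":"addr-a","status":"approved"},{"address":"addr-a","status":"revoked"}]}`
	for _, raw := range []string{good, dup} {
		if _, err := ValidateGenesisJSON([]byte(raw)); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("accepted")
		}
	}
}
```

In a real Cosmos SDK module the first function corresponds to the module's ValidateGenesis hook, which the application runs over every module section before InitGenesis, and the round trip corresponds to exporting state and then starting a new network from the exported genesis, which is exactly the step the Cosmovisor-based upgrade flow depends on; if export order is nondeterministic or the exported state fails its own validation, the upgraded chain halts at startup.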

Protocol Overview

Basic Workflow

The diagram shows the Lock module flow of the E Money Network protocol, one of the logic-decomposition streams the team worked on.


E Money Network is a public permissioned blockchain that offers MiCA-compliant infrastructure and integrates KYC and AML processes on-chain, which lets it offer bank-grade services. It uses the most popular Cosmos-based stack for EVM-compatible networks: the native Cosmos SDK and Tendermint for the Cosmos side of the chain, and Evmos for the EVM side.

Our audit focused on the E Money Network chain, implemented in Go on the Cosmos SDK. The scope included the Regulation and Lock modules of the chain, which are responsible for user registration and validator onboarding respectively. Auditors also worked on the chain itself, through several manual exploratory testing rounds over a locally deployed private version of the network. This allowed them to test the full validator onboarding flow, governance mechanisms, user allowlisting, and both Cosmos and EVM transactions. The audit covered the testnet version current at the time.

The primary objective was to identify and describe any security issues in the codebase, and to decompose and validate the business logic in search of logic flaws and missed edge cases. The team worked from the Cosmos side of the chain, but also checked the integrity of the EVM-layer integration. The audit scope therefore included validation of the implementation itself, review of the business logic, system analysis of the protocol, in-depth line-by-line code review, and several rounds of testing using different techniques.

At the final audit stages, the scope was extended to include the security team's assistance with resolving the findings: the team provided a round of post-audit patching for the discovered issues, together with improvements to the chain upgrade pipeline.

Blockchain Security Audit Procedure

Our audit process consisted of a manual stage and a testing stage:

Manual Audit Stage

  • Manual line-by-line code review by two security auditors, with cross-checks and validation by the security lead;
  • Vulnerabilities analysis against several checklists, including internal Blaize.Security checklist;
  • Business logic inspection;
  • Protocol decomposition and components analysis with building interaction schemes and sequence diagrams;
  • Storage usage and integrity review;
  • Global protocol settings and local module settings review;
  • Math operations and calculations analysis;
  • Analysis of the interfaces and their restrictions, both public and internal (cross-module);
  • Access control and roles structure review;
  • Review of dependencies, 3rd parties, and integrations;
  • Code quality, documentation, and consistency to best practices review.

Testing Stage

  • Development of edge cases based on manual stage results;
  • False positives validation;
  • Integration tests for checking connections with 3rd parties;
  • Manual exploratory tests over the locally deployed protocol;
  • Checking the existing set of tests and performing additional unit testing;
  • Tests against the integrity of the storage;
  • Exploratory tests of transactions on both the Cosmos and EVM sides;
  • Node upgrade testing.

Upon completion of the audit, we delivered a comprehensive blockchain security analysis report to the E Money Network team. This report included:

  • Identified risks
  • Potential mitigations
  • Detailed vulnerability assessments
  • Recommendations for improvements

Post-Audit Services

  • Post-audit patching of the discovered issues
  • Integration of the up-to-date node upgrade pipeline
  • Upgrade of the supported Evmos module
  • Upgrade of the node launch container and procedures

Audit Result

The Blaize.Security team confirmed that the E Money Network blockchain, in its current testnet state, meets a sufficient security level; thus the protocol successfully passed the security audit.

During the audit, the security team discovered several issues of different risk levels, from missed edge cases and outdated dependencies up to chain-level issues. The E Money Network team verified or resolved most of them, and the security team provided patches for several issues related to genesis state validation and the Evmos upgrade. Note, however, that the chain is currently an alpha testnet (upgraded to a beta testnet after the audit); some security measures are therefore less strict, and some issues are deferred to the next iteration.

The E Money Network chain successfully passed the security audit, and the security team noted the high level of cooperation from the E Money Network side and its willingness to make the necessary codebase improvements. Several patches provided by the security team were accepted by the EMC team, along with recommendations on the chain upgrade procedure. The security team does, however, recommend adding more documentation, especially function-level documentation comments, and improving the native test suite.


In conclusion, the E Money Network chain implementation demonstrates a high level of security, rated by Blaize as Highly Secure with a score of 9.3 out of 10. From all points of view, the protocol shows high compliance with security standards. Although this result applies to the codebase itself, the running testnet will reach the same level of security only after the upgrade; the E Money Network team has already planned the upgrade from the current alpha version to the beta testnet with all improvements included.


Get in Touch

Your blockchain dreams deserve top-tier security. Let's secure them together with our team of certified blockchain security professionals.
Get consulting on Web3 security from top-tier security researchers and auditors. Contact us, and let's fortify your decentralized future.