In today's landscape, security is more important than ever. That's why C3.io recently commissioned a security audit by Halborn, one of the leading blockchain security firms in the world.
- The Halborn audit found no significant security vulnerabilities in C3.io's platform. This is a testament to C3.io's commitment to security and its focus on protecting its users’ funds.
- The Halborn audit was not just a cursory check but a profound examination of every facet of C3.io's platform. From the code and infrastructure to overarching security practices, everything was scrutinised to ensure utmost protection for its users.
- With two seasoned security engineers dedicated for an entire month, Halborn brought its top-tier expertise to thoroughly assess every nook and cranny of C3.io's platform.
Could you tell me a little bit about Halborn?
Halborn is a leading blockchain security firm that helps organizations secure their Web3 applications, infrastructure, and assets. Halborn's team of experts has a deep understanding of the unique security challenges facing the blockchain industry and is committed to helping clients protect their users and assets. Halborn has worked with some of the biggest names in the blockchain industry, including Solana, Polygon, and Sushiswap. Halborn is committed to helping the blockchain industry grow and thrive by making it a safer place for everyone.
How was the audit conducted?
The security audit of the PyTeal smart contracts was a detailed process, commissioned by C3 and conducted by Halborn. Spanning from July 20th, 2023, to August 9th, 2023, the primary focus of the assessment was the vesting module of the contracts provided to Halborn.
For the assessment, Halborn dedicated two full-time security engineers for an entire month. These engineers were not just any professionals; they were specialists with a profound knowledge of blockchain and smart-contract security. Their expertise ranged from advanced penetration testing and smart-contract hacking to an in-depth understanding of multiple blockchain protocols. The objective of this meticulous audit was twofold: to ensure the flawless operation of the smart contracts as intended and to spotlight potential security vulnerabilities within the PyTeal smart contracts.
To achieve these objectives, Halborn employed a combination of manual and automated security testing techniques. The process began with research to understand the architecture and purpose of the smart contracts. This was followed by static analysis, probably using tools like semgrep, which automatically scanned the codebase for known security vulnerabilities without executing it. A manual assessment then provided a hands-on examination of the codebase, targeting vulnerabilities that might elude automated tools. Verification of the codebase's correctness ensured it was both logically and functionally accurate. Finally, dynamic analysis was employed, in which the smart contracts and related files were executed to identify any vulnerabilities that manifested at runtime.
The identified vulnerabilities were then categorized using a well-defined risk-assessment framework. This framework combined Exploitability, which gauges how easily a vulnerability can be exploited, with Impact, which describes the consequences of a successful exploit. To further refine the assessment, a Severity Coefficient was introduced. Its factors, Reversibility and Scope, capture whether an exploit's impact can be reversed and how far it reaches, respectively. For clear presentation, a scoring system was established in which vulnerabilities were scored from 0 to 10, with 10 being the highest possible risk. This scoring gave a clear understanding of the gravity of each vulnerability.
The final audit report detailed the specific vulnerabilities, categorized by severity. It also documented the remediation actions undertaken by the C3 team, complete with dates, offering insight into the proactive measures taken in response to the findings.
What were the findings?
During the security audit conducted by Halborn for C3, some vulnerabilities were identified across varying levels of severity. Notably, while there were no critical vulnerabilities found, two were classified as high, three as medium, three as low, and ten as informational. The majority of these vulnerabilities were addressed and rectified by the C3 team, demonstrating our proactive approach to ensuring robust contract security. A few vulnerabilities were acknowledged for future action or were deemed informational, indicating areas for potential improvement rather than immediate threats.
If you want to read more about the recent audit, please read the executive summary here.