We recently asked Quantstamp and Consensys to audit the OMG Network to check for low, medium, and high security risks. With the audits now complete, and the reports now out here and here. In our most recent AMA we got Kasima and Vansa to explain what the findings meant in non-technical terms!
- Input validation: In blockchain, transactions are validated via nodes. These nodes verify whether or not transactions are legal (not malicious, double spends etc). Verification is done via complex mathematical formulas and if there is a discrepancy, the transaction is rejected. While our input validation function operated correctly, it also opened the door for someone to craft a certain kind of input that would allow ‘invalid’ inputs to be accepted.
- Unused Code: Let me amend that by saying we’ve removed currently unused code. We had designed a set of features around exchange settlement, but the auditors saw that as unnecessary complexity for the 1st version of our framework, so we took the code out to remove security issues. We still have the option to put the code back in when we want to.
- Denial of service attacks: Another medium-level finding was a denial of service attack on our process exits queue. And that’s because of the way gas stipends were handled. Validating and confirming transactions on the blockchain requires a certain amount of gas (“fee”), depending on the size and type of each transaction. In our case, users would be able to put in play a certain type of contract that would use up all the gas and block the process exits queue. With the process exits queue blocked, users would not be able to withdraw their funds from the system.
- UTXO fragmentation: If your UTXO is lesser than the cost it takes to exit the UTXO, it’s not worth paying the gas for an exit. To bypass that, we now allow people to merge UTXO’s for free. In business-speak, if you have a 25 cent UTXO and the exit cost is more than that, you can merge your 25 with multiple 25’s to turn it into a 1 dollar, and use that dollar to exit instead.
The positives we took from this were how efficiently the team was able to resolve these issues. And the fact that there were no major findings around our protocols that we didn’t know about. We’ll also be involving auditors more iteratively from this point to make the process easier for them and us.