Today, at Grin's request, we are making public Coinspect’s Grin security audit report, which fully describes the engagement scope, our findings, and Grin’s remediations.
During February 2019, Coinspect conducted a security audit of the Grin project’s MimbleWimble blockchain implementation.
After the Grin team fixed all the findings reported, Coinspect verified its remediations during the months of August and September 2019.
The following areas of the code were selected by Grin as the main focus for this engagement and were reviewed:
- Grin core crate
- Grin keychain crate
- Grin chain crate
- Grin wallet crate
The objectives of the assessment included, but were not limited to, identifying the following types of security vulnerabilities: full system compromise, denial of service attacks, information disclosure, network protocol weaknesses, input validation, and misaligned incentives in consensus rules.
As a result of the Coinspect audit, several issues were discovered:
All these findings have been properly addressed by the Grin team and their fixes verified to be correct by Coinspect.
Most vulnerabilities described in the report can be grouped into the following categories, and special care should be taken to prevent these patterns from appearing again in the codebase:
- Directory path traversal leading to remote code execution
- Memory corruption vulnerabilities in unsafe code blocks located in third-party libraries
- Denial of service caused by Rust panics, expects, and unhandled error conditions
- Synchronization process denial of service caused by out-of-order P2P messages
- Storage-based denial of service caused by failure to clean up temporary files
- Node censorship through node ban feature abuse
- Failure to ban ill-behaved nodes leading to CPU-based denial of service
- Lack of validation of orphan blocks
- Insecure file handling leading to local privilege escalation
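Two of the patterns above (path traversal from untrusted filenames, and denial of service from panics on unexpected input) are illustrated by the following Rust helper. It is an added example written for this post, not code from the report or from the Grin project: the base directory and filenames are constructed values, and the function name `safe_join` is an assumption. It joins a peer-supplied filename onto a trusted directory, rejects any component that could escape it, and reports problems through `Result` rather than `unwrap`/`expect`, so a malformed network input cannot take the node down.

```rust
use std::path::{Component, Path, PathBuf};

/// Reasons an untrusted filename is rejected before it touches the filesystem.
#[derive(Debug, PartialEq)]
pub enum PathError {
    Empty,
    Absolute,
    Traversal,
}

/// Join an untrusted, peer-supplied filename onto a trusted base directory.
///
/// Every component is inspected: absolute paths, root components and `..` are
/// refused outright, while `.` is dropped. Errors are returned, never panicked
/// on, so the caller decides how to handle a hostile peer (e.g. ban it).
pub fn safe_join(base: &Path, untrusted: &str) -> Result<PathBuf, PathError> {
    if untrusted.is_empty() {
        return Err(PathError::Empty);
    }
    let candidate = Path::new(untrusted);
    if candidate.is_absolute() || candidate.has_root() {
        return Err(PathError::Absolute);
    }
    let mut out = base.to_path_buf();
    for comp in candidate.components() {
        match comp {
            // Ordinary name such as "kernel.bin": keep it under the base.
            Component::Normal(part) => out.push(part),
            // A leading "./" is harmless; just skip it.
            Component::CurDir => {}
            // Anything that walks upward or re-roots the path is traversal.
            Component::ParentDir | Component::RootDir | Component::Prefix(_) => {
                return Err(PathError::Traversal)
            }
        }
    }
    Ok(out)
}

fn main() {
    // Constructed sample inputs, as a peer might send them in a file name field.
    let base = Path::new("/tmp/node-data");
    for name in ["kernel.bin", "../../etc/passwd", "/etc/passwd", "sub/../../x"] {
        match safe_join(base, name) {
            Ok(p) => println!("accepted {name:?} -> {}", p.display()),
            Err(e) => println!("rejected {name:?}: {e:?}"),
        }
    }
}
```

Checking components rather than string-matching `..` is deliberate: it also catches prefixes and root components the platform's `Path` parser recognises, and it keeps the decision in one place where a unit test can pin it down.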
It is worth noting that even though the project was coded in Rust, the audit team found vulnerabilities that resulted in remote code execution and memory corruption.
Additionally, during the engagement, Coinspect identified the following high-level weaknesses and suggested them as future work goals in order to improve the overall security of the project:
- Rust third-party dependencies
- Transaction pool and new eviction policy
- Transaction and block processing time
- Transaction creation workflow
Further detailed suggestions can be found in the full report.
Overall, Coinspect found the project source code to be clearly organized and readable. Most design and implementation decisions were oriented toward maintaining simplicity and were documented. We believe the Grin team has clearly made security a top priority concern in its project development.
Finally, we would like to highlight the Grin team’s prompt and transparent response to the only critical vulnerability we found, which resulted in an almost immediate fix and Grin’s disclosure of CVE-2019-9195.