Cellframe: Achieve Succeed In The Blockchain Industry With The Power Of Crowdsourced Security

Explore the security challenges of the blockchain industry that Cellframe has encountered and how they overcame them.

Blockchain operates as a decentralized ledger, which means every participant in the network holds a copy of the entire database. This complexity ensures robustness, security, and transparency, as tampering with a single block becomes virtually impossible. However, as the technology evolves, new consensus mechanisms and smart contract languages continue to emerge, adding layers of intricacy to the blockchain landscape.

Cellframe Network is an open-source platform that builds and connects blockchains and services secured by post-quantum cryptography, providing an environment for enterprises and developers to create a wide range of products, from simple low-level t-dApps to fully featured blockchains on the platform.

According to blockchain industry regulations, companies are required to undergo security testing before launching products on the market. Due to the system's complexity and short evaluation time, many previous vendors could not meet the requirements. With the strength of owning a crowdsourced security platform, CyStack took advantage of solving the problem that Cellframe had presented.

The chosen solutions were Blockchain Protocol Audit and Managed Bug Bounty.

Test object: Custom Applications.

Blockchain Protocol Audit is an assessment including reviewing and analyzing its design, implementation, and security to identify vulnerabilities or weaknesses that can be exploited by hackers. The working process includes:

• Review the documentation: Include the whitepaper, codebase, and any other available document to understand its design and functionality.
• Understand the consensus mechanism: This will help to identify any potential weaknesses in the mechanism that could be exploited.
• Perform code review: Perform a thorough code review of the blockchain protocol, looking for potential vulnerabilities such as buffer overflow, SQL injection, and other common software vulnerabilities.
• Test the code: Use automated testing tools to test the code for potential vulnerabilities, including unit testing, integration testing, and regression testing.
• Perform penetration testing: To simulate a real-world attack on the blockchain protocol, including trying to exploit vulnerabilities identified during the code review and testing.
• Evaluate compliance: To ensure compliance with relevant regulations and industry standards.
• Interoperability testing: Evaluate the blockchain protocol’s compatibility with other blockchain networks and systems, ensuring that the protocol can interact with other systems in the ecosystem.
• Performance testing: Evaluate the blockchain protocol’s performance, including its scalability, gas consumption, and usability.
• Create a report: A detailed report with the audit findings of any vulnerabilities or issues identified, and recommendations for addressing them.
• Provide remediation support: Assist with addressing any issues or vulnerabilities identified during the audit, including guidance on how to remediate the issues.

Penetration Testing solution helps detect security vulnerabilities and weaknesses in applications, including exposure of sensitive data and unsafe communication between client-server. Besides, CyStack experts provided Whitebox Testing, which means open box penetration testing, to simulate an attack where an attacker gains access to a privileged account. This approach can complete open access to applications and systems, which is more comprehensive, faster, and less likely to miss a vulnerability.

However, after careful consideration, CyStack’s expert team recognized both the complexity of the system and the limited implementation timeline, which could affect the accuracy of the testing results. Leveraging the advantage of owning WhiteHub, our crowdsourced security platform, we flexibly utilized this existing strength by launching a bug bounty program to increase the number of experts involved in testing, reduce code review time, and accelerate vulnerability discovery.

Through the Managed Bug Bounty program on WhiteHub, the company received numerous valuable reports and identified vulnerabilities across multiple severity levels. Most notably, the total bounty payouts reached tens of thousands of U.S. dollars.

Remediation efforts focused on eliminating potentially risky components, strengthening source code security, improving error-handling mechanisms, and enhancing control over input data. As a result, the system was significantly reinforced in terms of stability, security, and resilience against exploitation attempts.

The bug bounty program is not just an opportunity to demonstrate our commitment to security to our customers; it’s a place where we honor the contributions of the whitehat hackers in today's digital age. To process the project smoothly and be on time as requested by customers, it is crucial to mention the great efforts of our internal team.

Business Development Team:

• Coordinate with the internal team to ensure customer timeline
• Promote the bug bounty program to attract experts.

Security Engineering Team:

• Focused on addressing critical security risks within the application and conducted a comprehensive source code review to improve the system’s overall security and resilience.

A bug bounty program is a type of crowdsourced security that incentivizes individuals or groups, known as “ethical hackers”, to identify and report security vulnerabilities in a company’s software or systems. Companies offer rewards, such as monetary compensation, swags, or recognition, to ethical hackers who can find and report these vulnerabilities.

The purpose of a bug bounty program is to identify and address security vulnerabilities in a timely and efficient manner, while also providing a safe and secure environment for ethical hackers to report vulnerabilities. It helps organizations improve their security posture and reduce the risk of cyber-attacks and data breaches. It also can be used to test the security of a wide range of systems and applications, including web applications, mobile apps, and IoT devices.

One of the places that regularly opens bug bounty programs is WhiteHub, the first and largest community security platform in Vietnam developed by the CyStack team. WhiteHub supports businesses in launching their bug bounty programs to efficiently find vulnerabilities, with the participation of more than 3000 security experts.

For more information, please visit: https://whitehub.net/

CyStack is a cybersecurity company based in Vietnam since 2017. We offer comprehensive solutions, including testing, security consulting, and managed services. With 200+ businesses and 20,000+ users around the world, we are recognized as a trusted partner for organizations and a strong leading firm in cybersecurity research and development.

For more information, please visit: https://cystack.net/

“We have encountered a few DoS attacks in the past, mostly targeted on our web proxies. The situation was quite complex and we had undergone a challenging process. Fortunately, everything has been handled smoothly.” – said the representative of Cellframe.

“We consider cybersecurity investment to be an important factor in our business development. Enterprises should pay more attention to security issues and take proactive measures to prevent unfortunate incidents.” – Mr. Dmitry Gerasimov, Founder/CEO Cellframe.

“Highly professional team with solid professional skills, comfortable customer support, and understanding of customer needs. We have had more positive experiences working with CyStack and can recommend them to those who want to improve their security.” – Mr. Dmitry Gerasimov, Founder/CEO Cellframe.