Cellframe: Achieve Success In The Blockchain Industry With The Power Of Crowdsourced Security

Exploring the security challenges of the blockchain industry that Cellframe has encountered and how they overcame them.

DEMLABS

Key Findings

  • 17 reports: 16 accepted, 1 rejected. Total reward 78,500 USD, highest 10,000 USD. Detected 2 critical, 11 medium, 1 low vulnerabilities.

Cellframe Network is built with a unique implementation of dual-layer sharding, conditional transactions and multiparty computations. This allows seamless interoperability, as well as fast and economical transactions, all secured by integrated quantum safety measures.

Our client

Blockchain operates as a decentralized ledger, which means every participant in the network holds a copy of the entire database. This complexity ensures robustness, security, and transparency, as tampering with a single block becomes virtually impossible. However, as the technology evolves, new consensus mechanisms and smart contract languages continue to emerge, adding layers of intricacy to the blockchain landscape.

Cellframe Network is an open-source layer-0 platform written in C++. It builds and bridges blockchains and services secured by post-quantum encryption, offering an environment in which enterprises and developers can build a vast array of products, from simple low-level t-dApps to whole other blockchains on top of its network.

According to blockchain industry regulations, companies are required to undergo security testing before launching products on the market. Because of the system's complexity and the short evaluation window, many previous vendors could not meet the requirements. Owning a crowdsourced security platform put CyStack in a position to solve the problem that Cellframe presented.

Solution

The chosen solutions were Blockchain Protocol Audit and Managed Bug Bounty.

Test object: Custom Applications.

A Blockchain Protocol Audit is an assessment that reviews and analyzes a protocol's design, implementation, and security to identify vulnerabilities or weaknesses that attackers could exploit. The working process includes:

  • Review the documentation: Read the whitepaper, codebase, and any other available document to understand the protocol's design and functionality.
  • Understand the consensus mechanism: This helps to identify any potential weaknesses in the mechanism that could be exploited.
  • Perform code review: Perform a thorough code review of the blockchain protocol, looking for potential vulnerabilities such as buffer overflow, SQL injection, and other common software vulnerabilities.
  • Test the code: Use automated testing tools to test the code for potential vulnerabilities, including unit testing, integration testing, and regression testing.
  • Perform penetration testing: To simulate a real-world attack on the blockchain protocol, including trying to exploit vulnerabilities identified during the code review and testing.
  • Evaluate compliance: To ensure compliance with relevant regulations and industry standards.
  • Interoperability testing: Evaluate the blockchain protocol’s compatibility with other blockchain networks and systems, ensuring that the protocol can interact with other systems in the ecosystem.
  • Performance testing: Evaluate the blockchain protocol’s performance, including its scalability, gas consumption, and usability.
  • Create a report: A detailed report with the audit findings of any vulnerabilities or issues identified, and recommendations for addressing them.
  • Provide remediation support: Assist with addressing any issues or vulnerabilities identified during the audit, including guidance on how to remediate the issues.

The Penetration Testing solution helps detect security vulnerabilities and weaknesses in applications, including exposure of sensitive data and unsafe communication between client and server. In addition, CyStack experts provided Whitebox (open-box) penetration testing, which simulates an attacker who has already gained access to a privileged account. Because testers have full access to the applications and systems, this approach is more comprehensive, faster, and less likely to miss a vulnerability.

However, 2 weeks was not enough for CyStack experts alone to ensure the accuracy of the test results. Taking advantage of its crowdsourced security platform WhiteHub, CyStack opened a bug bounty program to increase the number of experts participating in the testing, reducing the time spent reading code and reviewing vulnerabilities.

About Bug Bounty Program

A bug bounty program is a type of crowdsourced security that incentivizes individuals or groups, known as “ethical hackers”, to identify and report security vulnerabilities in a company’s software or systems. Companies offer rewards, such as monetary compensation, swags, or recognition, to ethical hackers who can find and report these vulnerabilities.

The purpose of a bug bounty program is to identify and address security vulnerabilities in a timely and efficient manner, while also providing a safe and secure environment for ethical hackers to report vulnerabilities. It helps organizations improve their security posture and reduce the risk of cyber-attacks and data breaches. It also can be used to test the security of a wide range of systems and applications, including web applications, mobile apps, and IoT devices.

One of the places that regularly opens bug bounty programs is WhiteHub, the first and largest community security platform in Vietnam developed by the CyStack team. WhiteHub supports businesses in launching their bug bounty programs to efficiently find vulnerabilities, with the participation of more than 3000 security experts.

For more information, please visit: https://whitehub.net/

Result

Through the bug bounty program, a total of 17 reports were submitted: 16 accepted and 1 rejected (out of scope). The total reward value reached 78,500 USD, of which the highest single reward was 10,000 USD.

The total number of vulnerabilities detected: 2 critical, 11 medium and 1 low.

How the issues were fixed:

  • Remove dangerous functions
  • Replace the use of unsafe functions in C
  • Check sizes before allocating memory and before using C functions that operate on buffers
  • Develop a better error-handling mechanism to avoid program crashes
  • Closely check user input data before using it
  • Better control of pointer usage in C

Customer Services

The bug bounty program is not just an opportunity to demonstrate our commitment to security to our customers; it is a place where we honor the contributions of whitehat hackers in today's digital age. To deliver the project smoothly and on the timeline requested by the customer, the great efforts of our internal team deserve mention.

Business Development Team:

  • Coordinate with the internal team to meet the customer's timeline
  • Promote the bug bounty program to attract experts

Security Engineering Team:

  • Resolve buffer overflow errors that can lead to DoS attacks, remote code execution, and other uncontrolled application behavior.
  • Review the entire application source code to find and remove other buffer overflow points.
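The remediation items listed under "How the issues were fixed" (replacing unsafe C functions, checking sizes before allocation, validating input before use, handling errors instead of crashing) and the buffer overflow fixes credited to the Security Engineering Team describe one class of change. The C program below is an added illustration written for this page; it is not Cellframe's or CyStack's code. The `NAME_MAX` field size, the one-byte length-prefixed message format, and the sample inputs are constructed for the example and assume nothing about Cellframe's real protocol.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed-size field, as a C program holding node names or message fields
   might use. The value is chosen for this example only. */
#define NAME_MAX 16

/* "Before": the pattern the fix list removes. strcpy() trusts the caller and
   copies until it finds a NUL, so a source longer than NAME_MAX-1 bytes
   overruns dst. Kept only for contrast; nothing below calls it. */
void copy_name_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* "After": bounded copy. Returns 0 on success, -1 if the source (including
   its terminator) would not fit or an argument is invalid. dst is left
   untouched on failure, so callers never see a half-written buffer. */
int copy_name_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    /* Look for the terminator within the destination's capacity only;
       this never examines more than dst_size bytes of src. */
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL)
        return -1;                  /* strlen(src) >= dst_size: no room */
    size_t n = (size_t)(end - src);
    memcpy(dst, src, n + 1);        /* n bytes plus the NUL */
    return 0;
}

/* Size check before allocation: count * elem_size can wrap around and yield
   a tiny block that is later overrun. Modern calloc() guards this itself,
   but the explicit check states the intent and also rejects zero-size
   requests, whose result is implementation-defined. */
void *alloc_array_checked(size_t count, size_t elem_size)
{
    if (count == 0 || elem_size == 0)
        return NULL;
    if (count > SIZE_MAX / elem_size)
        return NULL;                /* product would overflow size_t */
    return calloc(count, elem_size);
}

/* Constructed wire format for this example only: one length byte, then
   that many payload bytes. */
typedef struct {
    uint8_t len;
    char payload[NAME_MAX];
} msg_t;

/* Input validation before use: the declared length is attacker-controlled,
   so it is checked against both the bytes actually received and the output
   buffer. Malformed input yields -1 rather than an out-of-bounds access,
   which is the "error handling instead of crash" point from the fix list. */
int parse_msg(const uint8_t *buf, size_t buf_size, msg_t *out)
{
    if (buf == NULL || out == NULL || buf_size < 1)
        return -1;
    size_t declared = buf[0];
    if (declared > buf_size - 1)
        return -1;                  /* claims more bytes than were received */
    if (declared >= NAME_MAX)
        return -1;                  /* would not fit with a terminator */
    memcpy(out->payload, buf + 1, declared);
    out->payload[declared] = '\0';
    out->len = (uint8_t)declared;
    return 0;
}

/* Exercises the checks on constructed inputs; returns the number of failures. */
int run_self_checks(void)
{
    int failures = 0;
    char name[NAME_MAX];
    msg_t m;

    /* 15 characters plus NUL fit exactly; 16 characters do not. */
    failures += (copy_name_checked(name, sizeof name, "exactly15chars!") != 0);
    failures += (strcmp(name, "exactly15chars!") != 0);
    failures += (copy_name_checked(name, sizeof name, "exactly16chars!!") != -1);

    failures += (alloc_array_checked(SIZE_MAX, 2) != NULL);
    void *p = alloc_array_checked(4, 8);
    failures += (p == NULL);
    free(p);

    /* Constructed messages: a well-formed one and one whose length byte lies. */
    const uint8_t good[] = { 5, 'h', 'e', 'l', 'l', 'o' };
    const uint8_t lying[] = { 200, 'a', 'b' };
    failures += (parse_msg(good, sizeof good, &m) != 0);
    failures += (strcmp(m.payload, "hello") != 0);
    failures += (parse_msg(lying, sizeof lying, &m) != -1);
    return failures;
}

int main(void)
{
    int failures = run_self_checks();
    printf("%d check(s) failed\n", failures);
    return failures != 0;
}
```

Each hardened routine returns an error code the caller must handle rather than aborting or trusting the input, which is what turns a crash (the DoS outcome mentioned above) into a rejected message. The same shape applies to other length-carrying inputs: check the declared size against what was actually received and against the destination before a single byte is copied.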

About CyStack

CyStack is a cybersecurity company based in Vietnam, founded in 2017. We offer comprehensive solutions, including testing, security consulting, and managed services. With 200+ businesses and 20,000+ users around the world, we are recognized as a trusted partner for organizations and a leading firm in cybersecurity research and development.

For more information, please visit: https://cystack.net/

Quotes

“We have encountered a few DoS attacks in the past, mostly targeted on our web proxies. The situation was quite complex and we had undergone a challenging process. Fortunately, everything has been handled smoothly.” – said the representative of Cellframe.

“We consider cybersecurity investment to be an important factor in our business development. Enterprises should pay more attention to security issues and take proactive measures to prevent unfortunate incidents.” – Mr. Dmitry Gerasimov, Founder/CEO Cellframe.

“Highly professional team with solid professional skills, comfortable customer support, and understanding of customer needs. We have had more positive experiences working with CyStack and can recommend them to those who want to improve their security.” – Mr. Dmitry Gerasimov, Founder/CEO Cellframe.
