Vayana Weaves Success by Connecting a Network of 300,000+ Enterprises with Smart Contract Audit

With a proactive security mindset, Vayana has built customers' trust and maintained its position as one of the leading technology companies in India, thanks to Smart Contract Audit.


Key Findings

  • Discovered 4 security issues: 1 medium, 1 low, 2 informational.

  • Fixes:

  • Medium: Potential denial of service by block gas limit. Bounded the loan arrays and spread long-running loops over multiple transactions.

  • Low: Missing zero address validation in changeFactory. Added a zero-address check before the new factory is used.

  • Info: Floating pragma and boolean equality comparisons. Pinned the compiler version and used boolean values directly.

  • CyStack recommends: lock the compiler version, validate every address input, and avoid unbounded loops over storage arrays.


Vayana requested CyStack to perform an audit of their smart contract. The auditing team conducted the audit between November 2, 2023, and November 10, 2023, with four engineers. The auditing process evaluated the code implementation against the provided specifications, examined language-specific issues, and performed a manual examination of the code. The focus of this audit was to verify that the smart contract is secure, resilient, and works properly according to the specs.


Our client

Vayana, inspired by the Sanskrit word for ‘weaving’, is the largest supply chain finance platform in India, providing trade support and trade credit solutions for all levels of the supply chain. Financing more than $14 billion each year, with more than 200,000 businesses across more than 1,000 supply chains, Vayana is the preferred partner in the supply chain finance industry.

Vayana connects businesses and their commercial ecosystems, providing easy access to digital credit, allowing banks and institutions to lend with reduced risk, lower costs, and no additional investment or process changes are needed for anyone. With its proprietary technology, Vayana has processed over 3 million transactions worldwide, spanning across 600 cities in India and expanding to 23 countries globally.

Vayana Debt Platform (VDP) is a comprehensive blockchain-based lending operating system for digital currencies, token deposits, CBDC and fiat. With VDP, Vayana aims to enable regulated or alternative lenders and other credit investors to lend to businesses on a blockchain, harnessing smart contracts to fully digitize their lending operations.

With a deep awareness of the importance of customer data security, especially since the VDP application handles many types of sensitive financial information about individuals and organizations, Vayana understood that security testing was a necessary step for business development.

Solution

As VDP is a significant project that represents a new milestone in fostering business activities, Vayana has extensively searched and evaluated numerous entities both within and outside India to ensure the attainment of optimal outcomes through cooperation. Prior to making the final decision, Vayana diligently conducted research on critical aspects requisite for a security unit, including workflow, level of support, and the expertise and experience of their professionals.

Vayana meticulously assessed CyStack's workflow, encompassing their approach, testing procedures, as well as security risk evaluation, both during and after deployment. Of particular interest to Vayana was CyStack's proficiency and experience in the security domain, as it is crucial for the protection of the substantial volumes of sensitive data belonging to VDP customers.

Vayana proactively researched and proposed a white-box Smart Contract Audit for the VDP application.

In a white-box audit, the client gives the auditors the same access an insider with privileged credentials would have: CyStack's experts work directly from Vayana's full application source code, deployment configuration and design documentation, rather than probing the system from the outside. This gives a comprehensive, in-depth understanding of the system's structure and of each contract's code path. Combining static analysis of the source with dynamic testing of every component makes it much harder to overlook a vulnerability, and it is considerably faster than black-box testing, which has to rediscover the system's structure before it can test it.

Test object: VDP Digital Assets Lending Platform smart contract. Vayana provided the source code to CyStack's experts for assessment.

Test scope:

  • SLOC: 2700
  • Programming language: Solidity

Implementation time: From November 2, 2023 - November 10, 2023

First, it is necessary to understand what a smart contract is. Smart contracts are self-executing programs deployed on a blockchain. They automate transactions and enforce the terms of an agreement in code, which every node executes identically.

While blockchain technology is designed with security as a priority, no system is entirely infallible. There are still certain security challenges associated with blockchain technology, including:

  • Smart contract vulnerabilities: Smart contracts, which are self-executing contracts with the terms of the agreement written directly into code, can contain vulnerabilities that attackers exploit. Because deployed code is immutable and handles funds directly, this is especially dangerous when the code has not been thoroughly audited or properly tested.
  • 51% attack: A group of attackers gains control of the majority of a network's hash rate (or of its staked value in proof-of-stake networks), allowing them to censor transactions or reorganize recent blocks and reverse payments that appeared confirmed.
  • Sybil attack: A malicious actor creates many identities or nodes to gain disproportionate influence over the network, for example over peer connections, governance votes or reputation systems, without necessarily holding more computational power.
  • Double-spending: An attacker gets two conflicting transactions that spend the same funds accepted, typically by having a competing chain or a reorganization replace the block that contained the first payment after the recipient has already acted on it.
  • Privacy and data leakage: Everything written to a public blockchain is readable by everyone, permanently. Sensitive personal or financial data stored on-chain, even in a field marked private, is exposed to anyone who reads the state.
  • Side-channel attack: An attack that exploits information outside the main communication channel, such as power consumption, timing or electromagnetic emissions, typically targeting the wallets, signing servers or hardware that hold private keys.

These are just a few examples of the security challenges that blockchain technology faces. The emergence and evolution of threats are inevitable, and security experts and developers are continuously working to identify and mitigate them. However, businesses must adopt a comprehensive approach to address these issues, starting with implementing initial security measures to protect their blockchain technology systems through Smart Contract Audit.

Smart Contract Audit involves a thorough evaluation of the source code of smart contracts to ensure their correct operation, security, and absence of internal vulnerabilities that could compromise shared data. This process typically includes a comprehensive analysis of the smart contract's design, implementation, and security mechanisms within the source code, as well as testing and analysis to identify potential issues.

By conducting a security assessment with a reputable third party, developers demonstrate their genuine concern for security issues and the reliability of smart contracts, thereby enhancing their credibility and reputation within the blockchain community. This can be crucial in attracting investors and partners. Moreover, Smart Contract Audit projects also help ensure that the source code meets and complies with relevant standards and regulatory requirements, if applicable.

During a smart contract audit, the following classes of vulnerability are tested for, among others:

  • Reentrancy: A contract makes an external call (for example, sending Ether to the caller) before updating its own state, so the callee can call back into the contract and repeat the withdrawal before the balance is zeroed.
  • Unchecked call return value: Low-level call, send and delegatecall return false on failure instead of reverting. If the result is ignored, a failed transfer is treated as a success and the contract's accounting drifts away from reality.
  • Unchecked user input: Parameters such as amounts, addresses and array indices are used without validation, so out-of-range values or the zero address can corrupt state or lock funds.
  • Unchecked math operations: Arithmetic inside unchecked blocks, or in contracts compiled with Solidity before 0.8, silently wraps on overflow or underflow and produces unintended balances.
  • Unchecked external calls: A contract calls an untrusted contract without bounding what it can do, such as re-entering, consuming all forwarded gas, or reverting to block the caller's progress.
  • Integer overflow and underflow: The same wrap-around failure seen when very large numbers or subtraction below zero are not handled. Solidity 0.8 and later revert by default, but explicit downcasts (for example uint256 to uint128) still truncate silently.
  • Unsecured data storage: Secrets or personal data written to contract storage are readable by anyone, because all blockchain state is public regardless of the private keyword.
  • Timestamp dependence: block.timestamp can be shifted by the block producer within a small window, so it must not decide outcomes that a few seconds of drift could change.
  • Unsecured randomness: Values such as blockhash, block.timestamp or block.prevrandao are visible or influenceable before the transaction executes, so an attacker can predict the "random" result.
  • Access control: Privileged functions (minting, upgrades, parameter changes, fund withdrawal) lack an ownership or role check, allowing any caller to invoke them.

CyStack can audit smart contracts on numerous blockchain networks or chains, such as:

  • Ethereum: The most popular blockchain network that supports smart contracts written in Solidity or Vyper, which is a Python-like programming language.
  • BNB Smart Chain (BSC), previously Binance Smart Chain: A blockchain network that runs in parallel to the BNB Beacon Chain and supports smart contracts written in Solidity.
  • TRON: An open-source public Ethereum-compatible blockchain platform that supports Solidity smart contracts.
  • Polygon, formerly Matic Network: A sidechain scaling solution that runs alongside the Ethereum blockchain with smart contracts written in Solidity or Vyper.
  • Avalanche: An open-source platform that features 3 built-in blockchains, one of which is Contract Chain (C-Chain), for launching decentralized applications (dApps) and enterprise blockchain deployments. It is EVM-compatible, and hence supports smart contracts written in Solidity.
  • Solana: An efficient and speed-first blockchain network that is constructed with programs (smart contracts), written in Rust or C/C++.
  • NEAR: A high-performance blockchain network that supports smart contracts written in JavaScript, Rust or AssemblyScript.
  • EOSIO: A blockchain network that supports smart contracts written in C++.
  • NEO: The most developer-friendly blockchain that supports smart contracts written in various programming languages, including C#, Python, Go, Java and TypeScript.
  • Algorand: A blockchain platform that supports smart contracts written in multiple programming languages, including Python and a JavaScript-like language called Reach.
  • Aptos: A Layer 1 blockchain with resource objects and Move programming language for smart contracts.
  • Sui: The first permissionless Layer 1 blockchain that is written in Rust and supports smart contracts written in the Move programming language.

We also support auditing dApps and enterprise blockchains that are created and deployed with the following platforms:

  • Cosmos: A Layer 0 network that connects independent blockchains into an interchain system. Cosmos provides an SDK for building dApps and Layer 1 chains in Go.
  • Polkadot: The first fully-sharded blockchain consists of a main chain called the Relay Chain and shards called parachains. With Parachain Development Kit (PDK), developers can build parachains written in Rust.
  • Quorum: An open-source, permissioned blockchain protocol based on Ethereum that allows developers to deploy networks with contracts written in Solidity or Vyper.
  • Hyperledger: An open-source collaborative effort created to advance cross-industry blockchain technologies, which provides various distributed ledger frameworks, supporting different programming languages, including Go, Python, Rust, Java, JavaScript, C++, C#, Objective-C and Swift.
  • Corda: A peer-to-peer (P2P) distributed ledger technology (DLT) platform that is primarily used by businesses in finance-related industries to build dApps and blockchains written in Kotlin or Java.
  • Hedera Hashgraph: An open-source public distributed ledger based on the Hashgraph algorithm, which is an alternative to blockchain. It provides SDKs for multiple programming languages, such as Java, JavaScript/TypeScript, Go, Rust, C++ and Swift.

Our workflow

  • Preparation: This includes setting the scope of the audit, identifying the stakeholders, and gathering all relevant documentation, such as the whitepaper, smart contract code, and design documents.
  • Threat modelling: This step involves identifying potential threats and vulnerabilities that may affect the smart contract. This includes analyzing the smart contract’s functionality, data flow, and external interactions to identify any potential attack vectors.
  • Code review: This step involves reviewing the smart contract code to identify any bugs, errors, or vulnerabilities. This can be done manually by an experienced developer or by using automated tools to help identify potential issues. CyStack also uses SafeChain, an automated blockchain vulnerability scanner built by our team, for this stage.
  • Test execution: This step involves executing the smart contract on a test network and performing various types of testing, such as unit testing, functional testing, and security testing.
  • Reporting: This step involves documenting the findings of the audit and providing a report that includes an overview of the audit, a list of identified issues, and recommendations for remediation.
  • Remediation: This step involves implementing any recommended changes to the smart contract code to fix identified issues and vulnerabilities.
  • Retesting: This step involves re-executing the smart contract on the test network to ensure that the identified issues have been resolved and that the smart contract is now secure.

Result

After performing the Smart Contract Audit, we recorded a total of 4 issues in the VDP smart contracts: 1 medium, 1 low and 2 informational.

How we fixed:

Potential Denial of Service by block gas limit

  • Severity: medium
  • Description: Every Ethereum transaction costs a base 21,000 gas plus whatever computation the contract performs, and a block can hold at most 30 million gas. A transaction that needs more gas than the block limit can never be included, and one that runs out of gas reverts. Where a function loops over an array of loans that grows without bound, the gas it needs grows with the array: either it grows over time through normal use, or a malicious actor deliberately accumulates a large number of loans, until the function can no longer execute within a block and that part of the contract becomes inoperable.
  • Remediation: Either impose a limit on the array size, or avoid large arrays that grow over time and loops across the entire data structure. If neither is feasible, spread operations over such arrays across multiple blocks, and therefore multiple transactions, by processing a bounded batch per call and keeping a cursor to the next element.

Missing zero address validation

  • Severity: low
  • Description: The function changeFactory lacks a zero-address check on newFactory. Setting the factory to address(0) would cause unexpected results in every operation that depends on it.
  • Remediation: Check that newFactory is not the zero address before using it in any operation.

Floating pragma

  • Severity: info
  • Description: Contracts should be deployed with the same compiler version and flags they were thoroughly tested with. Locking the pragma ensures that contracts are not accidentally deployed with, for example, an outdated compiler version that introduces bugs affecting the contract system.
  • Remediation: Use a fixed pragma version, since other compiler versions may handle certain language constructs in a way the developer did not foresee. A floating pragma allows compilation with an older or newer version than the one tested, and with it any bugs that version carries.

Boolean equality

  • Severity: info
  • Description: Boolean values can be used directly in conditionals such as if and else statements. In several contracts, conditions are written as comparisons between a boolean value and the constant true (or false).
  • Remediation: Use the boolean value directly, for example if (flag) rather than if (flag == true).
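To show how the four findings above are remediated in one place, here is an added example written for this page; it is not the VDP code or CyStack's fix, and the contract LoanRegistry, its functions openLoan, settleAllUnbounded and settleBatch, and the cap MAX_OPEN_LOANS are hypothetical. Only the name changeFactory comes from the report. The unbounded loop is kept alongside the batched version so the gas-limit problem and its fix can be compared directly.

```solidity
// SPDX-License-Identifier: MIT
// Fixed pragma (informational finding): compile and deploy with exactly the
// version that was tested, rather than a floating range such as ^0.8.0.
pragma solidity 0.8.20;

// Added illustration, not the audited VDP contract. Names are hypothetical.
contract LoanRegistry {
    struct Loan {
        address borrower;
        uint256 principal;
        bool settled;
    }

    address public owner;
    address public factory;
    Loan[] public loans;

    // Medium finding, remediation 1: cap the array so nobody can grow it
    // until a full traversal exceeds the block gas limit.
    uint256 public constant MAX_OPEN_LOANS = 1_000;

    // Medium finding, remediation 2: cursor for batched processing.
    uint256 public settleCursor;

    constructor(address initialFactory) {
        require(initialFactory != address(0), "factory is zero address");
        owner = msg.sender;
        factory = initialFactory;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Low finding: validate the new address before it is stored.
    function changeFactory(address newFactory) external onlyOwner {
        require(newFactory != address(0), "factory is zero address");
        factory = newFactory;
    }

    function openLoan(address borrower, uint256 principal) external {
        require(msg.sender == factory, "only factory");
        require(borrower != address(0), "borrower is zero address");
        require(loans.length < MAX_OPEN_LOANS, "loan cap reached");
        loans.push(Loan(borrower, principal, false));
    }

    // VULNERABLE PATTERN, kept for contrast: a single loop over the whole
    // array. Once enough loans exist, the gas this needs exceeds what one
    // block can hold and settlement is frozen for every borrower.
    function settleAllUnbounded() external onlyOwner {
        for (uint256 i = 0; i < loans.length; i++) {
            if (loans[i].settled == false) { // informational: boolean equality
                loans[i].settled = true;
            }
        }
    }

    // REMEDIATED: settle at most batchSize loans per transaction and resume
    // from settleCursor next time, so the work spans several blocks.
    function settleBatch(uint256 batchSize) external onlyOwner returns (uint256 processed) {
        uint256 end = settleCursor + batchSize;
        if (end > loans.length) {
            end = loans.length;
        }
        for (uint256 i = settleCursor; i < end; i++) {
            if (!loans[i].settled) {         // informational: use the bool directly
                loans[i].settled = true;
                processed++;
            }
        }
        settleCursor = end;
        if (settleCursor >= loans.length) {
            settleCursor = 0;                // wrap around for the next cycle
        }
    }
}
```

The caller keeps invoking settleBatch with a batch size whose gas cost is known to fit comfortably in a block until the function reports that settleCursor has wrapped to zero. The cap on openLoan limits the worst case a malicious actor can create, while the cursor keeps each transaction's gas bounded regardless of how large the array is allowed to get.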

After retesting the new codebase for Vayana smart contracts, CyStack confirmed that all discovered issues have been resolved. No new issues were found for additional functionalities in smart contracts. Overall, the smart contracts have been tested and include best practices for smart contract development, and have passed CyStack's security assessment.

Conclusion

Thanks to its proactive approach to testing, Vayana has been able to reaffirm its commitment to supporting organizations and users in addressing security threats.

CyStack conducted a comprehensive security testing and assessment process to identify and remediate the discovered vulnerabilities. The team of experts at CyStack worked diligently to ensure that every reported weakness in the VDP smart contracts was fixed and confirmed by retesting.

Vayana is highly satisfied with the services provided by CyStack, both in terms of technical stages and customer care. With a deep understanding of CyStack's workflow, level of support, and ability to meet requirements, Vayana has a strong foundation for making the decision to establish a long-term collaboration with CyStack. Vayana believes that the cooperative relationship between the two parties will continue to evolve and lead to success in future security plans.

About Us

CyStack is a cybersecurity company based in Vietnam since 2017. We offer comprehensive solutions, including testing, security consulting, and managed services. With over 200 businesses and 20,000 users around the world, we are recognized as a trusted partner for organizations and a strong leading firm in cybersecurity research and development.

For more information, please visit: https://cystack.net/
