Round 9 - GMC Call for Grant Applications - Deadline is February 11

Grant Application - Halborn - Infrastructure Security Assessment

What is the work being proposed?

Halborn is seeking a grant to perform a comprehensive infrastructure security assessment for Rocketpool. We think this is particularly timely given the recent malicious actions against the official Rocketpool Twitter account.

Halborn is an award-winning, elite cybersecurity company for blockchain organizations founded in 2019 by renowned ethical hacker Steven Walbroehl and growth hacker Rob Behnke. We’ve been trusted by organizations such as Uniswap, Matter Labs, Circle, Solana, Dapper Labs, Polygon, Animoca Brands, Sushi, and many more.

Purpose & Motivation

Of the top 50 hacks, 40% occurred outside the smart contracts themselves, with attackers finding vulnerabilities in web apps, wallets, bridges, and other points of intrusion. Annual infrastructure auditing is a critical part of comprehensive security and will allow Rocketpool to take a proactive stance in identifying and addressing potential vulnerabilities before they become intrusions.

Infrastructure auditing, usually delivered as penetration testing ("pen testing"), is a critical part of a robust and comprehensive cybersecurity plan. While many DAOs and Web3 companies are (rightly) focused on smart contract auditing as a key pillar of their security, infrastructure auditing is just as important, particularly for large protocols.

Whereas smart contract auditing focuses on the contracts themselves, infrastructure auditing targets the various "non-smart contract" attack surfaces: web apps, mobile apps, bridges, cryptocurrency wallets, cloud infrastructure and more. Proactively identifying vulnerabilities in these areas allows Rocketpool to fix weaknesses before they can be exploited by malicious actors.

According to our research, off-chain attacks are a growing threat and a significant source of losses. A closer examination of the top 50 attacks by loss shows that off-chain attacks accounted for 40% of the total losses. That share has been increasing over time, reaching 61% of losses and 70% of all attacks by type (on-chain vs. off-chain) in 2023 alone.

Is there any related work this builds off of?

N/A

Will the results of this project be entirely open source (MIT, GPL, Apache, CC BY license or similar)? If not, which parts will not be, why, and under what license will they be published?

Rocketpool has the option to make the final report public or private. If public, it will be published in our GitHub public report repository.

Benefit

Group: Benefits

Potential rETH holders: This grant will significantly increase security for rETH holders by helping secure the platform and interfaces they use to interact with Rocketpool. This should draw incremental rETH holders into the ecosystem.

rETH holders: This grant will significantly increase security for the platform and interfaces that rETH holders use. The increase in confidence should allow the number of holders, and the average amount held per holder, to increase.

Potential NOs: Robust security should have a positive effect on attracting new Node Operators.

NOs: Increased security across the Rocketpool ecosystem should increase the number of stakers in the ecosystem, which benefits existing Node Operators.

Community: Increased confidence in ecosystem security should allow more people to join the community, increasing participation and strengthening governance and decentralization.

RPL holders: Increased security should drive incremental positive growth across the entire ecosystem. Higher confidence in the ecosystem should attract additional stakers and additional Node Operators, starting a positive flywheel that should drive value to the RPL token and its holders.

Which other non-RPL protocols, DAOs, projects, or individuals, would stand to benefit from this grant?

Increased security, even for just one protocol, helps improve the reputation and decentralization of crypto overall, which helps a vast array of protocols, projects, and individuals. It disincentivizes malicious actors and helps improve security broadly across the entire ecosystem.

Work

Who is doing the work?

Halborn’s infrastructure security team.

What is the background of the person(s) doing the work? What experience do they have with such projects in the past?

Halborn has played a significant role in enhancing the off-chain security of various protocols. While many of the reports remain confidential, some of our critical findings include unauthorized access to sensitive data in a project database; exposure of a database's admin secret key; potential SQL injection vulnerabilities in other databases; and misconfigurations on a Firebase database that would have given an attacker nearly free rein over it.

Among our public reports, we would like to highlight:

  • The Aptos Wallet WebApp pentest.

    • We found a total of 6 critical vulnerabilities, including: an attacker being able to obtain the mnemonic passphrase from clipboard storage; an attacker being able to execute malicious code through the exported wallet functions, triggering a denial of service on the extension and the browser; a race condition in the message-signing function, which also required no confirmation from the user; and an attacker who has compromised a user's machine being able to exfiltrate their mnemonic phrase as well as their password.
  • HBarSuite WebApp and SmartNode FrontEnd and BackEnd pentest

    • In this case, Halborn engineers discovered two critical vulnerabilities: one allowed an attacker to perform a denial of service against the smart nodes, and the other prevented a user from claiming back liquidity or observing the liquidity they had added to the protocol's pools.

These are just a few select examples. A more comprehensive list of our past work can be found in our public report repository.

What is the breakdown of the proposed work, in terms of milestones and/or deadlines?

Halborn will conduct penetration testing of Rocketpool's non-smart contract attack surfaces such as web apps, cloud, infrastructure, and more. Halborn will use an active, hands-on approach with deep security inspection to identify vulnerabilities. The penetration test will simulate the activities and tactics typically used by threat actors. During the test, Halborn will keep Rocketpool updated with relevant details and findings.

Halborn will perform the infrastructure audit following these steps or phases:

  • Mapping Content and Functionality
  • Configuration and deployment
  • Identity Management flaws
  • Authentication/Authorization Flaws
  • Session handling
  • Business logic flaws
  • Rate Limitations tests
  • Brute Force Attempts
  • Input Handling
  • Fuzzing of all input parameters
  • Multiple Type of Injection (SQL/JSON/HTML/Command)
  • Client-side testing
  • Error handling
  • Weak Cryptography
  • Source Code Review

Timeline and scope differ for each project, so a timeline will be established as part of the scoping process with the GMC.

How is the work being tested? Is testing included in the schedule?

Most assessments are led by a full-time Senior Engineer and supervised by a Technical Lead, and the VP of Security is also involved during the QA process.

We develop test scenarios at the beginning of the audit, and they are an essential part of the QA process. We standardize our processes as much as we can and follow a strict methodology to check that every in-scope attack vector was tested, to minimize the chance that an exploitable weakness is missed.

How will the work be maintained after delivery?

After testing, Halborn will deliver a report detailing all service areas covered, including risks, vulnerabilities, the steps taken, and remediation recommendations.

Halborn will exercise due care in removing testing tools, payloads, and other files or artifacts used during the assessment after the completion of testing. Halborn will make every attempt to avoid business interruption during the course of the penetration test.

Costs

What is the acceptance criteria?

A final infrastructure assessment report.

What is the proposed payment schedule for the grant? How much USD $ and over what period of time is the applicant requesting?

The team will need to complete a scoping exercise in order to determine an accurate price, as projects are priced on time, complexity, size of the codebase, etc. We can get on a quick scoping call to make sure both teams are aligned on what is in and out of scope.

Is the applicant requesting RPL or LUSD?

Preference for LUSD, but flexible.

How will the GMC verify that the work delivered matches the proposed cadence?

The GMC will have an assigned account manager, with regular check-ins and calls as needed, to ensure delivery matches the agreed-upon cadence.

What alternatives or options have been considered in order to save costs for the proposed project?

N/A

Conflict of Interest

Does the person or persons proposing the grant have any conflicts of interest to disclose? (Please disclose here if you are a member of the GMC or if any member of the GMC would benefit directly financially from the grant).

No

Will the recipient of the grant, or any protocol or project in which the recipient has a vested interest (other than Rocket Pool), benefit financially if the grant is successful?

The grant is for compensation to Halborn to complete the infrastructure security assessment.

Contact: [email protected]