Update June 25, 2024 - Upgrade to Avalanche version 1.9.0 and Coreth v0.11.0.
New Security Issues: 0
After the development team implemented the latest updates, FYEO conducted a review of the modifications. The primary goal of this evaluation was to ensure the continued robustness of the network's security features, safeguarding the network's integrity and maintaining the overall robustness of the codebase.
The Flare project has undergone several changes to upgrade it to Avalanche version 1.9.0 and Coreth v0.11.0. The network configuration settings and the configurations for Songbird, Flare and their test networks have been updated. An application prefix has been set specifically for Songbird ("flare") and Flare ("avalanche") using the InitApplicationPrefix function. In vms/platformvm/reward/calculator.go, the reward calculation function was simplified to always return zero, because rewards are instead handled in smart contracts. Changes were also made indicating that Flare and Songbird do not allow the creation of subnets or the addition of permissionless validator transactions. For validators, the DefaultValidatorList and defaultValidatorSet were added, along with proper tests. These validators have a limited validity period.
Coreth (Core Ethereum) adjustments included updates to the block rate and gas limit settings and setting the NativeAssetCallDeprecationTime to September 16, 2022. Improvements were made in handling attestation votes to ensure proper error management and correct plurality assignment, including logic for handling discrepancies in attestation decisions and potential node forking. In the state transition, Flare and Songbird specific handling was added in core/state_transition.go, with adjustments based on chain ID and timestamp, and checks for prioritized contract calls. Finally, the local Flare chain configuration and the Songbird local network configuration were defined.
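The chain-ID-and-timestamp gating described above is the pattern behind a deprecation switch such as NativeAssetCallDeprecationTime. The following Go program is an added illustration of that pattern and is not code from Coreth or from the Flare repository: the rule type, the function names and the chain IDs (14 for Flare, 19 for Songbird, taken from public chain registries rather than from this page) are assumptions, and since the page gives only the date, midnight UTC on September 16, 2022 is assumed as the activation instant. The key property a reviewer checks is that the decision depends only on the block's chain ID and timestamp, so every node reaches the same answer for the same block and the fork boundary is exact.

```go
package main

import (
	"fmt"
	"math/big"
	"time"
)

// Chain IDs for this example. They are not listed on the page; the values are
// the publicly registered EVM chain IDs for Flare (14) and Songbird (19) and
// are treated here as assumptions.
var (
	FlareChainID    = big.NewInt(14)
	SongbirdChainID = big.NewInt(19)
)

// NativeAssetCallDeprecationTime is the activation timestamp named on the page
// (September 16, 2022). Only the date is given, so midnight UTC is assumed.
var NativeAssetCallDeprecationTime = uint64(
	time.Date(2022, time.September, 16, 0, 0, 0, 0, time.UTC).Unix())

// ForkRule ties a consensus rule to the chains it applies to and the block
// timestamp at which it activates. Keying on the block timestamp rather than
// wall-clock time keeps the decision deterministic across all nodes.
type ForkRule struct {
	Name       string
	ChainIDs   []*big.Int
	ActivateAt uint64
}

// appliesTo reports whether the rule is scoped to chainID at all. A nil chain
// ID (unset config) is treated as "not applicable" rather than as a match.
func (r ForkRule) appliesTo(chainID *big.Int) bool {
	if chainID == nil {
		return false
	}
	for _, id := range r.ChainIDs {
		if id.Cmp(chainID) == 0 {
			return true
		}
	}
	return false
}

// Active reports whether the rule is in force for a block on chainID with the
// given timestamp. Activation is inclusive: a block whose timestamp equals
// ActivateAt is already governed by the new rule.
func (r ForkRule) Active(chainID *big.Int, blockTime uint64) bool {
	return r.appliesTo(chainID) && blockTime >= r.ActivateAt
}

// nativeAssetCallDeprecation is the hypothetical rule that switches the native
// asset call off on Flare and Songbird from the deprecation time onward.
var nativeAssetCallDeprecation = ForkRule{
	Name:       "NativeAssetCallDeprecation",
	ChainIDs:   []*big.Int{FlareChainID, SongbirdChainID},
	ActivateAt: NativeAssetCallDeprecationTime,
}

// NativeAssetCallAllowed is the check a state transition would consult before
// honouring a native asset call. Chains not covered by the rule keep the
// pre-fork behaviour unchanged.
func NativeAssetCallAllowed(chainID *big.Int, blockTime uint64) bool {
	return !nativeAssetCallDeprecation.Active(chainID, blockTime)
}

func main() {
	boundary := NativeAssetCallDeprecationTime
	for _, blockTime := range []uint64{boundary - 1, boundary, boundary + 1} {
		fmt.Printf("flare    t=%d allowed=%v\n", blockTime, NativeAssetCallAllowed(FlareChainID, blockTime))
		fmt.Printf("songbird t=%d allowed=%v\n", blockTime, NativeAssetCallAllowed(SongbirdChainID, blockTime))
		fmt.Printf("other    t=%d allowed=%v\n", blockTime, NativeAssetCallAllowed(big.NewInt(1), blockTime))
	}
}
```

Running it prints the decision one second before, at, and one second after the assumed boundary for the two gated chains and for an unrelated chain ID, which is the table a reviewer would expect to see covered by the project's own tests for such a switch.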
To address concerns with inter-chain fund transfers, the gas limit for the Songbird chain was reduced to 8 million to align with Avalanche defaults and prevent potential issues. These changes were implemented with commit hash 7a3db361a9933d33244bd09a666e708fdee6cf91.
These changes collectively advance the code base by integrating updates from a more recent version of Avalanche.
About the Flare Songbird Secure Code Assessment
The reviewed update brings several enhancements to the Flare codebase, with the primary objective of integrating Songbird and Coston (its test network). These changes encompass the integration of genesis data, staking weights, block times, validators, fork dates, and gas limits, among others.
After a thorough review, FYEO concluded that the security aspects of the Flare network remain robust and unaffected by the recent updates. Users can confidently interact with the network, assured that their assets are well-protected. The commitment to security exhibited by the development team is commendable, and we appreciate the ongoing efforts to prioritize the safeguarding of network users.
The FYEO Process
When FYEO performs an assessment, we focus on the code committed at a specific time when the code base is feature complete.
Our goal is to give our clients the following:
A better understanding of their security posture, helping them identify current and future risks in their deployed chain and contract infrastructure.
An opinion on what security measures are in place regarding maturity, adequacy, and efficiency.
Identify potential issues, including loss of funds scenarios, and include improvement recommendations based on the result of our assessment.
Give the development team a better understanding of writing and maintaining more secure code. The incremental increase of security is part of the overall increased quality of the project.
Findings and Report - Flare Songbird
During the security assessment, we uncovered:
1 finding with an INFORMATIONAL severity rating.
Upgrade to Avalanche version 1.9.0 and Coreth v0.11.0
During the security assessment, we uncovered:
0 new security issues
Once notified, the Flare team was quick to address and remediate these findings. You can find a public version of the report available below.