About the Flare Data Availability audit
The Data Availability service is a Django application for handling and validating attestations and feed data tied to the Flare blockchain, focusing on cryptographic validation using Merkle trees. The service interfaces with external data sources through API clients, fetches data related to specific voting rounds, and uses Merkle tree structures to ensure the data’s integrity before persisting it in a relational database. The main logic revolves around the AttestationResult and FeedResult models, which store data about blockchain voting rounds, feeds, and associated attestation results. Each record in these models represents a verified attestation, containing fields like voting_round_id, cryptographic proofs, and serialized data about voting results. The AttestationResult model supports cryptographic verification by calculating and storing keccak hashes of each attestation, making it possible to verify data authenticity through Merkle proofs. The FeedResult model manages feeds associated with voting rounds, including voting outcomes, turnout, and other metadata. For every feed, the model computes its hash based on Ethereum’s ABI encoding scheme.
The service’s API layer exposes data endpoints via Django REST Framework viewsets, allowing clients to retrieve attestation and feed results through GET and POST endpoints. Users can request feeds by voting round or obtain Merkle proofs for specified feeds. Each view validates incoming requests, which enforces schema integrity for requests and responses.
The Merkle tree structure is critical for data integrity. When processing attestations or feed data, the service organizes relevant records into a Merkle tree and compares its root hash with known values from external data sources or previous rounds. This comparison ensures that the data stored and served remains consistent with the data on-chain. If mismatches occur, such as differences in Merkle root hashes, the service raises errors to indicate potential data corruption.
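The root comparison and proof check described above, as an added example (not code from the Flare service or the FYEO report). SHA3-256 from Python's standard library stands in for keccak, and the tree layout (de-duplicated sorted leaves, sorted-pair hashing, odd node promoted), the function names and the sample records are assumptions made for illustration.

```python
import hashlib

class RootMismatch(Exception):
    """Computed Merkle root differs from the externally supplied one."""

def h(data: bytes) -> bytes:
    # Stand-in hash: the service uses keccak; hashlib only ships NIST SHA3-256.
    return hashlib.sha3_256(data).digest()

def pair(a: bytes, b: bytes) -> bytes:
    # Assumption: sorted-pair hashing, so proofs carry no left/right flags.
    return h(min(a, b) + max(a, b))

def build_levels(leaves):
    # Assumption: leaves are de-duplicated and sorted; an odd node is promoted.
    if not leaves:
        raise ValueError("cannot build a tree from zero leaves")
    levels = [sorted(set(leaves))]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [pair(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])
        levels.append(nxt)
    return levels

def check_round(records, expected_root: bytes):
    # Refuse to continue (for example, to persist) when the root does not match.
    levels = build_levels([h(r) for r in records])
    if levels[-1][0] != expected_root:
        raise RootMismatch(levels[-1][0].hex())
    return levels

def proof_for(levels, leaf: bytes):
    idx = levels[0].index(leaf)  # ValueError if the leaf is not in this round
    proof = []
    for level in levels[:-1]:
        proof += level[idx ^ 1:(idx ^ 1) + 1]  # empty when the node was promoted
        idx //= 2
    return proof

def verify(leaf: bytes, proof, root: bytes) -> bool:
    acc = leaf
    for sibling in proof:
        acc = pair(acc, sibling)
    return acc == root

# Constructed sample records for one hypothetical voting round.
RECORDS = [f"round=1001;feed={n};value={n * 7}".encode() for n in range(5)]
```

A record changed after the root was published fails both checks: check_round raises RootMismatch, and verify returns False for the altered leaf.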
Overall, this Django service provides a robust backend for blockchain data attestation, verifying data integrity with Merkle tree structures and offering an API layer for efficient access and integration into broader decentralized systems. It was noted, however, that the service seems to have been rushed to the finish line. Error handling, logging, testing and overall documentation are lacking, and more effort invested in these would greatly contribute to a more maintainable and secure codebase.
The FYEO Process
When FYEO performs an assessment, we focus on the code committed at a specific time when the code base is feature complete.
Our goal is to give our clients the following:
A better understanding of their security posture, and help identifying current and future risks in their deployed chain & contract infrastructure.
An opinion on what security measures are in place regarding maturity, adequacy, and efficiency.
Identify potential issues, including loss of funds scenarios, and include improvement recommendations based on the result of our assessment.
Give the development team a better understanding of writing and maintaining more secure code. The incremental increase of security is part of the overall increased quality of the project.
Findings and Report
During the Security Code Review of Flare Data Availability, we discovered:
2 findings with MEDIUM severity rating.
3 findings with LOW severity rating.
1 finding with INFORMATIONAL severity rating.
During both audits, the Flare team was quick to address and remediate all findings. You can find a public version of the reports available below.