FYEO completes a comprehensive security assessment of the XRPL Labs Hooks Amendment
And continues to provide security services for XRPL Labs & the community!
In April of this year, we announced that we began our security assessment of the Hooks Amendment. FYEO is excited to announce the audit for the XRPL Labs Hooks Amendment has now been completed.
FYEO is also thrilled to see a project like XRPL Labs embrace holistic security by not stopping at the audit. XRPL Labs is also monitoring all domains and employees associated with the project using FYEO Domain Intelligence to ensure that no attack vector is left unguarded. FYEO has already identified over 90 lookalike domains resembling those of the XRPL Labs suite of products and works daily with the security team at XRPL Labs to ensure none of these turn into phishing sites. This level of diligence by XRPL Labs is admirable, and we hope more projects will follow suit and embrace holistic and dynamic security. (Help projects like XRPL Labs stay ahead of the bad guys. Use FYEO Agent! Anyone can protect themselves from phishing sites with FYEO's free Chrome extension, Agent.)
What is the Hooks Amendment?
The Hooks Amendment refers to a proposed feature on the XRP Ledger to enable smart contract functionality. Hooks are lightweight, efficient, and purpose-built smart contracts designed to expand the capabilities of the XRP Ledger.
The Hooks Amendment aims to add support for native, on-ledger smart contracts that can perform specific functions based on predefined conditions. Unlike Ethereum, which uses a Turing-complete programming language (Solidity) for its smart contracts, Hooks are designed to be more straightforward and efficient while still supporting real-world utility use cases.
One of the primary motivations behind Hooks is to maintain the XRPL's efficiency and scalability while introducing smart contract capabilities. The idea is to provide developers with essential tools for building on-ledger logic, influencing the flow of transactions, and emitting newly crafted transactions on the XRP Ledger, without overburdening the network with complex and resource-intensive smart contracts. This will make any future mission-critical projects built on XRPL much more efficient and secure. Hooks can be triggered on outgoing or incoming transactions, allowing developers to build various dApps, including DeFi. DeFi is one of the central use cases FYEO looked at when auditing the Hooks Amendment, which lets FYEO apply the blockchain-agnostic process it has used on hundreds of projects across all major Layer 1 blockchains.
The FYEO Process
When FYEO performs an assessment, we focus on the code committed at a specific time when the code base is feature complete.
Our goal is to give our clients the following:
A better understanding of their security posture, and help identifying current and future risks in their deployed chain and contract infrastructure.
An opinion on the security measures in place, regarding their maturity, adequacy, and efficiency.
Identification of potential issues, including loss-of-funds scenarios, together with improvement recommendations based on the results of our assessment.
A better understanding for the development team of how to write and maintain more secure code. This incremental increase in security is part of the overall increase in the quality of the project.
For this review, we started with a review of the usage of WASM, then checked the hooks helper functions and how hooks are set and executed. The hooks and the underlying C/C++ implementation work together, which is why our process starts at the foundation and works its way up through the code base, to ensure not only that the contracts are put together correctly but also that the foundation they are built on is sound. The final report is attached.