Quantstamp RT-Monitor Progress Report, Q1 2021
Summary
Quantstamp provided a Real-Time Security Monitoring Solution (RT-Monitor) to detect abnormal transactions on the Klaytn blockchain. We customized the different types of analyses to the needs of Klaytn and on the advice of its team, and built a novel way to analyze Klaytn tokens and smart contracts.
RT-Monitor monitors for overflow issues (which may occur due to malicious minting or the batch-overflow bug), mint/burn events, and contract owner changes. RT-Monitor has been in production for Klaytn since December 2020, giving Klaytn enhanced security monitoring abilities. The Klaytn ecosystem and its users benefit from our experience as researchers, software engineers, and security auditors: Quantstamp has observed the best processes and models for real-time monitoring solutions and other security measures, and these methods have been implemented in the Klaytn real-time security monitoring solution.
This progress report summarizes the major maintenance and support activities during the first quarter of 2021.
Project Milestones and Schedule
N/A
Key Deliverables
Status Update
Monitored Tokens: 21
ABL, att, BFCK, BPT, CLBK, COSM, DTA, ISR, KSP, KDAI, MNR, KETH, KORC, KUSDT, KWBTC, PXL, WIKEN, SSX, TEMCO, KUSD, SKLAY
Maintenance & Support:
- The dashboard Klaytn Monitoring responded slowly. [Resolved] The Quantstamp team investigated and found that the issue was caused by the massive number of alerts loaded at the top of the page. We fixed the issue by limiting the number loaded on the front end. As the alerts are sorted chronologically, we configured the page to load only N alerts and to populate new ones only when old ones are dismissed.
- There was feedback that the performance of the website and the mobile website was slow.
[Resolved] It was because an older cached version was being used. We informed the Klaytn team to hard refresh and clear the cache (a hard refresh is holding the control/command key and clicking refresh).
- The monitoring system seemed not to be checking recent blocks, and it also showed failures when checking some contracts.
[Resolved] It was because the API limit on our KAS account had been changed from 100K to 10K. We fixed the issue by purchasing the ‘Starter’ plan of KAS for one year, which sets the limit to 100K per day.
- Quantstamp has changed the logos to each token’s own logo. The design highlights whichever token is selected and greys out the rest.
- Checks have failed for some contracts
[Resolved] Quantstamp team analysis: “These appear to be related to supply changes as noted in the event history table on the right side of the page; however, there is unlikely to be an issue with the monitored contracts. Since the monitoring service cannot distinguish between honest and malicious mints/burns, our service takes the safe approach of reporting all supply changes. For these types of contracts where mints/burns are expected and frequent behavior (such as KETH), we can disable the supply detector if the Klaytn team prefers. This will eliminate most of the false positives.”
Klaytn team response: “Tokens like KDAI, KETH, KORC, KUSDT, and KWBTC are wrapped versions of DAI, ETH, ORC, USDT, and WBTC (i.e., they are minted on Klaytn when Ethereum’s tokens are transferred to Klaytn), so they are minted and burned frequently by transferring them between Klaytn and Ethereum. And, SKLAY is minted by staking KLAY on https://klaystation.io/, so its behavior of supply changes is normal. Thus, I suggest disabling the supply detector for KDAI, KETH, KORC, KUSDT, and KWBTC.”
Following the Klaytn team’s guidance, Quantstamp disabled the supply detector for the above-requested contracts.
- Checking failures for BPT
[Analysis reported] The Quantstamp team looked further into the BPT token here: Klaytnscope. We are not entirely sure what the token is intended for, but there is a very strange function which allows any user to mint any number of tokens. If you check the contract source at the above link, on L592 we have:

    // BPT contract source, L592 as quoted in this report. The function has no
    // access control, so any caller can raise its own balance and totalSupply.
    function addTotalSupply(uint256 _value) public {
        _balances[msg.sender] = _balances[msg.sender].add(_value);
        _totalSupply = _totalSupply.add(_value);
    }

For example, any user could invoke the function right now and add 10^255 tokens to their balance. This is likely a critical issue with the code.
⇒ The Klaytn team informed Quantstamp that the team will report this issue to the BlockPet project.
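The supply detector and overflow check discussed in the two items above, as an added Python illustration that is not Quantstamp's or Klaytn's code: it reports every mint/burn except for the five wrapped tokens the Klaytn team asked to exclude, flags a totalSupply that leaves the uint256 range or disagrees with the expected value, reports owner changes, and trims the dashboard list to the newest N alerts. The event records, balances and addresses are constructed for the example, and the class and function names are my own, not RT-Monitor's.

```python
"""Supply, overflow and owner-change checks in the spirit of RT-Monitor.

Added illustration; not Quantstamp's or Klaytn's code. The events below are
constructed by hand; the real service reads them from the chain through KAS.
"""
from dataclasses import dataclass
from typing import List, Set

UINT256_MAX = 2**256 - 1


@dataclass
class SupplyEvent:
    block: int
    token: str
    kind: str            # "mint" or "burn"
    amount: int
    supply_before: int   # totalSupply() before the transaction
    supply_after: int    # totalSupply() read back after it


@dataclass
class OwnerEvent:
    block: int
    token: str
    old_owner: str
    new_owner: str


@dataclass
class Alert:
    block: int
    token: str
    detector: str        # "supply", "overflow" or "owner"
    message: str


# Wrapped assets whose mints/burns are routine: the supply detector is
# switched off for them, as agreed with the Klaytn team in Q1 2021.
SUPPLY_DETECTOR_DISABLED: Set[str] = {"KDAI", "KETH", "KORC", "KUSDT", "KWBTC"}


def check_supply(ev: SupplyEvent, disabled: Set[str] = SUPPLY_DETECTOR_DISABLED) -> List[Alert]:
    """Overflow check for every token; plain supply-change alert unless disabled."""
    expected = ev.supply_before + ev.amount if ev.kind == "mint" else ev.supply_before - ev.amount
    # Python ints do not wrap, so a result outside uint256 means the on-chain
    # arithmetic wrapped (or a burn exceeded the supply). This check stays on
    # even for tokens whose ordinary supply changes are not reported.
    if expected < 0 or expected > UINT256_MAX:
        return [Alert(ev.block, ev.token, "overflow",
                      f"{ev.kind} of {ev.amount} leaves uint256 range (chain reports {ev.supply_after})")]
    if ev.supply_after != expected:
        return [Alert(ev.block, ev.token, "overflow",
                      f"totalSupply {ev.supply_after} != expected {expected}")]
    if ev.token in disabled:
        return []
    return [Alert(ev.block, ev.token, "supply",
                  f"{ev.kind} of {ev.amount}: totalSupply {ev.supply_before} -> {ev.supply_after}")]


def check_owner(ev: OwnerEvent) -> List[Alert]:
    """Every ownership transfer is reported; an analyst decides whether it was planned."""
    return [Alert(ev.block, ev.token, "owner", f"owner {ev.old_owner} -> {ev.new_owner}")]


def run_detectors(events) -> List[Alert]:
    alerts: List[Alert] = []
    for ev in events:
        if isinstance(ev, SupplyEvent):
            alerts.extend(check_supply(ev))
        elif isinstance(ev, OwnerEvent):
            alerts.extend(check_owner(ev))
    return alerts


def latest_alerts(alerts: List[Alert], n: int) -> List[Alert]:
    """Newest n alerts only, the way the dashboard was changed to load its page."""
    return sorted(alerts, key=lambda a: a.block, reverse=True)[:n]


# Constructed sample, not real Klaytn data (addresses are placeholders).
SAMPLE_EVENTS = [
    SupplyEvent(100, "KETH", "mint", 5 * 10**18, 1000 * 10**18, 1005 * 10**18),
    SupplyEvent(101, "BPT", "mint", 10**30, 10**24, 10**24 + 10**30),
    SupplyEvent(102, "ABL", "mint", UINT256_MAX, 10**21, (10**21 + UINT256_MAX) % 2**256),
    OwnerEvent(103, "PXL", "0x" + "a" * 40, "0x" + "b" * 40),
]

if __name__ == "__main__":
    for a in run_detectors(SAMPLE_EVENTS):
        print(f"block {a.block} {a.token:6} [{a.detector}] {a.message}")
```

Running the module prints three alerts for the sample: the unexpected BPT mint (which is how an unrestricted function such as addTotalSupply shows up to the monitor), a mint whose totalSupply wrapped around, and an owner change. The KETH mint is silent because its supply detector is disabled, but an out-of-range change on KETH would still raise an overflow alert, which is why that check runs before the disabled-set lookup.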
Budget
- Q1 2021 Licensing Fee: 30,000 USD