...
Component | Vulnerability | Description | Implications for FIO | Next steps / Status | |||
---|---|---|---|---|---|---|---|
fio.erc20 fio.erc721 | Re-entrancyGeneral solidity vulnerabilities | The following site lists several solidity hacks/vulnerabilities that should be reviewed and considered. | Recommend erc20 and erc721 contract be audited for securit | FIO had our Solidity hacks could result in minting of WFIO without wrapping. |
The critical issues from the |
Create a table that includes:
Security issue
Description of the issue
Implications of the security issue for FIO users
Mitigation strategies for the security issue
Identify those areas where there is a gap in existing knowledge or technologies.
Discuss/identify external resources that can fill these gaps.
Consider adding an anomaly detection system:
https://www.eosgo.io/news/vaultsx-hack-lessnos-learned-and-thoughts
“It is likely that if more than 30% of the funds are withdrawn from the contract in a short period of time, then the chances are high that this is the result of a hacker attack.
Automatic anomaly detection systems cannot stop an attack, but they can mitigate damage. Such systems are an algorithm for detecting behavior that is not typical of a contract under normal circumstances. I highly recommend that developers of high-end contracts implement the simplest anomaly detection systems.”
We have a FIO token Wrapping project under development and will need to audit three areas:
The FIO Chain fio.orcle contract
The Ethereum Chain fio.erc20 contract
The Nodejs Oracle code that monitors both chains and executes wrap and unwrap transactions.
This story tracks the security audit of the "oracle" JS code that sits between the FIO and the Ethereum chains and monitors them for wrap/unwrap activity and then transfers FIO tokens on the FIO chain to WFIO tokens on Ethereum (and vice versa).
...
| ||||||||||||||||||||
fio.oracle | Compromised keys | Outside of the general risks to the erc20 and erc721 contracts, the main risk for Oracles is that their signing keys somehow compromised and can be used to send approvals to the FIO and Solidity contracts. The fio.oracle javascript code has not been audited. This code should only be run in a protected environment on Oracle servers. The keys are held in environment variables that, if compromised, would allow a hacker to approve illegitimate transactions | Could result in unauthorized minting and wrapping. |
| ||||||||||||||||