Quantstamp_RT-Monitor_Progress Report_Q3 2021
Summary
Quantstamp provided a Real-Time Security Monitoring Solution (RT-Monitor) to detect abnormal transactions on the Klaytn blockchain. We customized the different types of analyses based on the needs of Klaytn and on the advice of its team, and built a novel way to analyze Klaytn tokens and smart contracts.
RT-Monitor monitors for overflow issues (which may occur due to malicious minting or the batch-overflow bug), mint/burn events, and contract owner changes. Since RT-Monitor went into production for Klaytn in December 2020, Klaytn has had enhanced security monitoring abilities. The Klaytn ecosystem and its users benefit from our experience as researchers, software engineers, and security auditors: Quantstamp has observed the best processes and models for real-time monitoring solutions and other security measures, and these methods have been implemented in the Klaytn real-time security monitoring solution.
This progress report summarizes the major maintenance and support activities during the third quarter of 2021.
Project Milestones and Schedule
Continued maintenance of the Real-Time Security Monitoring Solution.
Key Deliverables
Status Update
Monitored Tokens: 21
ABL, att, BFCK, BPT, CLBK, COSM, DTA, ISR, KSP, KDAI, MNR, KETH, KORC, KUSDT, KWBTC, PXL, WIKEN, SSX, TEMCO, KUSD, SKLAY
Maintenance & Support:
- Checks have failed for the following contracts:
[SKLAY] Previously, the Klaytn team responded that “SKLAY is minted by staking KLAY on https://klaystation.io/, so its behavior of supply changes is normal.”
[BPT] In Q1, the Quantstamp team looked further into the BPT token here: Klaytnscope. We are not entirely sure what the token is intended for, but there is a very strange function which allows any user to mint any number of tokens. If you check out the contract source at the above link, on L592 we have:
    function addTotalSupply(uint256 _value) public {
        // no access control: any caller credits itself and inflates the supply
        _balances[msg.sender] = _balances[msg.sender].add(_value);
        _totalSupply = _totalSupply.add(_value);
    }
For example, any user could invoke the function right now and add 10^255 tokens to their balance. This is likely a critical issue with the code.
⇒ In Q1 2021, the Klaytn team informed Quantstamp that it would report this issue to the BlockPet project. The same issue still persists. We recommend that the project team pay attention to this issue and fix it sooner rather than later.
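The checks described in the Summary (mint/burn events, overflow, supply changes) and the BPT finding above can be illustrated with a small replay checker. The following is an added example, not Quantstamp's RT-Monitor code and not any Klaytn or BlockPet contract. It assumes a simplified feed of ERC-20 style Transfer(from, to, value) events, each tagged with its block and the account that sent the transaction (a mint has from equal to the zero address, a burn has to equal to the zero address), plus totalSupply() readings taken per block. The addresses, values and the set of authorized minters below are constructed sample data.

```python
"""Replay Transfer events and compare them with on-chain totalSupply() readings.

Findings produced (all names assumed, not from any real monitoring product):
  unauthorized-mint : a mint whose transaction was sent by a non-authorized account
  supply-drift      : totalSupply() changed without matching Transfer events,
                      which is exactly what a function like addTotalSupply
                      (credits a balance, emits nothing) looks like from outside
  overflow/underflow: a balance that would not fit in uint256, the pattern of
                      the batch-overflow bug
"""
from dataclasses import dataclass

ZERO_ADDR = "0x" + "00" * 20
UINT256_MAX = 2**256 - 1


@dataclass(frozen=True)
class Transfer:
    block: int
    tx_sender: str  # account that sent the transaction (assumed to be available)
    frm: str        # Transfer event 'from'
    to: str         # Transfer event 'to'
    value: int


@dataclass(frozen=True)
class Finding:
    block: int
    kind: str
    detail: str


def _apply(t, balances, findings):
    """Replay one Transfer into the balance table; return the supply delta."""
    delta = 0
    if t.frm == ZERO_ADDR:
        delta += t.value
    else:
        new_from = balances.get(t.frm, 0) - t.value
        if new_from < 0:
            findings.append(Finding(t.block, "underflow",
                                    f"{t.frm} sends {t.value} with balance {balances.get(t.frm, 0)}"))
            new_from %= 2**256  # mirror unchecked wrap-around
        balances[t.frm] = new_from
    if t.to == ZERO_ADDR:
        delta -= t.value
    else:
        new_to = balances.get(t.to, 0) + t.value
        if new_to > UINT256_MAX:
            findings.append(Finding(t.block, "overflow", f"balance of {t.to} would exceed uint256"))
            new_to %= 2**256  # mirror unchecked wrap-around
        balances[t.to] = new_to
    return delta


def check_token(transfers, supply_snapshots, authorized_minters):
    """transfers: Transfer records; supply_snapshots: {block: totalSupply() read at that block};
    authorized_minters: accounts whose transactions may mint. Returns a list of Finding."""
    findings, balances, expected_supply = [], {}, 0
    queue = sorted(transfers, key=lambda t: t.block)
    i = 0
    for block in sorted(supply_snapshots):
        while i < len(queue) and queue[i].block <= block:
            t = queue[i]
            i += 1
            if t.frm == ZERO_ADDR and t.tx_sender not in authorized_minters:
                findings.append(Finding(t.block, "unauthorized-mint",
                                        f"{t.value} minted to {t.to} in a tx sent by {t.tx_sender}"))
            expected_supply += _apply(t, balances, findings)
        observed = supply_snapshots[block]
        if observed != expected_supply:
            findings.append(Finding(block, "supply-drift",
                                    f"totalSupply() reads {observed} but Transfer events account for {expected_supply}"))
    return findings


# Constructed sample: an authorized mint, a normal transfer, a silent supply bump
# at block 102 (no event, as addTotalSupply would produce), and a mint sent by
# an account that is not an authorized minter.
OWNER, ALICE, MALLORY = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
SAMPLE_TRANSFERS = [
    Transfer(100, OWNER, ZERO_ADDR, ALICE, 1_000),
    Transfer(101, ALICE, ALICE, MALLORY, 400),
    Transfer(103, MALLORY, ZERO_ADDR, MALLORY, 2**255),
]
SAMPLE_SUPPLY = {100: 1_000, 101: 1_000, 102: 1_000 + 10**30, 103: 1_000 + 10**30 + 2**255}


def run_sample():
    return check_token(SAMPLE_TRANSFERS, SAMPLE_SUPPLY, {OWNER})


if __name__ == "__main__":
    for f in run_sample():
        print(f"block {f.block}: {f.kind}: {f.detail}")
```

The supply-drift check is the one that catches a function like the BPT addTotalSupply: it changes _balances and _totalSupply but emits no Transfer, so the supply read from the chain stops agreeing with the event history. Restricting such a function to the contract owner (an onlyOwner-style modifier) removes the open-minting problem; the drift check remains useful afterwards, since it also flags silent supply changes made through any other path.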
[KSP, PXL] In Q2 2021, we noticed that ‘Checking failures’ had occurred with KSP and PXL, and recommended that the Klaytn team investigate the failures. The problems appear to have been fixed; the failures no longer occur.
Budget
- Q3 2021 Licensing Fee: 30,000 USD