Taycan Chain Security Audit Result and React

Taycan mainnet was reviewed for security through an audit specialist Slowmist and received a low-risk result, as shown in the audit report below.

Slowmist’s audit results point out the low-risk details as follows.

When using a contract for native token recharge, a malicious contract reversal can disrupt the transfer process. Still, an artificial recharge can occur if the transaction state is prosperous and no valid event judgment is performed.

Failed transactions are also bundled, and exchanges can experience “false charging” problems if the transaction status is not confirmed.

Weaknesses that may occur when making smart contracts, to prevent this problem, it is recommended to pay more attention when issuing tokens or contracts, in addition to judging whether the transaction is successful or not and whether the balance of the recharge wallet address is correctly increased. In addition, it is recommended that tokens or contracts created through the Taycan mainnet be reviewed for security through the audit.

Taycan is an EVM-compatible blockchain that can operate with RPC communication, RPC has a wallet function, and if the port is open for non-local access, an attacker can steal funds through the RPC port.

Taycan takes measures against the vulnerability of gold stealing through the RPC port by removing the wallet from the sentry node that RPC accesses by design, as shown in the figure above.

Most cryptocurrencies, such as Bitcoin and Ethereum, use a public key cryptographic system using elliptic curve cryptography using the secp256k1 standard, called ECDSA (Elliptic Curve Digital Signature Algorithm).

When signing a transaction in the Secp256k1 algorithm, the signature s,r value is used to obtain the transaction’s signature. The value of the reference point multiplied by a random number is called signature r, and the value obtained by subtracting the value obtained by serially sorting transaction information from the square of the random number and the product of the r value and the private key is removed and divided by n is called signature s. s and r are used in generating a signature when sending a coin and receiving and verifying the signature by the recipient. However, if a too high value of s is substituted, there is a risk of malleability in which the counterpart changes according to external conditions.

It is recommended not to use high values of s signatures when issuing transactions in Taycan.

At this time, receiving the hash does not mean that the transaction was successful, but users using the chain are always supposed to verify the result of the hash.

Therefore, we think a transaction replay attack is possible because an error message is not returned. Still, the same transaction is fundamentally blocked because the nonce value, the number of transaction occurrences, must be checked in the wallet when sending a transaction. With the option to verify that the transaction has been completed in the wallet we created and in the Metamask wallet (in the case of Ethereum, we check 5confirm), the issue is not a problem. This error is being defended at the wallet.

Related posts:

The power of silence is immeasurable. Silence is just the sound of your thoughts being spoken to you, in your voice. It’s not anything else, it’s just that. Silence has no power whatsoever on its…

Procrastination is a habit due to which procrastinator did not start work until the deadline arrives. how to kick the procrastination habit and eat a frog with a Pomodoro is a technique which helps…

Present Education system might be shocking to hear, but it is true that present education system is also responsible for Global Warming. Just because of different reptation of schools in most of the…