{"id":248,"date":"2022-05-20T12:00:06","date_gmt":"2022-05-20T10:00:06","guid":{"rendered":"https:\/\/ackeeblockchain.com\/blog\/?p=248"},"modified":"2025-02-19T14:26:58","modified_gmt":"2025-02-19T12:26:58","slug":"helio-protocol-audit-summary","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/helio-protocol-audit-summary\/","title":{"rendered":"Helio Protocol Audit Summary"},"content":{"rendered":"<p><span style=\"font-weight: 400;\"><a href=\"https:\/\/www.hel.io\/\">Helio<\/a> engaged <a href=\"https:\/\/ackeeblockchain.com\/\">Ackee Blockchain<\/a>\u00a0to review and <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/audit\/\">audit<\/a> their protocol between <strong>May 16 and 20, 2022<\/strong>. The entire audit process was conducted with a total time commitment of <strong>5 engineering days<\/strong>.<\/span><span style=\"font-weight: 400;\"> We now publish a summary of our results.\u00a0<\/span><!--more--><\/p>\n<h4><b>Methodology<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">First, we took the time to understand the entire Helio platform.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Reviewing the specifications, sources, and instructions provided to us is essential to ensure we understand the project&#8217;s size, scope, and functionality. This is followed by a detailed manual code review, which is the process of reading the source code line by line to identify potential vulnerabilities.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">When the code review is complete, we run the client&#8217;s tests to ensure the system works as expected and, where needed, write missing unit or fuzz tests using our testing framework <\/span><a href=\"https:\/\/github.com\/Ackee-Blockchain\/trdelnik\"><span style=\"font-weight: 400;\">Trdelnik<\/span><\/a><span style=\"font-weight: 400;\">. 
We also deploy the programs locally and try to attack and break the system.\u00a0<\/span><\/p>\n<h4><b>Scope\u00a0<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">We audited commit <\/span><i><span style=\"font-weight: 400;\"><code class=\"codehl\">8a6b1a20551cde8cff68d55e43baa5524692e82c<\/code> <\/span><\/i><span style=\"font-weight: 400;\"> of the <code class=\"codehl\">heliofi\/helio-protocol<\/code><\/span><span style=\"font-weight: 400;\">\u00a0repository.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">During the security review of the <\/span><i><span style=\"font-weight: 400;\">helio-protocol<\/span><\/i><span style=\"font-weight: 400;\"> <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/solana-program\/\">program<\/a>, we paid particular attention to the following questions:<\/span><\/p>\n<ul>\n<li><span style=\"font-weight: 400;\">Is the correctness of the program ensured (does it correctly implement the project goals)?<\/span><\/li>\n<li><span style=\"font-weight: 400;\">Does the program correctly use the dependencies and other programs it relies on (e.g., SPL dependencies)?<\/span><\/li>\n<li><span style=\"font-weight: 400;\">Is the code vulnerable to economic attacks?<\/span><\/li>\n<\/ul>\n<h4><b>Findings<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Here we present our <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/findings\/\">findings<\/a>.<\/span><\/p>\n<h5><b>Critical severity\u00a0<\/b><\/h5>\n<p><b>C1:<\/b> <i><span style=\"font-weight: 400;\">withdraw_payment <\/span><\/i><span style=\"font-weight: 400;\">and <\/span><i><span style=\"font-weight: 400;\">cancel_payment <\/span><\/i><span style=\"font-weight: 400;\">instructions will not work after the pay stream ends\u00a0<\/span><\/p>\n<p><b>C2:<\/b><span style=\"font-weight: 400;\"> Possibility of stealing tokens from the escrow token account\u00a0<\/span><\/p>\n<p><b>C3:<\/b><span style=\"font-weight: 400;\"> Possibility of stuck tokens\u00a0<\/span><\/p>\n<p><b>C4:<\/b><span 
style=\"font-weight: 400;\"> Using the same struct for SOL payments as for token payments results in the possibility of a tokens lock attack\u00a0<\/span><\/p>\n<h5><b>High severity\u00a0<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">No high severity issues were found.<\/span><\/p>\n<h5><b>Medium severity<\/b><\/h5>\n<p><b>M1:<\/b><span style=\"font-weight: 400;\"> Hanging <\/span><i><span style=\"font-weight: 400;\">payment_token_account<\/span><\/i><span style=\"font-weight: 400;\">(s)\u00a0<\/span><\/p>\n<h5><b>Low severity<\/b><\/h5>\n<p><b>L1:<\/b><span style=\"font-weight: 400;\"> Using <\/span><i><span style=\"font-weight: 400;\">find_program_address <\/span><\/i><span style=\"font-weight: 400;\">instead of <\/span><i><span style=\"font-weight: 400;\">create_program_address<\/span><\/i><\/p>\n<h5><b>Warning severity\u00a0<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">No warning severity issues were found.<\/span><\/p>\n<h5><b>Informational severity\u00a0<\/b><\/h5>\n<p><b>I1:<\/b> <i><span style=\"font-weight: 400;\">PaymentAccount<\/span><\/i><span style=\"font-weight: 400;\"> struct has unused fields\u00a0<\/span><\/p>\n<p><b>I2:<\/b><span style=\"font-weight: 400;\"> Unnecessary mutable modifier\u00a0<\/span><\/p>\n<h4><b>Conclusion<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Our review resulted in <strong>8 findings<\/strong> ranging from <\/span><i><span style=\"font-weight: 400;\">Informational<\/span><\/i><span style=\"font-weight: 400;\"> to <\/span><i><span style=\"font-weight: 400;\">Critical<\/span><\/i><span style=\"font-weight: 400;\"> severity. 
Four of these issues were critical, causing either the lockup of assets or the possibility of stealing them.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The issues C1 and C2 were reported to Helio immediately upon discovery in a separate revision of this document (pre-audit version 0.1), even though the Helio protocol was not yet live.<\/span><\/p>\n<p><b>We recommended Helio<\/b><span style=\"font-weight: 400;\">:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">to address all reported issues;<\/span><\/li>\n<li><span style=\"font-weight: 400;\">to undergo another full audit once the issues are fixed (because the many critical issues meant we devoted a lot of the audit time to exploits);<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">to follow Rust and Solana\u2019s best practices.<\/span><\/li>\n<\/ul>\n<p><b>Update: <\/b><span style=\"font-weight: 400;\">On <\/span><b>July 22, 2022<\/b>,<span style=\"font-weight: 400;\"> Helio provided an updated codebase that <\/span><span style=\"font-weight: 400;\">acknowledged and fixed all<\/span><span style=\"font-weight: 400;\"> reported issues. 
During the fix review process, we found three additional informational issues.<\/span><\/p>\n<p><b>I3:<\/b><span style=\"font-weight: 400;\"> Anchor version mismatch<\/span><\/p>\n<p><b>I4: <\/b><span style=\"font-weight: 400;\">Impossible to build and test with a newer anchor version<\/span><\/p>\n<p><b>I5: <\/b><span style=\"font-weight: 400;\">A missing <\/span><i><span style=\"font-weight: 400;\">CHECK<\/span><\/i><span style=\"font-weight: 400;\"> doc comment<\/span><\/p>\n<p><span style=\"font-weight: 400;\">All of them have been reported to the Helio team.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><b>Ackee Blockchain&#8217;s full <em>Helio protocol<\/em> audit report with a more detailed description of all findings and recommendations can be found <\/b><a href=\"https:\/\/docs.hel.io\/security\"><strong>here<\/strong><\/a><b>.<\/b><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">We were delighted to audit<\/span><b> Helio<\/b><span style=\"font-weight: 400;\"> and look forward to working with them again.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Helio engaged Ackee Blockchain\u00a0to review and audit their protocol between May 16 and 20, 2022. The entire audit process was conducted with a total time commitment of 5 engineering days. 
We now publish a summary of our results.\u00a0<\/p>\n","protected":false},"author":11,"featured_media":275,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,5],"tags":[21,27,64,6],"class_list":["post-248","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audits","category-solana","tag-audit","tag-blockchain","tag-security","tag-solana"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/08\/ABCH-helio@2x-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/08\/ABCH-helio@2x-600x600.png","author_info":{"display_name":"Andrea Nov\u00e1kov\u00e1","author_link":"https:\/\/ackee.xyz\/blog\/author\/andrea-novakova\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/248","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=248"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/248\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/275"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=248"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=248"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=248"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}