{"id":271,"date":"2022-07-22T12:00:42","date_gmt":"2022-07-22T10:00:42","guid":{"rendered":"https:\/\/ackeeblockchain.com\/blog\/?p=271"},"modified":"2025-02-19T14:02:21","modified_gmt":"2025-02-19T12:02:21","slug":"neon-labs-spl-governance-contract-audit-summary","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/neon-labs-spl-governance-contract-audit-summary\/","title":{"rendered":"Neon Labs: SPL Governance Audit Summary"},"content":{"rendered":"<p><span style=\"font-weight: 400;\"><a href=\"https:\/\/www.hel.io\/\">Neon Labs<\/a> engaged <a href=\"https:\/\/ackeeblockchain.com\/\">Ackee Blockchain<\/a>\u00a0to review and <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/audit\/\">audit<\/a> their <\/span>SPL Governance contract between <strong>June 27 and July 22, 2022<\/strong>. The entire audit process was conducted with a total time commitment of<strong> 26 <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/engineering-days\/\">engineering days<\/a><\/strong>. We now publish a summary of our results.<!--more--><\/p>\n<h4><b>Methodology<\/b><\/h4>\n<div class=\"page\" title=\"Page 7\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<p>The beginning of the audit was dedicated to understanding the SPL Governance program.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<p><span style=\"font-weight: 400;\">Reviewing the specifications, sources, and instructions provided to us is essential to ensure we understand the project&#8217;s size, scope, and functionality. 
This is followed by a detailed manual code review, which is the process of reading the source code line by line to identify potential vulnerabilities.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">When the code review is complete, we run the client&#8217;s tests to ensure the system works as expected and potentially write missing unit or fuzz tests using our testing framework <\/span><a href=\"https:\/\/github.com\/Ackee-Blockchain\/trdelnik\"><span style=\"font-weight: 400;\">Trdelnik<\/span><\/a><span style=\"font-weight: 400;\">. We also deploy the programs locally and try to attack and break the system.\u00a0<\/span><\/p>\n<h4><b>Scope\u00a0<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">We audited commit <\/span><em>f13d7e7c1507819306797688ce0bb1f6950a5038 <\/em><span style=\"font-weight: 400;\">of the <a href=\"https:\/\/github.com\/neonlabsorg\/neon-spl-governance\">neonlabsorg\/neon-spl-governance<\/a><\/span> repository, specifically the <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/solana-program\/\">programs<\/a>: <em>maintanance\/program, addin-fixed-weights\/program, addin-vesting\/program, governance-lib<\/em>.<\/p>\n<p><span style=\"font-weight: 400;\">During the security review<\/span><span style=\"font-weight: 400;\">, we paid particular attention to the following questions:<\/span><\/p>\n<ul>\n<li>Is the correctness of the custom addins ensured (do they correctly implement the spl-governance contract specification)?<\/li>\n<li>Do the programs correctly use the dependencies and other programs they rely on (e.g., SPL dependencies)?<\/li>\n<li>Is the code vulnerable to voting manipulation?<\/li>\n<\/ul>\n<h4><b>Findings<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Here we present our <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/findings\/\">findings<\/a>.<\/span><\/p>\n<h5><b>Critical severity\u00a0<\/b><\/h5>\n<div class=\"page\" title=\"Page 13\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div 
class=\"column\">\n<p><strong>C1:<\/strong> Possibility to manipulate a voting process while using the fixed-weights addin<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"page\" title=\"Page 13\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<p><strong>C2:<\/strong> When using the addin-vesting (for realm), the first user will be able to decide on any proposal after his deposit<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<h5><b>High severity\u00a0<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">No high severity issues were found.<\/span><\/p>\n<h5><b>Medium severity<\/b><\/h5>\n<div class=\"page\" title=\"Page 13\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<p><strong>M1:<\/strong> Possibility to decide on a proposal without a sufficient voting weight<\/p>\n<div class=\"page\" title=\"Page 14\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<p><strong>M2:<\/strong> Possibility of a DoS attack that prevents the creation of a valid maintenance record<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<h5><b>Low severity<\/b><\/h5>\n<div class=\"page\" title=\"Page 14\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<p><strong>L1:<\/strong> Using <span style=\"color: #0000ff;\">find_program_address<\/span> instead of <span style=\"color: #0000ff;\">create_program_address <\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<h5><b>Warning severity\u00a0<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">No warning severity issues were found.<\/span><\/p>\n<h5><b>Informational severity\u00a0<\/b><\/h5>\n<div class=\"page\" title=\"Page 14\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<p><strong>I1:<\/strong> Unused account<\/p>\n<div class=\"page\" title=\"Page 14\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<p><strong>I2:<\/strong> 
Misleading docs<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"page\" title=\"Page 14\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<p><strong>I3:<\/strong> Hanging accounts<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<h4><b>Conclusion<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Our review resulted in <strong>8 findings<\/strong> ranging from <\/span><i><span style=\"font-weight: 400;\">Informational<\/span><\/i><span style=\"font-weight: 400;\"> to <\/span><i><span style=\"font-weight: 400;\">Critical<\/span><\/i><span style=\"font-weight: 400;\"> severity. <\/span><\/p>\n<p>The most severe one (C1) would allow the attacker to increase the weight of their vote to such an extent that they could practically decide on any proposal themselves. It was immediately reported to the client.<\/p>\n<div class=\"page\" title=\"Page 9\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<p><strong>We recommended Neon Labs to:<\/strong><\/p>\n<ul>\n<li>address all reported issues;<\/li>\n<li>monitor the SPL governance program and apply major changes in the future, as the program is still in active development.<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n<p><b>Update:<\/b> On <strong>September 5<\/strong><b>, 2022<\/b>, Neon Labs provided an updated codebase that addresses the reported issues. All of the findings were acknowledged and some of them fixed (C1, M2, I1, I2, partially I3). 
A detailed discussion of the exact status of each issue can be found in Appendix A of the report.<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: left;\"><b>Ackee Blockchain&#8217;s full <em>SPL Governance contract<\/em>\u00a0audit report with a more detailed description of all findings and recommendations can be found <\/b><a href=\"https:\/\/github.com\/neonlabsorg\/neon-spl-governance\/blob\/main\/audit\/20220906-AckeeBlockchain.pdf\"><strong>here<\/strong><\/a><b>.<\/b><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">We were delighted to audit<\/span><b> Neon Labs<\/b><span style=\"font-weight: 400;\">\u00a0and look forward to working with them again.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Neon Labs engaged Ackee Blockchain\u00a0to review and audit their SPL Governance contract between June 27 and July 22, 2022. The entire audit process was conducted with a total time commitment of 26 engineering days. We now publish a summary of our results.<\/p>\n","protected":false},"author":11,"featured_media":370,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,5],"tags":[21,27,26,52,64,6,19],"class_list":["post-271","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audits","category-solana","tag-audit","tag-blockchain","tag-cryptocurrency","tag-findings","tag-security","tag-solana","tag-solana-security"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/09\/Neon-Cover-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/09\/Neon-Cover-600x600.png","author_info":{"display_name":"Andrea 
Nov\u00e1kov\u00e1","author_link":"https:\/\/ackee.xyz\/blog\/author\/andrea-novakova\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/271","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=271"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/271\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/370"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=271"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=271"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=271"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}