Breakpoint 2023: Back to The Future: What Bugs You Can Expect in Your Project

Summary

At Breakpoint 2023, Piotr Cielas, the Director of Security at Halborne, offered a comprehensive look at common vulnerabilities that appear in projects across various industries. He explained the universality of certain bugs irrespective of the particular market or industry and emphasized the importance of probability when predicting the future occurrence of these issues. Focusing on blockchain technology, he critiqued current security metrics for their lack of sophistication and offered Halborne's more nuanced approach, which adapts the Common Vulnerability Scoring System. He elaborated on the necessity to understand the nature of bugs, their likelihood, and potential impact, breaking down some Solana-specific examples of what could go wrong and how to prevent such occurrences.

Key Points:

The Prevalence of Reoccurring Bugs

Piotr Cielas shed light on how bugs tend to reoccur across various projects despite industry or product specificity. He suggests that an analysis of past bugs is critical in preventing future ones. He draws from Bayesian probability to argue that understanding existing data helps in projecting future occurrences with greater accuracy.

Critique of Current Security Metrics

Cielas discusses the inadequacy of current two-dimensional security metrics in capturing the complex nature of vulnerabilities. These metrics fall short when it comes to multidimensional evaluation, consequently offering limited information. They typically combine variables that should be independent, such as probability and impact, which can result in an oversimplified assessment.

Halborne's Blockchain Vulnerability Scoring System

Halborne's approach enriches the Common Vulnerability Scoring System (CVSS) with blockchain-specific metrics. The new system adds categories like deposit effect, yield effect, reversibility, and whether the issue is isolated or systemic. This nuanced breakdown fosters a better understanding of how vulnerabilities function in the blockchain environment.

Common Solana Vulnerabilities

Cielas explains the common vulnerabilities found in programs running on Solana and the importance of proper checks and validations to avoid them. He points out that bug prevention is essential—even for well-known issues—to maintain integrity and security in blockchain projects.

Facts + Figures

• Piotr Cielas is the Director of Security at Halborne, responsible for enterprise security and serving as a security engineer and advisor for blockchain projects.
• The talk focuses on using historical data to predict and prevent future security issues in projects.
• The Bayesian probability concept is highlighted as a mathematical approach to forecasting potential project vulnerabilities.
• Cielas critiques commonly used two-dimensional risk matrices for their oversimplified representation of risks.
• Halborne developed a Blockchain Vulnerability Scoring System, improving upon the CVSS by adding blockchain-specific metrics.
• One in five vulnerabilities has some impact on a project's deposit funds.
• If a vulnerability does affect the yield, 40% of the time, it can be devastating to the project.
• Integrity appears to be the most affected attribute by vulnerabilities in projects.
• Most attacks are simple to execute and predominantly involve local issues rather than systemic ones.
• Piotr Cielas discussed specific types of vulnerabilities related to Solana, such as account owner check missing and signer check missing.

Top quotes

• "We see, time and time again, there are similarities across projects."
• "The bugs that we see do seem to occur in projects regardless even of the industry and the product's fit in the market."
• "Convenience matters more, it's easier to convey the message to people that are not so fixed on mathematics."
• "We sort of took the best of both worlds and came up with a blockchain vulnerability scoring system."
• "Most of the attacks are rather simple to exploit."
• "Unfortunately, most of the attacks are irreversible, and there's nothing you can do to recover the funds."
• "Every single auditor that I've talked to, the very first advice that they give is never to forget the common Solana vulnerabilities."

Questions Answered

What is the main focus of Piotr Cielas's talk at Breakpoint 2023?

The main focus of Piotr Cielas's talk is to provide insight into common vulnerabilities across projects and industries and introduce a more sophisticated, blockchain-specific vulnerability scoring system to predict and prevent future security issues more effectively.

Why are current security metrics considered inadequate by Piotr Cielas?

Current two-dimensional security metrics are considered inadequate because they fail to capture the multifaceted nature of vulnerabilities and often mix independent variables, leading to oversimplified risk assessments. Piotr Cielas proposes a more comprehensive approach that takes into account various dimensions of blockchain-specific vulnerabilities.

How does Halborne's Blockchain Vulnerability Scoring System differ from CVSS?

Halborne's Blockchain Vulnerability Scoring System builds upon the Common Vulnerability Scoring System but includes additional categories tailored to blockchain-specific concerns, including deposit effect, yield effect, reversibility, and systemic impact, allowing for a deeper understanding and analysis of vulnerabilities in blockchain projects.

Why is it essential to understand common vulnerabilities in Solana-based programs?

Understanding common vulnerabilities in Solana-based programs is crucial because these bugs, if unchecked, can severely compromise the security of a blockchain project. Proper validation and checks can prevent these vulnerabilities and protect the integrity and funds within the ecosystem.

What practical advice does Piotr Cielas offer to prevent security breaches in blockchain projects?

Piotr Cielas advises that developers should not assume common vulnerabilities are universally addressed. Instead, they should actively include necessary validations and checks, such as signer verification and avoiding account type confusion, as part of their code to ensure the security and stability of blockchain projects.