Quantstamp_RT-Monitor_Progress Report_Q2 2021

Summary

Quantstamp provides a Real-Time Security Monitoring Solution (RT-Monitor) that detects abnormal transactions on the Klaytn blockchain. The analyses were customized to Klaytn's requirements and on the advice of the Klaytn team, resulting in a new way of analyzing Klaytn tokens and smart contracts.

RT-Monitor watches for overflow issues (which may arise from malicious minting or the batch-overflow bug), mint/burn events, and contract owner changes. RT-Monitor has been in production for Klaytn since December 2020, giving Klaytn enhanced security monitoring capabilities. The Klaytn ecosystem and its users benefit from Quantstamp's experience as researchers, software engineers, and security auditors: the processes and models Quantstamp has found to work best for real-time monitoring and other security measures are implemented in the Klaytn real-time security monitoring solution.

This progress report summarizes the major maintenance and support activities during the second quarter of 2021.

Project Milestones and Schedule

Continued maintenance of the Real-Time Security Monitoring Solution.

Key Deliverables

Status Update

Monitored Tokens: 21

ABL, att, BFCK, BPT, CLBK, COSM, DTA, ISR, KSP, KDAI, MNR, KETH, KORC, KUSDT, KWBTC, PXL, WIKEN, SSX, TEMCO, KUSD, SKLAY

Maintenance & Support:

● Quantstamp changed the alert recipients of the RT-Monitor to reflect roles-and-responsibilities (R&R) changes in the Ground X team:
Remove: noel.baek@groundx.xyz
Add: uno.lee@groundx.xyz; benson.byun@groundx.xyz

● Checks failed for the following contracts:

[SKLAY] The Klaytn team previously responded that "SKLAY is minted by staking KLAY on https://klaystation.io/, so its behavior of supply changes is normal."

[BPT] In Q1 the Quantstamp team looked further into the BPT token here: Klaytnscope. We are not entirely sure what the token is intended for, but it contains a very strange function that allows any user to mint any number of tokens. In the contract source at the above link, on L592 we have:

    function addTotalSupply(uint256 _value) public {
        _balances[msg.sender] = _balances[msg.sender].add(_value);
        _totalSupply = _totalSupply.add(_value);
    }

○ The function has no access control, so any account can call it right now and credit itself with an arbitrarily large balance (any amount up to the uint256 limit that does not make the SafeMath add revert), increasing _totalSupply by the same amount. No Transfer event is emitted, so the mint is invisible to event-based monitoring and shows up only as an unexplained change in totalSupply. This is likely a critical issue with the code.
⇒ In Q1 2021, the Klaytn team informed Quantstamp that it would report this issue to the BlockPet project. Follow-up is needed to confirm that the issue has been resolved.
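The checks the Summary lists (overflow, mint/burn events, owner changes) and the BPT finding above can both be expressed as one per-block invariant: the change in totalSupply between two blocks must equal mints minus burns seen in Transfer events, computed without uint256 wrap-around. The following is an added illustration written for this report, not Quantstamp's RT-Monitor code. The Snapshot and Transfer records, the addresses, and the sample block history are constructed; a real monitor would fill them from block receipts and from reads of totalSupply() and owner().

```python
"""Per-block supply/ownership invariant checks for an ERC-20 / KIP-7 token.

Added illustration for this report, not Quantstamp's RT-Monitor code.  All
records below are constructed; a real monitor would populate them from
Transfer logs in block receipts and from eth_call reads of totalSupply()
and owner().
"""
from dataclasses import dataclass, field
from typing import List, Tuple

ZERO_ADDRESS = "0x" + "0" * 40
UINT256_MOD = 2**256
MAX_UINT256 = UINT256_MOD - 1


@dataclass
class Transfer:
    """One Transfer(from, to, value) event; from == 0x0 is a mint, to == 0x0 a burn."""
    src: str
    dst: str
    value: int


@dataclass
class Snapshot:
    """Token state observed at the end of one block."""
    block: int
    total_supply: int          # totalSupply() as read on-chain (already wrapped to uint256)
    owner: str                 # owner() as read on-chain
    transfers: List[Transfer] = field(default_factory=list)


Alert = Tuple[str, str]        # (severity, message)


def check_block(prev: Snapshot, cur: Snapshot) -> List[Alert]:
    """Compare two consecutive snapshots and return the alerts they raise."""
    alerts: List[Alert] = []
    minted = sum(t.value for t in cur.transfers if t.src == ZERO_ADDRESS)
    burned = sum(t.value for t in cur.transfers if t.dst == ZERO_ADDRESS)

    # Mint/burn events are reported as informational so an operator can
    # confirm they are expected (e.g. SKLAY minted by staking).
    if minted:
        alerts.append(("info", f"block {cur.block}: {minted} tokens minted"))
    if burned:
        alerts.append(("info", f"block {cur.block}: {burned} tokens burned"))

    # Supply arithmetic uses unbounded Python ints so that a wrap the
    # contract would perform silently becomes visible here.
    expected = prev.total_supply + minted - burned
    if expected > MAX_UINT256:
        alerts.append(("critical",
                       f"block {cur.block}: mints push totalSupply past 2**256-1 "
                       f"(batch-overflow pattern); on-chain value wrapped to {cur.total_supply}"))
    elif expected < 0:
        alerts.append(("critical", f"block {cur.block}: burns exceed previous totalSupply"))

    # A change in totalSupply not explained by Transfer events means supply
    # was mutated through another path (the BPT addTotalSupply case, which
    # emits no event).
    if cur.total_supply != expected % UINT256_MOD:
        delta = cur.total_supply - prev.total_supply
        alerts.append(("critical",
                       f"block {cur.block}: totalSupply changed by {delta:+d} but "
                       f"Transfer events account for {minted - burned:+d}"))

    if cur.owner != prev.owner:
        alerts.append(("warning", f"block {cur.block}: owner changed {prev.owner} -> {cur.owner}"))
    return alerts


def scan(snapshots: List[Snapshot]) -> List[Alert]:
    """Run check_block over every consecutive pair of snapshots."""
    out: List[Alert] = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        out.extend(check_block(prev, cur))
    return out


# Constructed sample history (hypothetical addresses, not real Klaytn data).
OWNER = "0x" + "aa" * 20
ALICE = "0x" + "bb" * 20
MALLORY = "0x" + "cc" * 20

SAMPLE = [
    Snapshot(100, 1_000_000, OWNER),
    # normal mint of 1000 with a matching Transfer from 0x0
    Snapshot(101, 1_001_000, OWNER, [Transfer(ZERO_ADDRESS, ALICE, 1_000)]),
    # supply jumps with no event at all: the addTotalSupply pattern
    Snapshot(102, 1_001_000 + 10**30, OWNER),
    # ownership handed to a new address
    Snapshot(103, 1_001_000 + 10**30, MALLORY),
    # a mint of 2**256-1 wraps the on-chain counter back below its previous value
    Snapshot(104, (1_001_000 + 10**30 + MAX_UINT256) % UINT256_MOD, MALLORY,
             [Transfer(ZERO_ADDRESS, MALLORY, MAX_UINT256)]),
]

if __name__ == "__main__":
    for severity, msg in scan(SAMPLE):
        print(f"[{severity}] {msg}")
```

Running the sample yields one informational mint alert for block 101, a critical unexplained-supply alert for block 102, an owner-change warning for block 103, and for block 104 both a mint notice and a critical overflow alert; note that in the overflow case the wrapped on-chain totalSupply still matches the wrapped expectation, so only the unbounded-integer comparison catches it.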

[KSP, PXL] Quantstamp recommends that the Klaytn team investigate these check failures.

Budget

● Q2 2021 Licensing Fee: 30,000 USD