SRLabs (security auditor) Introduction

Hi Everyone!

We, SRLabs, would like to introduce ourselves: as a security consultancy, we have been making the world more secure since 2010 — you can read more about us and our research on our website: https://www.srlabs.de. Originally specialising in telecommunications security, we now work with a wide range of clients and technologies, including blockchain.

We have been active in the Polkadot ecosystem since 2020; since then we have audited a number of parachains and independent Substrate-based blockchains, and have been continuously supporting Parity by auditing Substrate and Polkadot, as well as offering our security automation services in the Substrate Builders Program.

Starting with a 2-month baseline assurance audit in early 2022, followed by a continuous engagement since July, our blockchain team has been providing security auditing services to Centrifuge as well. Our work entails a hybrid approach of using dynamic, static and manual code analysis, as well as providing feedback on security-related design decisions.

In summary, during the baseline assurance audit earlier this year we identified 12 security vulnerabilities in total, most of which Centrifuge mitigated in a timely manner, including all of the high-severity issues. Among our findings there were best-practice deviations from the Substrate ecosystem standards (such as insufficient extrinsic weights and missing storage deposits), as well as bugs that could affect the core business logic of Centrifuge: as an example, an integer overflow bug allowed inverting the state of a loan and flagging healthy loans as unhealthy, which was mitigated by the Centrifuge team by using safe math. You can find more details in our report deliverable [1].

Pleasure to meet you all!

[1] security/SRLabs-baseline-report_2022.pdf at main · centrifuge/security · GitHub

6 Likes

Hi Mostafa,

Thanks for the audit report and the identification of some vulnerabilities in the code. To keep a protocol “bug-free” is especially important when financial assets are involved. Our investors and users of the protocol will be happy to see the improvements.

Will SRLabs make another audit in the future?

Hi Christian,
We have been providing continuous audit for Centrifuge since July this year.