Broken Access Control? No chance! See How QuillAudits Resolved 4 Critical Issues in Brahma Fi Console


From Broken Access Control to Seamless ENS Integration – See How QuillAudits Fortified Brahma Fi's Security!


Before QuillAudits

1. Broken Access Control: API endpoints lacked proper authentication and authorization, enabling unauthorized access and manipulation of user data.

2. ENS Inaccessibility: Users faced issues adding ENS names, as the system failed to process these inputs, hindering seamless contact management.

3. Missing Deletion Confirmation: Contact deletion lacked confirmation prompts, leading to accidental data loss for users.

4. Username Character Limit Bypass: The backend allowed excessively long usernames, bypassing frontend restrictions and risking system instability.

After QuillAudits

1. Secured Access Control: Implemented strict authentication and authorization mechanisms to prevent unauthorized access, ensuring sensitive user data remains protected.

2. ENS Functionality Restored: Fixed ENS integration to ensure smooth processing of ENS names, allowing users to manage contacts without errors.

3. Contact Deletion Confirmation: Introduced confirmation prompts before deletion to prevent accidental loss of user data.

4. Enforced Username Limits: Fixed backend validation to align with frontend limits, preventing system abuse and ensuring stability.

Brahma Fi Console operates as a sophisticated modular infrastructure, designed to optimize decentralized financial operations with a focus on automation, user accessibility, and streamlined asset management. By leveraging advanced smart contract frameworks, Brahma facilitates seamless user interactions for portfolio management, liquidity aggregation, and reward distribution across various blockchain ecosystems.

Redefining DeFi Efficiency with Brahma Fi

Brahma Fi envisions transforming decentralized finance by delivering secure, efficient, and user-friendly solutions tailored for both individual and institutional participants. With a focus on scalability, automation, and precision, Brahma aims to simplify DeFi participation through robust infrastructure and seamless user experiences.

By minimizing inefficiencies and prioritizing operational reliability, Brahma Fi enables optimized token management, secure fund routing, and efficient gas usage, empowering users to interact confidently with DeFi protocols.

Enhancing Brahma’s Security and Reliability

During our audit, we identified critical issues impacting Brahma Fi's operational integrity, including broken access controls, ENS integration failures, and backend inefficiencies in contact management processes.

Prior to commencing the security assessment of BrahmaFi's decentralized application (dApp), the development team highlighted several critical areas of concern that warranted thorough examination. Their primary focus centered around two fundamental aspects of the platform's architecture:

Core Infrastructure Security

Authentication Mechanism Assessment

The team emphasized the necessity of a comprehensive review of their user authentication system. This included evaluation of:

  • Token-based authentication implementation
  • Session management and timeout mechanisms
  • Multi-factor authentication protocols
  • Key management and storage practices
  • Wallet connection security measures

Third-Party dApp Interactions

A significant portion of BrahmaFi's functionality relies on interactions with external decentralized applications. The team requested particular attention to:

  • Smart contract interaction validation
  • External call security measures
  • Transaction signing procedures
  • Data validation for cross-platform communications

Requested Attack Vector Analysis

The BrahmaFi team specifically requested thorough testing against several high-priority attack vectors:

  1. Cross-Site Scripting (XSS): Given the platform's web-based interface and interaction with multiple domains, XSS vulnerabilities could expose users to malicious script injection and unauthorized account access.
  2. SQL Injection: Despite being a blockchain-based application, the platform's supporting infrastructure includes traditional databases that require protection against injection attacks.
  3. Account Takeover Scenarios: The team emphasized the importance of identifying any vulnerabilities that could lead to unauthorized account control, including:
    • Weak authentication bypass methods
    • Session hijacking opportunities
    • Compromised key recovery processes
  4. Unauthorized Account Access: A detailed examination of access control mechanisms was requested to ensure proper implementation of privilege boundaries and user permission systems.
  5. Fund Security: As a financial platform, preventing potential loss of user funds was paramount. This included analysis of:
    • Transaction validation mechanisms
    • Smart contract interaction security
    • Fund withdrawal processes
    • Emergency fund recovery procedures

Brahma Fi's Journey Through Our Audit Process

Our comprehensive audit was executed through the following steps:

  1. Information Gathering:
    • Collected and reviewed all relevant documentation, including the whitepaper, technical specifications, and design documents.
    • Obtained a clear understanding of the Brahma Fi Console's functionality and intended user interactions.
    • Discussed client concerns and specific areas of focus for the audit.
  2. Manual Code Review:
    • Conducted a line-by-line review of the smart contract code, focusing on:
      • Vulnerability identification: searching for known vulnerabilities such as reentrancy, front-running, integer overflows, and access control issues.
      • Logic flaws: identifying inconsistencies or unintended behaviours in the code logic.
  3. Automated Testing:

Burp Suite Professional:

  • Active Scan Configuration: Custom scan policies focused on Web3 vulnerabilities

Automated API Testing:

  • Rate limiting verification
  • Input validation checks
  • Authentication bypass attempts

Session Management:

  • Token strength analysis
  • Session fixation tests
  • Concurrent session handling

Automated Scan Coverage:

  • Full crawl of authenticated and unauthenticated states
  • API endpoint fuzzing
  • Session token analysis

Key Tests:

  • Business Logic Vulnerabilities
  • Authentication and Authorization Flaws
  • Insecure Direct Object References (IDOR)
  • CSRF (Cross-Site Request Forgery) Testing
  • File Upload and Inclusion Vulnerabilities
  • API Security Testing
  • Insecure Deserialization
  • Sensitive Data Exposure
  • Rate Limiting and Throttling Bypass
  • Improper Input Validation
  • Privilege Escalation
  • Security Misconfiguration
  • Clickjacking Protection
  • Open Redirects
  • Cryptographic Implementation Flaws
  • Broken Object Level Authorization (BOLA)
  • Insufficient Logging and Monitoring
  • Server-Side Request Forgery (SSRF)
  • Memory and Buffer Overflow Issues
  • Insecure Use of Third-Party Libraries
  • Directory Traversal Vulnerabilities
  • Cross-site scripting (XSS) vectors
  • Session management flaws
  • Access control testing
  • SQL injection

Nmap Security Scanning

Service Detection:

  • Port scanning and service enumeration
  • SSL/TLS configuration analysis
  • Script engine testing

Custom Testing Scripts

  • Subdomain- and IP-based testing:
  • WAF bypass
  • Authorization bypass to obtain admin privileges
  • Automated CSRF Exploitation
  • Business Logic Testing with Custom Workflow Rules
  • Rate Limiting Bypass on Public Nodes
  • Private Key Leakage Testing
  • Unauthorized Transaction Injection
  • Data Tampering in State Updates
  • Mismatch Between Off-Chain and On-Chain Operations
  • Incorrect Cryptographic Signature Verification
  • Replay Attacks on Wallet Transactions
  • Weak Random Number Generation for Nonces
  • Security of Mnemonic Phrases
  • Delay or Stale Data Injection
  4. Reporting & Remediation:
    • Prepared a detailed report outlining all identified vulnerabilities, categorized by severity and potential impact.
    • Provided clear recommendations for fixing each vulnerability, including code snippets and best practices.
    • Collaborated with the Brahma Fi team to prioritize and address the identified issues.
    • Conducted additional verification testing after vulnerability fixes were implemented.

QuillAudits' Strategic Approach to Brahma Fi’s Security Audits

Our approach to auditing Brahma Fi Console combined a security-first mindset, comprehensive threat modeling, and rigorous testing methodologies. By leveraging both white-box and black-box testing techniques, we conducted an in-depth assessment of the system. Throughout the process, we maintained transparency and clear communication with the Brahma Fi team, ensuring a collaborative and thorough security review.

Comprehensive Audit Discoveries and Remediation Strategies

Our comprehensive audit of these contracts revealed a total of 4 issues, categorised by severity:

  • Medium Severity Issues (1): These issues pose a moderate risk and should be addressed promptly.
  • Low Severity Issues (3): These findings provide valuable insights and recommendations for improvement.

The critical issues discovered during the audit are particularly interesting and demonstrate the complexity of Brahma Fi's smart contracts.

Here is a breakdown of the critical vulnerabilities in audit discoveries and remediation strategies:

Audit Findings

1. Broken Access Control

Description: The application suffers from a critical vulnerability in its API endpoints. Certain endpoints lack proper authentication and authorization mechanisms, allowing unauthorized access and manipulation of sensitive user data. Attackers can exploit this vulnerability to:

  • Unauthorized Access to Sensitive Data: Gain access to data that they are not entitled to.
  • Privilege Escalation: Elevate their privileges within the application.
  • Modification of Other Users' Accounts: Modify or delete other users' accounts and data.

2. ENS Inaccessibility

Description: The application's contact addition feature is hindered by a technical issue. While it allows users to input ENS names for addresses, the system fails to process these inputs, leading to errors and preventing the successful addition of contacts.

3. Lack of Contact Deletion Confirmation

Description: The application's contact deletion functionality lacks a crucial security measure: confirmation. Except for the first two contacts, any subsequent contact can be deleted without user confirmation, potentially leading to accidental data loss.

4. Username Character Limit Bypass

Description: A vulnerability exists in the application's backend that allows users to bypass the frontend's username character limit. By manipulating the request, attackers can input excessively long usernames, potentially leading to system instability or unexpected behavior.

Remediation Strategies

1. Broken Access Control

To mitigate the broken access control issue, we implemented a comprehensive solution that enforces strict authentication across all API endpoints. We introduced role-based access control (RBAC) to limit user privileges according to their defined roles, ensuring that users only have access to data and actions appropriate to their level of authorization.

Checks were added to ensure that users could only modify or delete their own data. Unauthorized actions are now logged, and any attempts to access data without proper authorization are immediately blocked.
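The three layers described above (authentication, role-based permissions, and an ownership check on the specific record, with every refusal logged) sketched as an added example; this is not Brahma Fi's code, and the session store, roles, contact rows and log sink are constructed stand-ins:

```javascript
// Added example, not Brahma Fi's code: an authorization layer for a contacts
// API enforcing authentication, role permissions and object-level ownership.
const ROLE_PERMISSIONS = {
  user: new Set(["contact:read", "contact:write", "contact:delete"]),
  admin: new Set(["contact:read", "contact:write", "contact:delete", "user:suspend"]),
};
// Server-side session store (token -> identity); identity never comes from the request body.
const SESSIONS = new Map([
  ["tok-alice", { userId: "alice", role: "user" }],
  ["tok-bob", { userId: "bob", role: "user" }],
  ["tok-root", { userId: "root", role: "admin" }],
]);
const CONTACTS = new Map([
  ["c1", { id: "c1", ownerId: "alice", name: "Exchange hot wallet" }],
  ["c2", { id: "c2", ownerId: "bob", name: "Treasury" }],
]);
const deniedLog = []; // stand-in for the audit log sink

function deny(req, session, action, resourceId, reason) {
  deniedLog.push({ at: new Date().toISOString(), ip: req.ip,
    userId: session ? session.userId : null, action, resourceId, reason });
  return { allowed: false, status: session ? 403 : 401, reason };
}

// Returns { allowed, status?, userId? }. All three checks run on every call.
function authorize(req, action, resource) {
  const auth = (req.headers && req.headers.authorization) || "";
  const session = SESSIONS.get(auth.replace(/^Bearer /, ""));
  if (!session) return deny(req, null, action, resource.id, "unauthenticated");
  const perms = ROLE_PERMISSIONS[session.role] || new Set();
  if (!perms.has(action)) return deny(req, session, action, resource.id, "role lacks permission");
  // Object-level check (BOLA/IDOR): a plain user may only touch rows they own.
  if (session.role !== "admin" && resource.ownerId !== session.userId) {
    return deny(req, session, action, resource.id, "not owner");
  }
  return { allowed: true, userId: session.userId };
}

// DELETE /contacts/:id handler. The ownership check uses the stored row,
// not any owner field the client may have sent along.
function deleteContact(req, contactId) {
  const contact = CONTACTS.get(contactId) || { id: contactId, ownerId: null };
  const decision = authorize(req, "contact:delete", contact);
  if (!decision.allowed) return { status: decision.status, body: { error: decision.status === 401 ? "authentication required" : "forbidden" } };
  if (!CONTACTS.has(contactId)) return { status: 404, body: { error: "not found" } };
  CONTACTS.delete(contactId);
  return { status: 200, body: { deleted: contactId } };
}
```

A non-admin asking for a contact id that is not theirs (or does not exist) gets the same 403, so the endpoint does not reveal which ids exist.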

2. ENS Inaccessibility

The issue with the ENS contact addition feature was addressed by integrating a reliable ENS resolution library. This library now processes and resolves ENS names to Ethereum addresses correctly, allowing users to add contacts based on their ENS names without error.

If an ENS name cannot be resolved, the system now provides users with clear, informative error messages rather than simply failing or crashing.
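The contact-addition path described above, as an added example rather than Brahma Fi's code: input is classified as a 0x address or an ENS name, names go through a resolver function that is injected (the real app would pass the ENS library's resolver; here a constructed lookup table stands in), and an unresolvable name or a resolver failure comes back as a clear error instead of a crash:

```javascript
// Added example, not Brahma Fi's code: contact input handling for hex addresses
// and ENS names, with explicit errors for unresolvable names.
const HEX_ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;
// Loose ENS shape check (dot-separated labels ending in .eth). Full name
// normalisation (ENSIP-15) is the resolver library's job, not this code's.
const ENS_NAME_RE = /^[a-z0-9-]+(\.[a-z0-9-]+)*\.eth$/i;

function classifyAddressInput(input) {
  const value = String(input == null ? "" : input).trim();
  if (HEX_ADDRESS_RE.test(value)) return { kind: "address", value: value.toLowerCase() };
  if (ENS_NAME_RE.test(value)) return { kind: "ens", value: value.toLowerCase() };
  return { kind: "invalid", value };
}

// resolveEns(name) returns a 0x address or null and may throw on network
// errors; in the app it would wrap the ENS library's resolver.
function addContact(contacts, input, resolveEns) {
  const parsed = classifyAddressInput(input);
  if (parsed.kind === "invalid") {
    return { ok: false, error: `"${parsed.value}" is neither a 0x address nor an ENS name` };
  }
  let address = parsed.value;
  if (parsed.kind === "ens") {
    let resolved;
    try {
      resolved = resolveEns(parsed.value);
    } catch (e) {
      return { ok: false, error: `ENS lookup for ${parsed.value} failed: ${e.message}` };
    }
    // A name with no address record, or a malformed resolver answer, is a user-facing error.
    if (!resolved || !HEX_ADDRESS_RE.test(resolved)) {
      return { ok: false, error: `${parsed.value} does not resolve to an address` };
    }
    address = resolved.toLowerCase();
  }
  contacts.push({ label: parsed.value, address });
  return { ok: true, address };
}

// Constructed resolver standing in for a real ENS lookup (hypothetical data).
const FAKE_ENS_TABLE = { "alice.eth": "0x" + "11".repeat(20) };
function fakeResolveEns(name) {
  if (name === "down.eth") throw new Error("provider unreachable");
  return FAKE_ENS_TABLE[name] || null;
}
```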

3. Lack of Contact Deletion Confirmation

To prevent accidental deletions, we introduced a mandatory confirmation step for deleting contacts. Now, every time a user attempts to delete a contact, they are prompted with a confirmation dialog to verify that they intend to proceed.

4. Username Character Limit Bypass

To address the issue with the username character limit bypass, we reinforced the backend validation to strictly enforce the character limits for usernames. Now, the backend checks every incoming request to ensure the username adheres to the set character limit, thus preventing any overly long usernames from being submitted. On the database side, we added constraints to guarantee that the character limit is respected at all levels, even if an attacker manages to bypass the frontend validation.
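The two-layer fix described above, as an added example that is not Brahma Fi's code: the server re-checks the limit on every request with the same bounds the frontend uses (the 3 to 20 character range is an assumed value), and the same bounds are declared as database constraints so a bypassed handler still cannot persist an over-long username:

```javascript
// Added example, not Brahma Fi's code: server-side username validation that
// mirrors the frontend limit, plus the database constraint that backs it up.
const USERNAME_MIN = 3;
const USERNAME_MAX = 20; // assumed value; must equal the limit the frontend enforces
const USERNAME_RE = /^[A-Za-z0-9_]+$/;

// Length is counted in code points (Array.from), not UTF-16 code units
// (a single emoji has .length 2), so the count matches char_length() in the database.
function validateUsername(raw) {
  if (typeof raw !== "string") return { ok: false, error: "username must be a string" };
  const username = raw.trim();
  const length = Array.from(username).length;
  if (length < USERNAME_MIN || length > USERNAME_MAX) {
    return { ok: false, error: `username must be ${USERNAME_MIN} to ${USERNAME_MAX} characters` };
  }
  if (!USERNAME_RE.test(username)) {
    return { ok: false, error: "username may contain only letters, digits and underscore" };
  }
  return { ok: true, username };
}

// Runs on every request: the server never assumes the frontend already
// checked, and rejects with 400 instead of silently truncating.
function handleSetUsername(body) {
  const result = validateUsername(body ? body.username : undefined);
  if (!result.ok) return { status: 400, body: { error: result.error } };
  return { status: 200, body: { username: result.username } };
}

// Defence in depth: the same limits as database constraints (PostgreSQL
// syntax, shown as a string), so a bypassed or regressed handler still
// cannot persist an over-long or malformed username.
const USERNAME_CONSTRAINTS_SQL = `
ALTER TABLE users
  ADD CONSTRAINT users_username_len
    CHECK (char_length(username) BETWEEN ${USERNAME_MIN} AND ${USERNAME_MAX}),
  ADD CONSTRAINT users_username_chars
    CHECK (username ~ '^[A-Za-z0-9_]+$');
`;
```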

Impressed by our findings and recommendations, the Brahma Fi developers promptly fixed all identified vulnerabilities.

Through our collaborative efforts, the Brahma Fi Console project is now significantly more secure, ensuring the protection of user funds.

Conclusion

The Brahma Fi Console dApp pentest identified and addressed critical vulnerabilities, protecting user funds and ensuring platform stability. This case study demonstrates the importance of proactive security measures for blockchain-based projects, especially those dealing with financial assets. By conducting audits and addressing identified issues, the Brahma Fi team has taken a significant step towards securing its platform and safeguarding user trust.
