Author: ArweaveB

Translation: Haocheng Xu

Reviewer: Kyle

Source: Content Guild - Translation

The ArConnect project announced that it has completed an audit of its source code and successfully fixed the issues that were exposed.

ArConnect, the leading wallet in the Arweave ecosystem, was the first wallet to undergo a security audit, in August 2023. The project said the second audit was conducted in April 2024 over a 12-day period, with security as the top priority.

Community Labs CEO Tate Berenbaum called the report "solid" and said it was "far more important than any usage metric."

The latest audit was conducted by Spearbit and Open Security, and its results were published in the Open Security Risk Assessment. The purpose of the audit was to identify potential methods of attack against the ArConnect browser extension that could be exploited by any external party.

The report states that the audit used a methodology developed by the Open Web Application Security Project (OWASP). The entire audit was conducted on the Google Chrome browser with the development version of the ArConnect browser extension installed.

The auditors developed a custom malicious proof-of-concept for testing suspected vulnerabilities. They also modified and tested a development version of the Connect browser extension with maliciously modified source code, hosted a web server with a malicious payload, and debugged the browser extension.

The security audit found zero critical risks, one high risk, and five informational vulnerabilities. However, the report states that all of the issues found have been fixed, leaving only findings of informational severity.

In describing the open source dependency vulnerabilities rated as high risk in the audit, auditors noted that the security of dependencies is also part of the software supply chain and is a major attack surface. The report states that the supply chain can impact the security of a product at any time during the development process, either through malware that attacks the developer tools themselves or by simply introducing vulnerabilities into the software.

“ArConnect’s primary risk stems from vulnerabilities in open source dependencies,” the auditors noted, adding that “Community Labs must continuously update and apply upstream patches to open source dependencies to prevent supply chain attacks.”

Auditors also recommended code changes to strengthen the Connect browser extension.
