The test helped bring the security of the service to a new level and protect the system from possible attacks.
One of the key requirements for our voting service is security. Every voter has to be sure that their vote has been counted, while the organizer needs complete protection from possible interference and fraud.
The Waves Enterprise team therefore decided to subject the recently launched voting service to a battery of tests run by an external party.
“It was vital for us to make sure that the service doesn’t have any vulnerabilities that attackers could exploit to obtain confidential user data, decipher ballots, or in any way have an impact on the voting process and outcome,” says Artem Kalikhov, Waves Enterprise CPO.
Selecting the testing partner
Waves Enterprise’s partner in testing the security of the voting service was Deteact. The main reason for choosing Deteact was previous successful collaboration with the company.
Deteact is a relatively new company that focuses on security audits for software, web apps and network infrastructure. The Deteact team additionally has experience in auditing smart contracts and blockchain-based solutions. Omar Ganiev, Deteact founder and CEO, has more than 13 years of experience in the information security field.
“We saw our task as testing the implementation of the service’s software, without going deeply into blockchain cryptography,” Ganiev explains. “Most attacks are conducted through classic web interfaces, and we therefore simulated an external attack on the system, with the web interface as the entry point.”
The tests combined automated tooling with manual testing.
The following areas were covered by the tests:
- Client app security
- Smart contract logic vulnerabilities
- Voting process operation
- Infrastructure security (software, libraries)
The testing process took around three weeks and resulted in the discovery of several vulnerabilities.
“The vulnerabilities were found not in the blockchain, but in the classic web interface — specifically, in the part responsible for user registration and data storage,” says Ganiev. “And those vulnerabilities were quite typical of web apps.”
“The two most critical vulnerabilities that we uncovered were the risk of personal user data leakage and cross-site scripting, which could allow an attacker to perform actions in the app in a user’s name,” he added.
Another, lower-severity vulnerability would allow an attacker to make changes to a voting invitation sent by a vote organizer. A further vulnerability would potentially allow the same voter to be added several times.
Finally, Deteact found a vulnerability that would potentially leave the service open to a DDoS attack mounted with limited resources.
Once uncovered, the vulnerabilities were addressed by the service’s developers and re-checked by the testing team.
“The interaction with the Waves Enterprise team was smooth and productive,” commented Ganiev.
“We always pay special attention to the security of our solutions, and the tests run by Deteact helped to make our voting service even more reliable and protected from outside interference,” Kalikhov concludes. “We are satisfied with our collaboration with Deteact and plan to use their services again in the future.”