Web3’s decentralized nature brings about exciting opportunities, but it also presents significant security challenges worth considering. Some of these risks include insufficient encryption, smart contract hacking, privacy concerns, private key loss, phishing attempts, scalability challenges, and uncertainties surrounding regulations.
Addressing these concerns involves adopting secure practices like using secure wallets, handling private keys with caution, and staying informed about potential threats. Neodyme’s River Guard protocol for the Solana ecosystem is a key initiative in realizing this vision.
Thomas Lambertz, Co-founder of Neodyme, and Nico Grundel, Co-founder and Security Researcher of Neodyme, made a presentation of their latest security tool designed to enhance the security of smart contracts on the Solana blockchain at Breakpoint 2023.
The tool aims to automatically identify and mitigate vulnerabilities, particularly those that can lead to simple yet potentially devastating exploits.
Based in Paris, France, Neodyme is a software development firm with a focus on democratizing blockchain technology and enhancing business processes through no-code solutions.
The company aims to make blockchain technology accessible to every industry by providing tools for learning and building inside Web3. It also emphasizes security, offering deep-dive audits, cutting-edge research, and training services to enhance software security.
Problem with smart contract security
Speaking at the Breakpoint, Lambertz highlighted the challenges in securing smart contracts, recognizing the complexity of auditing and reviewing code for each contract, particularly given the extensive number of contracts on the Solana network.
He noted the observation that some exploits are surprisingly simple, requiring only minor manipulations by attackers to achieve significant gains. Similarly, River Guard’s strategy involves automating the identification of these simple yet exploitable bugs by simulating user interactions with contracts, similar to how a hacker might explore vulnerabilities.
The tool focuses on mimicking user interactions with smart contracts through the River feature, which leverages the usage patterns of other users on the network. By observing and mutating successful transactions, River Guard aims to automatically detect exploitable patterns and vulnerabilities.
Technicalities of River Guard
Nico went on to discuss the technical aspects of River Guard, describing the process of transaction ingestion, mutation, and the various mutation rules implemented in the tool. He also shared insights into a real-world scenario where River Guard identified and helped fix a vulnerability in a Solana casino protocol.
The case involved a self-transfer vulnerability in a casino’s deposit mechanism. Grundel walked through the steps of how River Guard detected and exploited the vulnerability, emphasizing the tool’s role as a starting point rather than a conclusive determination of a contract’s security. He also revealed the need for manual triage and the importance of collaboration between the tool’s findings and human expertise.
The security researcher also lauded the impact of River Guard on Solana, highlighting that the tool’s effectiveness has been validated by 19 confirmed findings, all of which were promptly addressed.
