Trail of Bits

Elixir Protocol

Type

Security review

Client

Elixir Technologies Ltd

Date

2024-08

Domain

Blockchain

Effort

4 wks

Section

Ethereum/EVM

Trail of Bits' August 2024 security review of the Elixir Protocol (client: Elixir Technologies Ltd) identified 22 issues: 8 high, 4 medium, 2 low, 5 informational, and 3 of undetermined severity.

Findings · 22

  1. Use of outdated dependencies · Informational
  2. Use of HTTP requests without timeout · Informational
  3. Private keys stored in environment variables · High
  4. Majority proposal group will always satisfy minimum size requirement · High
  5. Authentication at risk of replay attacks if misconfigured · High
  6. Strategy executor does not validate payload to sign · High
  7. Missing IP address validation allows bypassing Redpanda ACL · Medium
  8. Use of assert statement in production code · Undetermined
  9. Redpanda accounts and associated permissions are never revoked · Undetermined
  10. Delegators can redelegate stakes to jailed delegatee · Medium
  11. Attackers can cause slashing to become economically infeasible · Low
  12. Delegators can immediately undelegate before their delegatee is jailed · High
  13. Minority validators may participate in consensus process · High
  14. An influx of new strategy executors may halt consensus · Medium
  15. Lack of two-step process for ownership transfers · Informational
  16. Response payload to authentication challenge is not signed · Informational
  17. API does not validate display_name and app_version · Undetermined
  18. All on-chain events replayed upon startup · Medium
  19. Redpanda exposed to the Internet · High
  20. API has admin access to Redpanda · High
  21. Use of unpinned third-party Docker images and actions on workflows · Low
  22. Absence of access controls on pool creation function · Informational

Finding titles and severities are extracted from the published report PDF; see the full report for the detailed descriptions, exploit scenarios, and remediation recommendations for each.
