
Scouting for Vulnerabilities in Stellar Smart Contracts

Meet Scout

Scout, or Scout Audit, is a tool for finding security vulnerabilities in smart contracts, developed by CoinFabrik Research. It was born out of a collaboration with the Laboratory on Foundations and Tools for Software Engineering (LaFHIS) at the University of Buenos Aires, where we surveyed which static analysis tools could be developed to find issues in NEAR smart contracts, which are written in Rust. This work was followed in 2023 by a series of grants financed by Web3 Foundation and Aleph Zero Ecosystem Grants, which led to the release of our open-source vulnerability detector for smart contracts written in the ink! smart contract language. We named the tool Scout.

In comes Stellar: for the last few months we have worked on supporting the detection of security issues in Soroban code, that is, in smart contracts written for the Stellar network.

Our development includes a set of relevant vulnerability examples and associated detectors, complemented with a CLI and a VSCode Extension in order to help smart contract developers and auditors identify common security issues and deviations from best practices during development.

Stellar Soroban: A new environment but the same principles

Scout is built on top of a linter. Each of our “detectors” is nothing but a lint. We realized that the detection principles used in the development of detectors for Scout could be applied in a straightforward way to any blockchain whose smart contract language was based on Rust.

Scout’s linter is currently Trail of Bits’ Dylint. Dylint is a static analyzer that connects to the Rust compiler and exposes the High-Level Intermediate Representation (HIR) and the Mid-level Intermediate Representation (MIR), which allow many vulnerabilities to be captured quite accurately. The lints, each designed to detect a specific class of vulnerability, are files that are integrated into the tool during compilation. Hence, there is no barrier for any contributor to add new lints, or detectors, as we call them. This feature of Scout’s architecture makes it easy to adapt the tool to many Rust-based blockchains.

Graph 01: Scout Architecture

This is why, after perfecting a version of Scout for Polkadot’s ink! language, we were able to extend Scout to Stellar Soroban smart contracts, which are also based on Rust.

Challenges in an unexplored terrain

We started our work in early November 2023, almost two months before Soroban’s first stable release. Soroban smart contracts were an unexplored terrain, not only for us at CoinFabrik, but also for most blockchain developers. This raised a question: how were we going to find vulnerabilities in Soroban smart contracts when very few smart contracts had been written in the first place? How were we going to make Scout a valuable companion for newcomers to this community?

The approach we took was radically different from what we would have done in an established blockchain, with many deployed smart contracts. Instead of going into the wild, looking for existing smart contracts with vulnerabilities, Scout had to look inward, back into its memories from previous blockchain landscapes, anticipating possible pitfalls and dangers, in the dark.

This is where our auditing experience at CoinFabrik came in useful. Using our audit analysis categories and our previous experience building Scout for other blockchains as scaffolding, we could anticipate which types of vulnerabilities could be realized in this unexplored terrain. For this prototype we did not need to find vulnerable smart contracts in the wild; we simply had to recreate, in Soroban, vulnerability examples that we knew existed in other blockchains and build the associated detectors. These are the warnings on the new vulnerability map that newcomers should beware of.

This approach leaves out vulnerabilities that are specific to Soroban smart contracts, but for this prototype it was sufficient. As new smart contracts start to populate this environment and manual audits with public reports are performed, we will be able to incorporate this growing knowledge base into Scout as detectors.

Pitfalls and Flags; Vulnerabilities and Detectors

With this approach in mind, we worked on flagging possible pitfalls in this environment. We developed a list of 12 vulnerability classes. For each vulnerability class we have at least one test case smart contract with an instance of the vulnerability, a second smart contract that “fixes” this vulnerability, and a detector which correctly detects the vulnerability in the first one and does not trigger an alarm in what we call the remediated example. A summary of these vulnerabilities, test cases and detectors can be found in our Detectors Table.

Among the vulnerabilities covered, key categories include Arithmetic vulnerabilities, where operation precision issues and overflows can lead to incorrect computations; Validations and Error Handling vulnerabilities, such as improper use of error-handling methods leading to program crashes; Authorization and Best Practices vulnerabilities, highlighting risks from unauthorized access and deviations from standard coding practices; and Denial of Service (DoS) risks, where unbounded operations can exhaust system resources, disrupting service availability. These vulnerabilities underscore the critical need for vigilant coding, robust error handling, and strict access controls to ensure the security and reliability of smart contracts and blockchain applications.
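To make the vulnerable/remediated pairing concrete, here is an added example (not code from the Scout repository or from the post) of two of the classes named above, Arithmetic and Error Handling, each written as a vulnerable function beside its remediated form. It is plain Rust with no soroban_sdk dependency, so the balance storage is modelled as a slice of (account, balance) pairs; the function names and the `BalanceError` type are assumptions of this example.

```rust
// Added example, not from the Scout project: vulnerable and remediated
// forms of two Soroban vulnerability classes, in plain Rust so it runs
// stand-alone (no soroban_sdk). Names and types here are assumptions.

/// Errors a remediated contract returns instead of panicking (assumed type).
#[derive(Debug, PartialEq)]
pub enum BalanceError {
    Overflow,
    MissingBalance,
}

/// Arithmetic vulnerability: in a release build with overflow checks
/// disabled a plain `balance + amount` wraps silently. `wrapping_add`
/// makes that behaviour explicit so the example is deterministic in
/// test builds too, where `+` would panic instead.
pub fn deposit_vulnerable(balance: u64, amount: u64) -> u64 {
    balance.wrapping_add(amount)
}

/// Remediated: `checked_add` turns the overflow into a typed error the
/// caller can handle, instead of a corrupted balance.
pub fn deposit_remediated(balance: u64, amount: u64) -> Result<u64, BalanceError> {
    balance.checked_add(amount).ok_or(BalanceError::Overflow)
}

/// Error-handling vulnerability: `unwrap` on a missing entry panics and
/// aborts the whole invocation with an opaque trap.
pub fn read_balance_vulnerable(storage: &[(u32, u64)], account: u32) -> u64 {
    storage
        .iter()
        .find(|(a, _)| *a == account)
        .map(|(_, b)| *b)
        .unwrap()
}

/// Remediated: the missing entry becomes a typed error that is propagated
/// to the caller rather than a panic.
pub fn read_balance_remediated(storage: &[(u32, u64)], account: u32) -> Result<u64, BalanceError> {
    storage
        .iter()
        .find(|(a, _)| *a == account)
        .map(|(_, b)| *b)
        .ok_or(BalanceError::MissingBalance)
}
```

A detector for these classes flags the `wrapping_add`/unchecked `+` and the `unwrap()` call sites and stays silent on the `checked_add` and `ok_or` forms.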

Not all smart contract languages are the same, and some vulnerabilities do not easily translate into Soroban. This was particularly evident when we attempted to replicate Delegate Call attacks, which we could not perform due to the absence of a delegatecall() function or equivalent mechanisms enabling the creation of proxy contracts. In the case of Reentrancy, we found only one instance of self-reentrancy applicable to Soroban smart contracts, which did not constitute a vulnerability.


Conclusion

On the path to bringing Scout to Soroban, we encountered the challenge of building vulnerability detectors for smart contracts that had never been constructed in the environment. Fortunately, Scout’s architecture, coupled with our prior knowledge of blockchain and Rust-based vulnerabilities, proved to be a solid foundation for this prototype.
The CLI and VSCode extension make Scout a reliable companion for new developers or auditors entering this ecosystem. We will continue our work, increasing the number of detectors and vulnerabilities covered, and enhancing the usability of the tool for teams new to the ecosystem.

Try Scout!

Whether you’re an entry-level developer or a seasoned expert, Scout is the perfect tool to enhance your Soroban smart contract projects. Designed with ease of use in mind, Scout offers a seamless installation process, allowing you to focus on what matters most: creating innovative and secure smart contracts.

We understand the importance of community and support in the development process. That’s why we’re committed to being there for you every step of the way. Have questions or need assistance? Reach out to us through our GitHub for detailed queries, follow our journey and updates on Twitter, connect with our team on LinkedIn, or drop us a message through our contact form on the Scout page.

Your feedback and usage help Scout evolve. By choosing Scout, you’re not just getting a tool; you’re joining a growing community dedicated to making Soroban smart contract development safer and more accessible.

Download Scout for Soroban [here] and start your journey towards smarter contract development. Let’s build a secure future together!

Further Reading

[1] Vulnerability Detection in ink! Programming Language
[2] Bigger, Better and Faster Vulnerability Detection in ink! Programming Language