Newrails EMT Stablecoin
Disclaimer
Note that as of the date of publishing, the contents of this report reflect the current understanding of known security patterns and state of the art regarding system security. You agree that your access and/or use, including but not limited to any associated services, products, protocols, platforms, content, and materials, will be at your sole risk.
The review does not extend to the compiler layer, or any other areas beyond the programming language, or other programming aspects that could present security risks. If the audited source files are smart contract files, risks or issues introduced by using data feeds from offchain sources are not extended by this review either.
Given the size of the project, the findings detailed here are not to be considered exhaustive, and further testing and audit is recommended after the issues covered are fixed.
To the fullest extent permitted by law, we disclaim all warranties, expressed or implied, in connection with this report, its content, and the related services and products and your use thereof, including, without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.
We do not warrant, endorse, guarantee, or assume responsibility for any product or service advertised or offered by a third party through the product, any open source or third-party software, code, libraries, materials, or information linked to, called by, referenced by or accessible through the report, its content, and the related services and products, any hyperlinked websites, any websites or mobile applications appearing on any advertising, and we will not be a party to or in any way be responsible for monitoring any transaction between you and any third-party providers of products or services.
FOR AVOIDANCE OF DOUBT, THE REPORT, ITS CONTENT, ACCESS, AND/OR USAGE THEREOF, INCLUDING ANY ASSOCIATED SERVICES OR MATERIALS, SHALL NOT BE CONSIDERED OR RELIED UPON AS ANY FORM OF FINANCIAL, INVESTMENT, TAX, LEGAL, REGULATORY, OR OTHER ADVICE.
Coverage of Issues
Newrails EMT Stablecoin
Independent Security Assessment
01 Executive Summary
02 Disclaimer
Note that as of the date of publishing, the contents of this report reflect the current understanding of known security patterns and state of the art regarding system security. You agree that your access and/or use, including but not limited to any associated services, products, protocols, platforms, content, and materials, will be at your sole risk.
The review does not extend to the compiler layer, or any other areas beyond the programming language, or other programming aspects that could present security risks. If the audited source files are smart contract files, risks or issues introduced by using data feeds from offchain sources are not extended by this review either.
Given the size of the project, the findings detailed here are not to be considered exhaustive, and further testing and audit is recommended after the issues covered are fixed.
To the fullest extent permitted by law, we disclaim all warranties, expressed or implied, in connection with this report, its content, and the related services and products and your use thereof, including, without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.
We do not warrant, endorse, guarantee, or assume responsibility for any product or service advertised or offered by a third party through the product, any open source or third-party software, code, libraries, materials, or information linked to, called by, referenced by or accessible through the report, its content, and the related services and products, any hyperlinked websites, any websites or mobile applications appearing on any advertising, and we will not be a party to or in any way be responsible for monitoring any transaction between you and any third-party providers of products or services.
FOR AVOIDANCE OF DOUBT, THE REPORT, ITS CONTENT, ACCESS, AND/OR USAGE THEREOF, INCLUDING ANY ASSOCIATED SERVICES OR MATERIALS, SHALL NOT BE CONSIDERED OR RELIED UPON AS ANY FORM OF FINANCIAL, INVESTMENT, TAX, LEGAL, REGULATORY, OR OTHER ADVICE.
03 Audit Methodology
The above files' code was studied in detail in order to acquire a clear impression of how its specifications were implemented. The codebase was then subject to deep analysis and scrutiny, resulting in a series of observations. The problems and their potential solutions are discussed in this document and, whenever possible, we identify common sources for such problems and comment on them as well.
• Project Diagnosis
Understanding the size, scope and functionality of your project’s source code based on the specifications, sources, and instructions provided.
• Manual Code Review
Reading your source code line-by-line to identify potential vulnerabilities.
• Specification Comparison
Determining whether your project’s code successfully and efficiently accomplishes or executes its functions according to the specifications.
• Test Coverage Analysis
Determining whether the test cases cover your code and how much of your code is exercised.
• Symbolic Execution
Analyzing a program to determine the specific input that causes different parts of a program to execute its functions.
Reviewing the source code to improve maintainability, security, and control based on the latest established industry and academic practices, recommendations, and research.
04 Coverage of Issues
05 Finding Detailed Analysis
Signature Malleability Risk
Signature validation logic did not account for high-s values in ECDSA, presenting a potential malleability risk.
Use OpenZeppelin's ECDSA.recover library which correctly handles s-value range checks.
An attacker captures a valid 'permit' signature and mathematically transforms the 's' value to create a second valid signature for the same nonce. If nonces are not strictly invalidated, this could lead to duplicate executions.
BACKCODE ANALYTICS
Formal verification & cryptographic audit lab. We provide the mathematical certainty required for the decentralized future.