We express our gratitude to the Vital Wallet team for the collaborative engagement that enabled the execution of this dApp Security Assessment.
Document
Review Scope
System users should acknowledge all the risks summarized in the Risks section of this report.
Each package has its own README, providing clear and detailed information on setup and usage.
Code comments are present to explain complex logic and important functions.
The project is well-organized into packages, making it easy to navigate and understand.
Code is divided into packages and modules, promoting reusability and maintainability.
Presence of test files indicates a focus on verifying functionality.
Configuration files for ESLint and Prettier ensure consistent code style and formatting.
Separate environment files for development and production enhance security and flexibility.
NEO is a blockchain platform that supports the development of digital assets and smart contracts. It is often referred to as a "smart economy" platform because it integrates digital assets, digital identities, and smart contracts into a unified ecosystem.
Key Features:
NEO supports smart contracts written in multiple programming languages, making it accessible to a wide range of developers.
NEO integrates digital identity, providing verifiable digital certificates for identity verification.
NEO uses the Delegated Byzantine Fault Tolerance (dBFT) consensus mechanism, which is designed to be fast and efficient.
NEO aims to provide interoperability across different blockchains, allowing seamless interaction and data exchange.
The platform utilizes two native tokens, NEO and GAS, which serve different purposes within the ecosystem.
Root Files
.editorconfig: Configuration for code editors to ensure consistent coding styles across different IDEs and editors.
.gitignore: Specifies intentionally untracked files to ignore in Git.
.prettierrc.js: Configuration file for Prettier, a code formatting tool.
.yarnrc.yml: Yarn configuration file for managing dependencies.
LICENSE: Contains the terms and conditions for using the project.
README.md: Provides a high-level overview of the project, including setup instructions and usage details.
lerna.json: Configuration for Lerna, a tool for managing JavaScript projects with multiple packages.
nx.json: Configuration file for Nx, a set of extensible dev tools for monorepos.
package.json: Lists the project's dependencies and scripts.
tsconfig.json: TypeScript configuration file specifying compiler options.
yarn.lock: Lock file for ensuring consistent installations across environments.
VSCode Configuration
.vscode/settings.json: Workspace settings for Visual Studio Code, specifying editor preferences for this project.
README.md: Documentation specific to the snap package.
jest.config.js: Configuration for Jest, a JavaScript testing framework.
package.json: Dependencies and scripts specific to the snap package.
snap.config.ts: Configuration file for the snap.
snap.manifest.json: Metadata about the snap, such as permissions and initial data.
getAccount.ts: Retrieves account information.
getNetworks.ts: Fetches network data.
index.ts: Entry point of the snap package.
invoke.ts: Contains functionality to invoke blockchain operations.
invokeMulti.ts: Handles multi-invocation of blockchain transactions.
signMessage.ts: Logic for signing messages.
signMessageWithoutSalt.ts: Signs messages without a salt value.
signTransaction.ts: Handles transaction signing.
state.ts: Manages state within the snap package.
types.ts: Defines TypeScript types for the snap package.
admin/switchNetwork.ts: Allows switching between different networks.
ui/customUI.ts: Contains custom UI components.
asserts.ts: Helper functions for assertions.
constants.ts: Defines constants used throughout the snap package.
convertors.ts: Functions to convert between different data formats.
env.ts: Manages environment variables.
errors.ts: Error handling utilities.
keyPair.ts: Functions related to key pair management.
logger.ts: Logging utility functions.
serializer.ts: Handles data serialization.
signingProvider.ts: Manages signing providers.
url.ts: URL manipulation utilities.
wallet.ts: Wallet management utilities.
constants.test.ts: Unit tests for constants.
invoke.test.ts: Unit tests for invocation functionality.
README.md: Documentation for the wallet adapter.
package.json: Lists dependencies for the wallet adapter.
tsconfig.json: TypeScript configuration for this package.
custom.d.ts: Custom TypeScript declarations.
index.ts: Entry point for the wallet adapter package.
snapOrigin.ts: Handles origin verification for snaps.
types.ts: Defines TypeScript types for the wallet adapter.
.env.development / .env.production: Environment variables for different environments.
.eslintrc.js: ESLint configuration for code linting.
.gitignore / .prettierrc.js: Similar purpose as at the root, specific to this package.
README.md: Documentation for the wallet site package.
i18n.json: Internationalization configuration file.
next.config.js: Configuration for the Next.js framework.
package.json: Dependencies for the wallet site.
postcss.config.js: Configuration for PostCSS, a tool for transforming CSS.
tailwind.config.ts: Configuration for the Tailwind CSS framework.
tsconfig.json: TypeScript configuration file.
locales/en/common.json: English translations for localization.
src/assets: Contains images and icons used in the project.
react-app-env.d.ts: React environment TypeScript declarations.
app/: Contains main application components, pages, and styling.
components/: Reusable UI components.
history/: Components related to transaction history.
wallet/: Wallet-specific components and pages.
config/: Configuration files for environment and snap.
dapi/: dAPI (Decentralized API) integration.
hooks/: Custom React hooks for various functionalities.
store/: State management using stores.
types/: TypeScript type definitions.
utils/: Utility functions for various operations.
| Code | Title | Status | Severity |
|---|---|---|---|
| F-2024-5217 | Insecure Private Key Handling in SigningNetworkProvider | Fixed | High |
| F-2024-5216 | Insecure Private Key Handling | Fixed | High |
| F-2024-5005 | Non-literal Regular Expression (ReDoS) | Fixed | Medium |
| F-2024-5213 | Improper Environment Configuration | Fixed | Low |
| F-2024-5006 | Insufficient Input Validation | Fixed | Low |
| F-2024-5004 | Vulnerable Dependencies | Fixed | Low |
| F-2024-5365 | Improve TypeScript Configuration Settings | Accepted | Observation |
| F-2024-5233 | Imprecise Dependency Versioning | Fixed | Observation |
| F-2024-5228 | Missing Author Information in Package Metadata | Fixed | Observation |
| F-2024-5226 | Unhandled Promise Rejection | Fixed | Observation |
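The "Non-literal Regular Expression (ReDoS)" finding class (F-2024-5005) is easiest to understand in code. The block below is an added example written for this page; it is not code from the Vital Wallet repository and does not reproduce the actual finding. The transaction-history search scenario, the sample rows, and the function names (filterHistoryVulnerable, filterHistorySafe, escapeRegExp, backtrackingDemoMs) are assumptions made for illustration. It contrasts compiling user input directly with new RegExp() against escaping it first, and shows the three failure modes the non-literal pattern invites: a SyntaxError on a malformed query, metacharacters silently changing the match semantics, and catastrophic backtracking on nested quantifiers.

```typescript
// Added example for this page (not Vital Wallet code): a transaction-history
// search filter in its vulnerable and hardened forms. The scenario, the sample
// rows and all function names are assumptions made for illustration.

// Constructed sample rows standing in for a wallet's transaction history.
const SAMPLE_HISTORY: string[] = [
  "Transfer 10 GAS to NXyz (memo: rent)",
  "Invoke contract 0xabc (method: vote)",
  "Transfer 5 NEO to NAbc [batch]",
];

// VULNERABLE: the user's query is compiled as a pattern, not matched as text.
//   1. "(" or "[" is an invalid pattern, so new RegExp() throws a SyntaxError
//      and the caller crashes unless it catches the error.
//   2. Metacharacters change meaning: "[batch]" becomes a character class and
//      matches almost every row instead of the literal text "[batch]".
//   3. A query with nested quantifiers such as "(a+)+$" forces the engine into
//      catastrophic backtracking on input that does not match (ReDoS).
function filterHistoryVulnerable(rows: string[], query: string): string[] {
  const re = new RegExp(query, "i");
  return rows.filter((row) => re.test(row));
}

// Escape every regex metacharacter so the query matches literally. The
// resulting pattern is a plain substring search with no backtracking hazard.
function escapeRegExp(input: string): string {
  return input.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Upper bound on query length; keeps even a pathological query cheap.
const MAX_QUERY_LENGTH = 128;

// HARDENED: bound the length, escape, then compile.
function filterHistorySafe(rows: string[], query: string): string[] {
  if (query.length > MAX_QUERY_LENGTH) {
    throw new RangeError("query longer than " + MAX_QUERY_LENGTH + " characters");
  }
  const re = new RegExp(escapeRegExp(query), "i");
  return rows.filter((row) => re.test(row));
}

// Builds the classic ReDoS victim string: n copies of "a" followed by "!".
// (Array join is used instead of String.prototype.repeat to stay ES5-safe.)
function victimString(n: number): string {
  return new Array(n + 1).join("a") + "!";
}

// Times the nested-quantifier query "(a+)+$" against victimString(n) through
// either filter and returns the elapsed milliseconds. Through the vulnerable
// path the work grows roughly as 2^n; through the safe path the query is a
// literal and the cost stays flat. n defaults to 18 so the demo stays quick.
function backtrackingDemoMs(vulnerable: boolean, n: number = 18): number {
  const query = "(a+)+$";
  const rows = [victimString(n)];
  const start = Date.now();
  if (vulnerable) {
    filterHistoryVulnerable(rows, query);
  } else {
    filterHistorySafe(rows, query);
  }
  return Date.now() - start;
}
```

Raising n in backtrackingDemoMs by a few steps at a time makes the exponential growth of the vulnerable path visible without hanging the process; the safe path stays at a few milliseconds regardless of n. Escaping user input and bounding its length is the fix for this class; where a real pattern language must be exposed to users, it should be an allow-listed grammar compiled server-side, not raw RegExp syntax.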
Severity
Description
The scope of the project includes the following files from the provided repository:
Scope Details
Snap