Working with Jigstack
13 May 2021
Earlier this year, we collaborated with the team at Jigstack for a full penetration and load test of their services. For those of you unfamiliar with Jigstack, they have been called the “Microsoft of Decentralised Finance.”
Jigstack is a decentralised autonomous organisation (DAO) who govern a portfolio of Ethereum network assets and protocols. Any assets deployed into Jigstack are, as they say, “audited, non-custodial, trusted, and secure.”
When looking into the security of their services, they knew the importance of proper testing. Given the blockchain nature of decentralised finance or DeFi, once deployed – there is no going back. We were consistently impressed with the team’s professionalism and active awareness as we moved through testing.
The blockchain-based platform that Jigstack has developed is built upon the blockchain. You can learn more about blockchain here! But in short, it is effectively a list of records. With each record being a ‘block’ and being chained to the previous record or block – hence blockchain. The security of blockchain is in its decentralised nature, it’s hard to cheat.
But Jigstack itself has more than the blockchain. There are other parts that needed to be as secure as possible. Over our collaboration with the brilliant team at Jigstack, we worked on the web application, the integration of smart contracts, and the API itself.
As a custom-coded financial application, the Jigstack team knew that security couldn’t be half-baked.
We can’t say enough how professional the Jigstack team were and applaud their awareness of security needs. They granted us access to the full documentation concerning their scope as well as access to the application with some user privileges. This would fall under our White Box service, a full dive into the application, often including source code.
The Results of White Box Testing
Of course, we can’t give any actual details! But what we can say is the level of access and scope we were granted allowed us to really get our teeth into their application and services. These penetration tests focus on the identification and exploitation of security weaknesses. Usually, they would allow a malicious actor unauthorised access to vital user or organisation data.
Over the course of our testing, we discovered a variety of vulnerabilities. Several of these were deemed critical by our team and we passed on a comprehensive breakdown of our findings. In addition, we provide a list of recommendations to deal with these vulnerabilities which the Jigstack team took on board.
To give a bit more detail of our testing, we look for common vulnerabilities such as:
- Remote Code Execution
- SQL Injection
- Path traversal attacks
- File upload vulnerabilities
- Parameter tampering
- Access control flaws
- Transport layer security, Business logic, and Authentication flaws
- SMTP, Header, and JSON Injection
- XML Injection / Code Execution
But we also expanded to common smart contract and blockchain vulnerabilities such as:
- Re-entrancy Attacks
- Over & Underflow attacks
- Block Gas Limit
- Front Running
Load Testing Services
We also worked closely with the Jigstack team on load and performance testing. They were expecting a large amount of traffic and transactions daily. We engaged with the web platform to ensure it was able to handle a volume of users.
If you don’t know what load testing is, you can find more details here! In short, it is an orchestrated push of packets and user interactions onto a platform. The intention is to see when and where a system struggles or fails given a certain load.
Developing load test scripts to simulate real user behaviour we tested a variety of functionalities.These include:
- Account registration and login
- Activation of emails
- Campaign management (create, browse campaigns & transactions)
- Buying crypto tokens
Once finished, we provided detailed explanations and examples of how their platform had performed. For example, thanks to the load testing exercise, we were able to identify several issues that were causing bottlenecks when it came to handling large amounts of traffic.
We were able to provide a deep dive into our findings thanks to the trust put in our testing by the team at Jigstack. We’d like to extend our thanks again to them for giving us that trust.
It was a pleasure for us to engage with the Jigstack team and put their application to the test. Since their launch, Jigstack now has over 200,000 developers around the world contributing to and/or developing on their tech stack. We were delighted to be involved in ensuring the safety, security, and reliable performance of their platform.