Case Study: JACKAL

Notional provides extensive security audits for chain teams and has built a reputation in the Cosmos ecosystem for its ability to spot and call out security flaws. A recent example of this was when Jacob Gadikian reviewed the codebase for Jackal and found several potentially insecure aspects to the project's codebase. The Jackal team responded quickly and invited Jacob to provide a detailed security audit.

Jacob set out to investigate several potential issues, outlined here:

  • Make a hard determination if validator filesystems were put at risk
  • Determine the level of interplay between the rando HTTP server and the filetree and storage modules.
    • RESULT: I think that they weren't, and we should refactor these modules before putting them back into play.
  • Determine if user data or funds were put at risk and to what degree
    • RESULT: they weren't, except in an adversarial economic attack scenario where an adversary attempts to drain liquidity from exchanges where jkl is listed by halting JKL.
  • Look at ibc transactions between jackal and osmosis
  • Look at history from secret network
    • RESULT:
      • mixed community feedback, mostly airdrop related, totally normal.
      • Team says they chose to build their own solution rather than use secret. This is fine too, that's their choice.

This requires our team to always have someone on call to respond to questions and emergencies with the STRIDE team. This engagement, like many others, has led Notional to aim for a 5-minute response time for customer questions. Of course, this target is hard to meet and we do not always meet it, but we maintain faster response times than most blockchain-related teams as a result of our efforts to meet this benchmark. Responsiveness is key to the Notional package.

The plan of action to assess Jackal is outlined here:
  • Support for IAVL
  • Support for authz integration
  • Support for chain upgrade to v4
  • Auditing of pull requests
  • Dragonberry patching, and more…

The end result was that several modules were removed from the Jackal codebase and new code was added to ensure it was more secure going forward. A summary from the Jackal team can be found on their official Medium page.