♠️
RACE Protocol
NFT PresaleDiscord
  • ❤️Official Docs & Links
  • ⏳Progress Overview
  • RACE Protocol
    • 🏗️System Architecture
      • Components
      • On-chain Accounts
      • Synchronization
      • Randomization
      • Payment
    • 🎲Game Development
      • Game Handler
      • Effect
      • Event Handling
      • Race API
        • Arweave Integration
      • Race JS SDK
        • Installation and Setup
        • Key Components
          • AppClient
          • SubClient
          • Events
          • Game Context
          • Decryption Cache
        • Advanced Features
          • Getting Revealed Knowledge
          • Exiting and Detaching
          • Submitting Messages
          • Sub-game Interaction
        • Best Practices
        • API Reference
        • Troubleshooting
    • 🧪Testing
      • Race Test Kit
      • Unit Testing
      • Integration Testing
      • Additional Considerations
    • 🧱Modules & Features
      • Encryption Methods
      • Command-line Tools
      • Configuration Options
      • Blockchain Transport Implementations
    • 📃Smart Contract
      • Solana Program
    • 🔦Examples and Use Cases
      • Draw Card Game
      • Raffle Game
      • Other Examples
  • RACE Games
    • ♠️RACE Poker app
      • 🎮Start playing in minutes
        • 💰Cash and sit-n-go
        • 🏆Tournaments
      • 🎨Workshop
        • 🏆Create cash games
        • 🏨Create tourneys
      • 💡Concept introduction
      • 🏗️System architecture
      • 👾Game Flow
      • 🎲Cards shuffling
      • ☎️Communication
      • 🔐Key sharing/decryption
      • 💱Cash flow structure
    • ⚡Solfast
      • 🎲Game modes
  • RACE RESEARCH
    • 👾No-Code Development
      • Brainstorming
      • Implementation Approach
      • Project Status
    • 0️⃣Zero-Knowledge Proofs
      • Brainstorming
      • Integration steps
        • Verifiable Randomness Generation
        • Private Game State Updates
        • Verifiable Settlements
        • Private Player Actions
      • Project Status
    • 🛡️Security Audit Report
      • Executive summary
        • Introduction to Race Protocol
        • Audit Methodology
      • Findings
        • Smart Contract Security
        • WebAssembly Security
        • Client-side Security (Race SDK)
        • Server-side Security
        • Randomization and Encryption
        • On-chain Account Management
        • Synchronization Mechanisms
        • Payment Handling
      • Recommendations
      • Conclusion
  • RACE DAO
    • 😎About
    • 🫂Community
    • 🖼️NFT Collection [!]
Powered by GitBook
On this page
  1. RACE RESEARCH
  2. Security Audit Report
  3. Findings

Randomization and Encryption

This section assesses the security of the mental poker algorithm implementation in Race Protocol, focusing on its ability to generate unpredictable and verifiable randomness. Additionally, the audit evaluates the strength of the encryption methods used for communication and data protection.

Findings:

Medium:

  • [ID] Potential for bias in randomness generation if servers collude.

    • Description: The mental poker algorithm relies on the assumption that servers are independent and do not collude. If multiple servers collude and share their secret keys, they could potentially influence the outcome of the randomization process.

    • Impact: Collusion among servers could lead to predictable or biased randomness, compromising the fairness of games that rely on it.

    • Recommendation: Implement additional measures to mitigate the risk of server collusion. This could involve:

      • Increasing the number of servers: Having a larger number of servers from different owners reduces the impact of collusion by any subset of servers.

      • Introducing verifiable random functions (VRFs): VRFs provide a cryptographic guarantee that the generated randomness is unpredictable, even if some servers collude.

    • Code Reference: Randomization logic in race-core/src/random.rs and server interaction in transactor/src/component/wrapped_client.rs.

Low:

  • [ID] Reliance on a single encryption algorithm for data protection.

    • Description: Race Protocol primarily uses ChaCha20 for encrypting game state data and custom events. While ChaCha20 is a strong and efficient algorithm, relying on a single encryption method can increase the risk if vulnerabilities are discovered in the future.

    • Impact: If a vulnerability is found in ChaCha20, the confidentiality and integrity of game data could be compromised.

    • Recommendation: Consider adopting a hybrid approach that combines multiple encryption algorithms, such as ChaCha20 and AES, to provide defense in depth and mitigate the risk of a single point of failure.

    • Code Reference: Encryption logic in race-encryptor/src/lib.rs.

Prioritization:

  • Addressing the potential for bias in randomness generation due to server collusion should be prioritized as it directly impacts the fairness of games built on Race Protocol.

  • Diversifying the encryption methods used for data protection is a good security practice but can be considered a lower priority compared to addressing the collusion risk.

Overall Assessment:

  • The mental poker algorithm implementation in Race Protocol appears to be sound and provides a good foundation for generating verifiable randomness.

  • However, the reliance on server independence and the use of a single encryption algorithm are potential weaknesses that should be addressed to further enhance the security and fairness of the protocol.

PreviousServer-side SecurityNextOn-chain Account Management

Last updated 1 year ago

🛡️