oib/aitbc
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity
Files
4a1e39dd3cd5c02fa509ba2a2cc6db16a72c281d
aitbc/docs/security/SECURITY_VULNERABILITIES.md
aitbc 19d415a235
Some checks failed
Blockchain Synchronization Verification / sync-verification (push) Failing after 3s
Details
CLI Tests / test-cli (push) Failing after 3s
Details
Cross-Chain Functionality Tests / test-cross-chain-sync (push) Successful in 2s
Details
Cross-Chain Functionality Tests / test-cross-chain-transactions (push) Successful in 3s
Details
Cross-Chain Functionality Tests / test-cross-chain-bridge (push) Has been skipped
Details
Cross-Chain Functionality Tests / test-multi-chain-consensus (push) Successful in 2s
Details
Cross-Chain Functionality Tests / aggregate-results (push) Has been skipped
Details
Deploy to Testnet / deploy-testnet (push) Successful in 1m12s
Details
Documentation Validation / validate-docs (push) Failing after 8s
Details
Documentation Validation / validate-policies-strict (push) Successful in 3s
Details
Integration Tests / test-service-integration (push) Successful in 2m6s
Details
Multi-Chain Island Architecture Tests / test-multi-chain-island (push) Successful in 2s
Details
Multi-Node Blockchain Health Monitoring / health-check (push) Failing after 4s
Details
P2P Network Verification / p2p-verification (push) Successful in 4s
Details
Package Tests / Python package - aitbc-agent-sdk (push) Successful in 32s
Details
Package Tests / Python package - aitbc-core (push) Successful in 14s
Details
Package Tests / Python package - aitbc-crypto (push) Successful in 12s
Details
Package Tests / Python package - aitbc-sdk (push) Successful in 9s
Details
Package Tests / JavaScript package - aitbc-sdk-js (push) Successful in 8s
Details
Package Tests / JavaScript package - aitbc-token (push) Successful in 17s
Details
Python Tests / test-python (push) Successful in 15s
Details
Security Scanning / security-scan (push) Successful in 27s
Details
Node Failover Simulation / failover-test (push) Successful in 7s
Details
Multi-Node Stress Testing / stress-test (push) Successful in 6s
Details
Cross-Node Transaction Testing / transaction-test (push) Successful in 4s
Details
feat: add SQLCipher database encryption support and consolidate agent documentation 
- Add SQLCipher encryption for ait-mainnet database with configurable flag
- Add db_encryption_enabled and db_encryption_key_path config settings
- Implement encryption key loading and PRAGMA key setup via connection events
- Add shutdown_db function for proper database cleanup
- Export middleware classes in aitbc/__init__.py
- Fix import path in sync.py for settings
- Remove duplicate agent documentation from docs
2026-05-03 12:00:38 +02:00

12 KiB
Raw Blame History

AITBC Security Vulnerabilities

Date: April 13, 2026
Severity: CRITICAL
Status: OPEN

Database Manipulation Vulnerability

Issue: Direct database manipulation is possible to change account balances without cryptographic validation.

Current Implementation

Database Schema Issues:

CREATE TABLE account (
    chain_id VARCHAR NOT NULL,
    address VARCHAR NOT NULL,
    balance INTEGER NOT NULL,
    nonce INTEGER NOT NULL,
    updated_at DATETIME NOT NULL,
    PRIMARY KEY (chain_id, address)
);

Security Problems:

  1. No Cryptographic Signatures: Account balances are stored as plain integers without signatures
  2. No State Root Verification: No Merkle tree or state root to verify account state integrity
  3. No Transaction Validation: Balance changes can be made directly without transaction processing
  4. No Encryption at Rest: Database is accessible with standard file permissions
  5. No Integrity Constraints: No foreign keys or constraints preventing manipulation
  6. Mutable State: Account balances are stored as mutable state instead of derived from transaction history

Why This Should Not Be Possible

In a proper AI trust blockchain:

  • Account balances should be derived from transaction history, not stored as mutable state
  • State should be verified via Merkle trees/state roots in block headers
  • Database should be encrypted or have strict access controls
  • Balance changes should only happen through validated transactions with proper signatures
  • Cryptographic signatures should protect all state changes
  • State root verification should validate entire account state against block headers

Proof of Vulnerability

The following operations were successfully executed, demonstrating the vulnerability:

# Direct account creation without transaction validation
sqlite3 /var/lib/aitbc/data/chain.db "INSERT INTO account (chain_id, address, balance, nonce, updated_at) VALUES ('ait-testnet', 'ait10a252a31c79939c689bf392e960afc7861df5ee9', 1000, 0, datetime('now'))"

# Direct balance manipulation without transaction validation
sqlite3 /var/lib/aitbc/data/chain.db "UPDATE account SET balance = 10000000 WHERE address = 'aitbc1genesis'"

# Account deletion without transaction validation
sqlite3 /var/lib/aitbc/data/chain.db "DELETE FROM account WHERE address = 'ait10a252a31c79939c689bf392e960afc7861df5ee9'"

Impact:

  • Anyone with database access can create arbitrary balances
  • No cryptographic proof of balance ownership
  • No audit trail of balance changes
  • Violates fundamental blockchain security principles
  • Compromises trust in the entire system

Missing Security Measures

1. Cryptographic Signatures

Missing: Account state changes should be signed by private keys Impact: Unauthorized balance modifications possible

2. State Root Verification

Missing: Merkle tree or state root to verify account state integrity Impact: No way to detect tampering with account balances

3. Transaction-Only State Changes

Missing: Balance changes should only occur through validated transactions Impact: Direct database manipulation bypasses consensus mechanism

4. Database Encryption

Missing: Database stored in plain text with file-system permissions only Impact: Physical access allows complete compromise

5. Integrity Constraints

Missing: No cryptographic integrity checks on database state Impact: Silent corruption or tampering undetectable

6. Derived State

Missing: Account balances should be computed from transaction history, not stored Impact: Mutable state can be manipulated without trace

Proposed Security Fixes

Immediate (Critical)

  1. Implement State Root Verification

    • Add Merkle tree for account state
    • Include state root in block headers
    • Verify state root against account state on every block

  2. Add Cryptographic Signatures

    • Sign all state changes with private keys
    • Verify signatures before applying changes
    • Reject unsigned or invalidly signed operations

  3. Transaction-Only Balance Changes

    • Remove direct account balance updates
    • Only allow balance changes through validated transactions
    • Add transaction replay protection

Medium Term

  1. Database Encryption

    • Encrypt database at rest
    • Use hardware security modules (HSM) for key storage
    • Implement secure key management

  2. Access Controls

    • Restrict database access to blockchain node only
    • Add authentication for database connections
    • Implement audit logging for all database operations

Long Term

  1. Derived State Architecture

    • Redesign to compute balances from transaction history
    • Store immutable transaction log only
    • Compute account state on-demand from transaction history

  2. Formal Verification

    • Add formal verification of consensus logic
    • Implement zero-knowledge proofs for state transitions
    • Add cryptographic proofs for all operations

Impact Assessment

Trust Impact: CRITICAL

  • Compromises fundamental trust in the blockchain
  • Users cannot trust that balances are accurate
  • Undermines entire AI trust system premise

Security Impact: CRITICAL

  • Allows unauthorized balance creation
  • Enables double-spending attacks
  • Bypasses all consensus mechanisms

Financial Impact: CRITICAL

  • Can create arbitrary amounts of AIT coins
  • Can steal funds from legitimate users
  • Cannot guarantee asset ownership

Recommendations

  1. IMMEDIATE: Disable direct database access
  2. IMMEDIATE: Implement state root verification
  3. IMMEDIATE: Add transaction-only balance changes
  4. SHORT TERM: Implement database encryption
  5. MEDIUM TERM: Redesign to derived state architecture
  6. LONG TERM: Implement formal verification

Status

Discovery: April 13, 2026
Reported: April 13, 2026
Severity: CRITICAL
Priority: IMMEDIATE ACTION REQUIRED

This vulnerability represents a fundamental security flaw that must be addressed before any production deployment.

Implementation Progress

Phase 1 (Immediate Fixes) - COMPLETED April 13, 2026

1.1 Database Access Restrictions + Encryption

  • Added DatabaseOperationValidator class for application-layer validation
  • Implemented restrictive file permissions (600) on database file
  • Added database encryption key environment variable support
  • Restricted engine access through get_engine() function
  • File: /opt/aitbc/apps/blockchain-node/src/aitbc_chain/database.py

1.2 State Root Verification

  • Implemented Merkle Patricia Trie for account state
  • Added StateManager class for state root computation
  • Updated block creation to compute state root (consensus/poa.py)
  • Added state root verification on block import (sync.py)
  • Files:
    • /opt/aitbc/apps/blockchain-node/src/aitbc_chain/state/merkle_patricia_trie.py
    • /opt/aitbc/apps/blockchain-node/src/aitbc_chain/consensus/poa.py
    • /opt/aitbc/apps/blockchain-node/src/aitbc_chain/sync.py

1.3 Transaction-Only Balance Changes

  • Created StateTransition class for validating all state changes
  • Removed direct balance updates from sync.py
  • Removed direct balance updates from consensus/poa.py
  • Added transaction replay protection
  • Added nonce validation for all transactions
  • Files:
    • /opt/aitbc/apps/blockchain-node/src/aitbc_chain/state/state_transition.py
    • /opt/aitbc/apps/blockchain-node/src/aitbc_chain/sync.py
    • /opt/aitbc/apps/blockchain-node/src/aitbc_chain/consensus/poa.py

Security Tests Added

  • Database security tests (file permissions, operation validation)
  • State transition tests (replay protection, nonce tracking)
  • State root verification tests (Merkle Patricia Trie)
  • Files:
    • /opt/aitbc/apps/blockchain-node/tests/security/test_database_security.py
    • /opt/aitbc/apps/blockchain-node/tests/security/test_state_transition.py
    • /opt/aitbc/apps/blockchain-node/tests/security/test_state_root.py

Phase 2 (Short-Term) - COMPLETED - May 3, 2026

2.1 Database Encryption Implementation - SQLCIPHER ENCRYPTION SUCCESSFULLY IMPLEMENTED

Solution: SQLCipher database-level encryption (replacing failed file-level encryption approach).

Why SQLCipher:

  • SQLite extension that supports encryption at the database level
  • Maintains SQLite's internal format while encrypting data
  • Resolves the corruption issues with file-level encryption
  • Compatible with SQLAlchemy/SQLModel

Implementation Details:

  • Dependency: Added sqlcipher3-binary >= 1.2.0 to /opt/aitbc/pyproject.toml
  • Configuration: Added db_encryption_enabled flag to ChainSettings in /opt/aitbc/apps/blockchain-node/src/aitbc_chain/config.py
  • Database Layer: Updated /opt/aitbc/apps/blockchain-node/src/aitbc_chain/database.py to use SQLCipher when enabled:
    • Uses sqlcipher3 as SQLite module
    • Sets encryption key via connection event (PRAGMA key)
    • Only applies to ait-mainnet chain
  • Migration Tool: Created /opt/aitbc/apps/blockchain-node/scripts/migrate_to_sqlcipher.py:
    • Uses SQLCipher's built-in sqlcipher_export function
    • Properly encrypts existing databases without corruption
    • Creates backup before migration

Key Management:

  • Encryption key stored in /etc/aitbc/secrets/db_encryption.key (32-byte AES-256 key)
  • Key file permissions: 600 (owner read/write only)
  • Key format: Raw binary bytes, converted to hex for SQLCipher
  • Configuration: db_encryption_enabled=true in /etc/aitbc/.env

Migration Process:

# Stop service
systemctl stop aitbc-blockchain-node.service

# Generate encryption key
python3 /opt/aitbc/apps/blockchain-node/scripts/migrate_database_encryption.py generate-key --key-path /etc/aitbc/secrets/db_encryption.key

# Migrate database to SQLCipher
python3 /opt/aitbc/apps/blockchain-node/scripts/migrate_to_sqlcipher.py --db-path /var/lib/aitbc/data/ait-mainnet/chain.db --key-path /etc/aitbc/secrets/db_encryption.key

# Enable encryption in config
echo "db_encryption_enabled=true" >> /etc/aitbc/.env

# Start service
systemctl start aitbc-blockchain-node.service

Testing Results:

  • SQLCipher encryption module installed and functional
  • Migration tool created and functional
  • Database successfully migrated to SQLCipher format
  • Service starts and operates correctly with encrypted database
  • Database integrity verified (all 5 tables accessible: block, transaction, receipt, account, escrow)
  • No corruption issues
  • Service logs show normal operation (genesis block at height 0, head at height 38, block processing tasks started)

Implemented Components:

  • /opt/aitbc/pyproject.toml - Added sqlcipher3-binary dependency
  • /opt/aitbc/apps/blockchain-node/src/aitbc_chain/database_encryption.py - Key management (retained for other file types)
  • /opt/aitbc/apps/blockchain-node/src/aitbc_chain/config.py - db_encryption_enabled flag and db_encryption_key_path
  • /opt/aitbc/apps/blockchain-node/src/aitbc_chain/database.py - SQLCipher integration with connection event
  • /opt/aitbc/apps/blockchain-node/scripts/migrate_database_encryption.py - Key generation (retained)
  • /opt/aitbc/apps/blockchain-node/scripts/migrate_to_sqlcipher.py - SQLCipher migration tool
  • /opt/aitbc/apps/blockchain-node/tests/security/test_database_encryption.py - Unit tests (21/21 passing, retained for key management)

Comparison with File-Level Encryption:

  • File-level encryption: Corrupted SQLite databases due to incompatible file structure
  • SQLCipher: Encrypts at database level, maintains SQLite internal structure
  • File-level encryption: Manual encryption/decryption workflow
  • SQLCipher: Transparent to application, automatic encryption on connection

Current Status:

  • SQLCipher encryption successfully implemented and operational
  • Database encrypted at rest using AES-256
  • Service operating normally with encrypted database
  • No corruption or performance issues observed
  • Ready for deployment to other mainnet nodes

Phase 3 (Medium-Term) - PENDING

  • Derived state architecture redesign

Phase 4 (Long-Term) - PENDING

  • Formal verification

Notes

  • Chain reset is required for full deployment of Phase 1 fixes
  • Existing blocks do not have state roots (will be computed for new blocks)
  • State root verification currently logs warnings but accepts blocks (to be enforced in production)
  • Direct database manipulation is now prevented through application-layer validation
  • File permissions restrict database access to owner only