This article serves as a case study of how Open Security, a guild on Cantina offering traditional Web2 security services, conducted a time-critical, client-tailored source code review and penetration test on ArConnect - a non-custodial Arweave native wallet by Community Labs - to meet product rollout timelines.
Through Cantina, companies, projects, and agencies alike will be able to submit requests to a wide and open marketplace, quickly receive quotes from multiple parties, and hire freelance talent directly via a reputation system that allows individuals and groups to stand out on their merit alone.
Open Security is an award-winning, veteran-owned cybersecurity firm servicing clients worldwide. With decades of experience defending networks from the latest threats, their mission is to make cybersecurity accessible.
Community Labs is a software development company and venture studio focused on accelerating developer tools, use cases, and adoption of Arweave. One of their products, ArConnect, is an Arweave-native wallet extension that provides a non-custodial wallet and asset management in your favorite browser. The extension allows Arweave wallet holders to interact with any dApps without sharing their private keys with them. The isolated environment that ArConnect creates is not only a security improvement for users, but it also provides a more seamless login flow for applications.
In the realm of the Web3 ecosystem, a myriad of projects are placing an intense focus on enhancing the security of their blockchain infrastructures. This emphasis on fortifying blockchain ecosystems has been a pivotal development, but it has also become increasingly clear that there is a pressing need to address the security concerns inherent in the traditional Web2 framework. The foundational role that Web2 plays in the burgeoning Web3 ecosystem necessitates this heightened attention to its security elements.
Before the summer of 2023, Cantina’s customers needed to seek and evaluate independent companies to perform traditional penetration testing and Web2 security services. While Cantina and its clients maintain high technical skillsets and security resources, no organization can do it all. Open Security complements the already robust capabilities of Cantina and its clients by providing a holistic approach to cybersecurity, with a focus on traditional penetration testing and Web2 security.
A truly secure environment is built not just by addressing existing vulnerabilities but by proactively identifying and mitigating both legacy (Web2) and contemporary (Web3) threats. The need for traditional vulnerability management, penetration testing, and traditional source code reviews is evident as key figures and protocols are suffering from front-end / server-side exploits, account takeovers, credential/key theft, social engineering, and many other attack vectors that we should be increasingly mindful of.
Open Security leveraged the Cantina Guild Service, a model in which each guild operates as a distinct security services provider with its own set of standards to ensure quality. This creates a more systematic deal flow for guilds: Cantina can route each client's security needs to the guild whose skillset best matches them.
The testing phase was initiated on July 3, 2023, and concluded on July 17, 2023. The period consisted of a review of the source code to identify vulnerabilities, followed by dynamic testing to validate the potential weaknesses identified. A comprehensive examination of the source code revealed robust coding practices, with only a single high-severity finding identified in the extension. Although several hardening measures were identified throughout the testing process, the technology stack and architecture already mitigated a number of vulnerability classes, which allowed the remaining issues to be resolved on an extended timeline without exposing users in the interim.
Community Labs demonstrated a strong commitment to addressing the identified issues, successfully resolving all five findings, inclusive of informational findings, within two weeks of the initial report delivery. During the above-mentioned period, the team identified a total of 5 issues in the following risk categories:
Critical Risk: 0
High Risk: 1
Moderate Risk: 1
Low Risk: 0
Informational: 3
The Cantina team had a positive experience working with Open Security. The Open Security team was professional and communicative and ensured that they were aligned with the client’s goals and desired results. The Open Security team provided comprehensive updates to the Community Labs team and was very keen on ensuring that support after the engagement was thorough and responsive.
The Open Security team did an excellent job in providing mitigation recommendations as well as continuing to dive into vulnerabilities identified after the review had already been completed. We want to recognize Open Security for going the extra mile and attest to their commitment to quality traditional security services.
The clarity of Open Security's reports set them apart. Each identified vulnerability was comprehensively detailed yet articulated in a manner that is clearly understood, irrespective of technical proficiency. The true distinction, however, lay in the interactive discussions and walkthroughs with the Community Labs team; the collaborative spirit between Cantina and Open Security was most evident during remediation efforts. Traditionally, the process moves through stages, from report review to planning and then to the execution of mitigation strategies. Due to changes in the client's rollout timelines, Open Security tailored their standard approach, enabling client remediation to happen in tandem with the reporting process.
In retrospect, Open Security wasn't just an external reviewer for us; they’ve emerged as strong partners in securing our clients’ infrastructure and we are excited for continuing to engage with them in the future.
Below we highlight Open Security’s experience with Cantina as a traditional penetration testing firm rather than a smart contract security services provider.
Open Security's experience working through Cantina has been exceptionally positive. The platform offers a seamless and user-friendly interface, making it a pleasure to work with. One of the most significant advantages is the peace of mind it provides – Cantina ensures that clients brought to us are of high quality, sparing us the need to worry about client credibility or trustworthiness from the outset.
Cantina's platform excels in flexibility, facilitating smooth collaboration with clients like Community Labs. It provides a direct avenue for communication, allowing Open Security to interact with Community Labs seamlessly. Importantly, Cantina's approach respects our autonomy and never interferes with our communication or work processes, always remaining a helpful resource in the background.
Working with Cantina has significantly reduced the sales overhead for Open Security. We no longer need to invest time and effort in finding and developing client relationships. Instead, Cantina streamlines the process by handling paperwork, NDAs, billing, and payment processing. Notably, Cantina's use of an escrow payment system benefits both Open Security and clients like Community Labs. It ensures payment security for clients, knowing they won't release funds until a satisfactory job is done, while also assuring that we'll receive timely payment for our services.
One of the standout features of Cantina is that it keeps our established work processes intact. Our engagements with clients through Cantina remain consistent with our usual methods, which is highly beneficial. Cantina ensures excellent communication by providing dedicated communication channels tailored to each engagement, fostering an environment that supports robust quality assurance. It actively focuses on the client's needs and the flow of communication, ultimately enhancing the overall client experience.
Open Security's collaboration with Cantina has not only streamlined the client acquisition process but has also provided a secure and efficient platform that values flexibility, direct communication, and quality assurance. Cantina has significantly reduced the sales burden, allowing us to focus on delivering top-notch cybersecurity services while maintaining peace of mind regarding client credibility and financial security.
Cantina plans to continue engaging Open Security's security researchers to secure the traditional Web2 infrastructure of leading Web3 protocols, based on their commitment to client experience, review quality, and responsiveness. Web2 security plays a foundational role in the ever-growing Web3 ecosystem and must be taken seriously to provide a robust security posture for any protocol.
Open Security is a trusted cybersecurity partner that ensures projects, like ArConnect, are fortified in the face of evolving digital threats. This recent collaboration exemplifies their unwavering dedication to bolstering the security of Web3 projects’ underlying Web2 ecosystems. In today's dynamic digital landscape, robust security is paramount, and Open Security's expertise bridged the gap between Web3 technologies and the security of traditional Web2 infrastructures.
In the transition from Web2 to Web3, addressing vulnerabilities inherent in legacy technological architectures is paramount. Open Security possesses deep expertise in identifying and rectifying these gaps, ensuring Web3 initiatives are built upon a robust and secure foundation. As the digital landscape advances, it's essential to have a partner who comprehensively understands the nuances of both worlds. Open Security's mission is to secure a diverse range of organizations, addressing their multifaceted security needs.
For Cantina, we've discovered a steadfast partner who effectively safeguards our team's interests.
If you’re interested in reading the full report from Open Security’s security review of ArConnect, the report is viewable here.
We can’t wait to change the web3 security landscape for the better. Come see what the best security talent across Web3 has to offer by visiting us at:
The Cantina 🪐