Input Output (IOHK), the research and development arm of the Cardano blockchain platform, today, April 24, released a report on the vulnerabilities discovered and remediated during phase 1 and phase 2 of a third-party security audit of the Cardano ecosystem and its recently launched Byron Reboot, conducted by Root9B (R9B).
The public disclosure of the vulnerabilities aims to promote transparency and security across this nascent industry and to demonstrate that Cardano is being built to the most exacting standards of security and assurance.
Charles Hoskinson, CEO of IOHK, said:
“It is vital that the blockchain industry lives up to its own vision of open and decentralised systems when it comes to the process of building blockchains. Companies must not prioritise secrecy and speed to market over security because vast sums of money and even lives will depend on the software we produce. The industry must open its software development up to third-party audit and share knowledge of vulnerabilities for the benefit of the wider industry as well as user confidence. In this spirit, we chose to commission a third-party audit of the Byron Reboot of Cardano and to publicly disclose the vulnerabilities we found and the fixes we applied.”
On April 5, Charles Hoskinson sat down to give an update on IOHK's work on Cardano. He told the community that the company was taking remediation steps to fix the major problems discovered by the R9B team. He said the audit report would be released publicly, giving the date of April 17, subject to R9B's permission.
On April 17, Charles Hoskinson announced that a formal response, titled “Response to Security Audit Report (Byron Reboot)” and listing remediation steps and mitigating clarifications for the areas of concern identified in the Phase 1 and Phase 2 audit reports, had been sent to R9B and was awaiting the auditor's confirmation. The public release of the audit report was therefore expected within the following week. The report has finally emerged today.
On April 21, R9B published a document titled IOHK Mitigation Verification, reviewing the remediation steps taken by IOHK. According to the document, R9B found 13 potential issues with the reliability of the Cardano blockchain and the Byron Reboot, all of which have been fixed and cleared by the auditor.
These issues include:
Insecure Genesis Key Generation Code
IOHK said that the code in question was only used for testing and quality assurance, not for production keys. IOHK has also altered the original code to use secure key generation. R9B approved this step.
Code Practice – ReadFile
R9B confirmed that IOHK's remediation fully addresses this issue.
Potential Resource Usage/Denial of Service (DoS)
R9B confirmed that the alteration made by IOHK resolves this issue.
Potential Protocol Incompletion – Static Node Set
IOHK clarified that the code in question was only used for testing.
Primitive Usage – Mock Crypto
IOHK said that the mock was not intended for production and that a real implementation is coming next. R9B approved this resolution.
Other vulnerabilities include weakened protections (the CSP in the Electron app Daedalus), the Blake hash function being applied only once when deriving a key from a spending password, an address randomization suggestion, a potential future issue with the payment URI, a theoretical denial of service (DoS) vulnerability, issues with the update process, and a vulnerability in IOHK's monitoring web frontend.
All the vulnerabilities have been mitigated, and the mitigations have been confirmed by the R9B team.
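The spending-password item above names a weakness class without explaining it: a single fast hash of a password gives an attacker who obtains the encrypted wallet file a guessing rate limited only by hash speed, and an unsalted hash maps equal passwords to equal keys. The following Python is an added illustration written for this article; it is not code from IOHK, Daedalus or R9B and does not describe how the finding was actually fixed. It contrasts a single unsalted BLAKE2b hash with a standard salted, iterated key derivation (PBKDF2-HMAC-SHA256 from the standard library, chosen here as an assumption, not because the audit prescribed it) and measures how much slower each guess becomes. The password and salts are constructed sample values.

```python
import hashlib
import hmac
import os
import time

# Constructed sample input (not from the audit report).
SAMPLE_PASSWORD = "correct horse battery staple"


def single_blake2b_key(password: str) -> bytes:
    """The weak pattern: one unsalted BLAKE2b hash of the password.

    Deterministic and microsecond-fast, so an offline attacker can test
    guesses at full hash speed and equal passwords yield equal keys.
    """
    return hashlib.blake2b(password.encode("utf-8"), digest_size=32).digest()


def new_salt() -> bytes:
    """Fresh 16-byte random salt from the OS CSPRNG, stored alongside the ciphertext."""
    return os.urandom(16)


def derive_spending_key(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Hardened form (assumed design): salted, iterated PBKDF2-HMAC-SHA256, 32-byte key.

    The iteration count is the tunable cost; raise it as hardware gets faster.
    """
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 bytes")
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def verify_spending_key(password: str, salt: bytes, expected: bytes, iterations: int = 200_000) -> bool:
    """Re-derive and compare in constant time so timing does not leak key bytes."""
    candidate = derive_spending_key(password, salt, iterations)
    return hmac.compare_digest(candidate, expected)


def slowdown_factor(password: str, iterations: int = 200_000) -> float:
    """How many times more expensive one iterated derivation is than one bare hash.

    The single hash is timed over a batch of 1000 calls to get a stable per-call figure.
    """
    salt = new_salt()
    start = time.perf_counter()
    for _ in range(1000):
        single_blake2b_key(password)
    per_single = (time.perf_counter() - start) / 1000
    start = time.perf_counter()
    derive_spending_key(password, salt, iterations)
    per_iterated = time.perf_counter() - start
    return per_iterated / per_single


if __name__ == "__main__":
    salt = new_salt()
    weak = single_blake2b_key(SAMPLE_PASSWORD)
    strong = derive_spending_key(SAMPLE_PASSWORD, salt)
    print("single hash, same password twice, identical:",
          weak == single_blake2b_key(SAMPLE_PASSWORD))
    print("salted KDF, same password, new salt, identical:",
          strong == derive_spending_key(SAMPLE_PASSWORD, new_salt()))
    print("verification with correct password:",
          verify_spending_key(SAMPLE_PASSWORD, salt, strong))
    print("verification with wrong password:",
          verify_spending_key("wrong password", salt, strong))
    print("cost per guess relative to one bare hash: %.0fx" % slowdown_factor(SAMPLE_PASSWORD))
```

The comparison shows the two properties a password-based key derivation needs and a single hash lacks: a per-wallet salt, so identical passwords do not produce identical keys and precomputed tables are useless, and a tunable work factor, so each guess costs the attacker roughly as much as it costs the legitimate user at unlock time. A memory-hard function such as scrypt or Argon2 strengthens the second property further against GPU and ASIC guessing.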