- IOHK, the development firm of Cardano, has revealed the results of the security audit for the Byron reboot code by Root9b and explained how the problems identified were resolved.
- In total, Root9b uncovered 13 vulnerabilities, with IOHK either issuing mitigating clarifications or having already made the fix.
In a report shared with Crypto News Flash, Input Output Hong Kong (IOHK), the company responsible for developing Cardano, revealed 13 vulnerabilities in the Byron Reboot code. These were uncovered and successfully fixed by Root9b during phases 1 and 2 of the security audit for the Byron Reboot code.
In order to increase transparency and security across the industry, IOHK has also decided to publish its mitigation strategy to encourage greater cross-sector collaboration in identifying and mitigating common vulnerabilities. Charles Hoskinson, CEO of IOHK, emphasized in reference to the publication of the audit results that this is of “critical importance” to meet the blockchain industry’s principles of an open and decentralized system, which is why the results were published:
Companies must not prioritise secrecy and speed to market over security because vast sums of money and even lives will depend on the software we produce. The industry must open its software development up to third-party audit and share knowledge of vulnerabilities for the benefit of the wider industry as well as user confidence. In this spirit, we chose to commission a third-party audit of the Byron Reboot of Cardano and to publicly disclose the vulnerabilities we found and the fixes we applied.
Root9b finds 13 vulnerabilities in the code of the Byron reboot
In the statement, shared with Crypto News Flash, on the security audit of the Byron reboot code by Root9b, IOHK has commented on each vulnerability found and described how the bug was fixed or issued a mitigating clarification. Root9b has already acknowledged all changes as resolved.
- Insecure Genesis key generation: Root9b has discovered that the generation of the Genesis key had a vulnerability. IOHK has clarified that the code in question was only intended for testing and quality assurance purposes and not for the mainnet, as well as made a change to the code for secure key generation.
- Code practice in relation to the ReadFile: A vulnerability in connection with the ReadFile was detected by Root9b and also fixed by changes.
- Code practice and potential resource usage related to Async Read
- Potential resource utilization/ Denial of Service (DoS)
- Potential protocol incompleteness – static node set: IOHK has made clear that the code was for testing purposes only.
- Primitive use of Mock Crypto: IOHK has confirmed that the mock implementations are not intended for use in production and that real implementations are imminent.
- CSP related vulnerabilities in the Electron App Daedalus: Root9b has identified alleged weak security measures related to the Content Security Policy (CSP). According to IOHK, this is a valid requirement until Chrome WASM can function without it. Since this is not a vulnerability, R9B accepts the clarification.
- Blake hash function was executed only once when applying an output password: IOHK confirms that the connection from the Daedalus front-end to the Cardano Wallet back-end relies on TLS for password security during transfer and plans to discontinue Blake hashing.
- Address randomization: IOHK clarified that address randomization is used to avoid port conflicts, so root 9b also accepted this clarification.
- Potential future problems related to the payment URI (Uniform Resource Identifier): IOHK plans to address this potential problem area for code.
- Theoretical Denial of Service (DoS) vulnerability: The problem identified by Root9b is completely resolved with the implementation of the private slot leader by Ouroborous Praos (Shelley).
- Update process: Resolution by an update in April 2020.
- IOHK monitoring the load on the web frontend: IOHK has removed the interface and removed the code fragment.