Today I continue to review “LocalCrypto” (formerly “LocalEthereum”) by applying the “System” (Security-Velocity-Engineering-Transparency) sub-rating.
According to their white paper, this platform consists of three layers: the “centralised”, “cryptography” (end‐to‐end encryption) and “blockchain” (escrow smart contracts).
One of the reasons I’ve noted this white paper is that its authors openly pointed out some of their platform’s shortcomings.
Extract: “LocalEthereum is not a completely decentralised system. Instead, it’s a blend of centralised and decentralised components to construct a cocktail of security and usability. … The Centralised layer is mainly used to store and transport encrypted payloads and metadata.”
Their “centralized component” consists mainly of servers, databases and, of course, an API. The authors remark: “(we keep) in mind that centralised systems can be compromised or replaced.” To guard against that, “LocalEthereum is designed so that no sensitive information is disclosed to the centralised layer” (e.g. the sender signature is verified each time the front‐end is showing messages).
The authors elaborate: “The primary attack vector we need to consider when managing keys in the browser is the possibility of malicious code being injected into the website.” To prevent this, they refrain from using third‐party‐hosted scripts (like Google Analytics or Google Maps) and utilize “all the HTTP and BGP security mechanisms available” (e.g. x509 public key pinning and DNSSEC). I am not sure, however, that those standard measures can really interfere with dedicated attackers’ plans.
Additionally, throughout the paper the authors repeatedly warn their users against violating basic security protocols (like using weak or reused passwords).
However, when the authors point out that they use a smart-contract-based escrow account to avoid the risk that “some clients may be scammers”, while users are allowed “to trade directly with each other without any third party”, they neglect to mention that smart contracts themselves present a large attack surface.
Overall, despite all those major and minor defects, I still think that “LocalCrypto” / “LocalEthereum” can be rated “b” on the “Engineering” scale, because it is, basically, designed “to do its job”. As to security, I think that the authors have compromised it for usability. Hence, “c+”.
As to “Transparency”, I appreciate very much the fact that the authors boldly expose the protocol’s deficiencies and lack of decentralization. However, I’m not ready yet to issue them a credit of my confidence, and I rank it “c+”. The system’s “Velocity” is, simultaneously, enhanced by the first layer’s mostly centralized character and slowed down by its “blockchain” layer (“b”).
Result for “System” (Security-Velocity-Engineering-Transparency): c+/b/b/c+
For detailed blockchain industry reports and projects analytics visit our platform: https://svetrating.com
For more information and community talks on this subject join our Whitepapers analysis Telegram group: https://t.me/joinchat/I5eQ-A6FSC2vXg_PNgFwJw
or my Twitter: https://twitter.com/SvjatoslavSedof
… also if you’re residing somewhere in the South Bay, CA, please, join our meetup group: https://www.meetup.com/South-Bay-Decentralized-Finance/