Beacon SDK Audited By Least Authority
The Beacon SDK has successfully undergone an audit by the security research company Least Authority.
In collaboration with the AirGap team, Least Authority conducted an audit of Beacon SDK, the TypeScript implementation of tzip-10.
The tzip-10 standard defines the interaction between a wallet and an application, enabling users to sign operations prompted by the application with their favorite tzip-10 compatible wallet.
Audit Findings And Remediation
The detailed report, its findings and remediations can be found here.
In total, 5 issues were identified by Least Authority. 3 of these have been resolved, 1 has been partially addressed and 1 was consciously not resolved.
The following reported issues have been considered by the AirGap team but were only partially resolved or not resolved. Details on these findings are available in the audit report.
Partially Resolved — Issue B: Provided Tezos Networks Could Run Over Unsecured HTTP
The documentation has been updated to reflect the insecurity of HTTP with a recommendation that developers should warn their users if an insecure connection is being used.
However, the use of HTTPS was not enforced, given that developers may want to test applications using Beacon SDK locally over HTTP, where setting up a secure connection would require considerable effort.
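The recommendation above (warn users about insecure connections while still allowing local testing over HTTP), sketched as an added example; it is not Beacon SDK code and does not come from the audit report. `classifyRpcUrl`, `rpcWarning`, the loopback host list and the warning texts are hypothetical, and the sample URLs are constructed.

```typescript
// Added example; not part of Beacon SDK. All names here are hypothetical.
type RpcTransport = "secure" | "insecure-local" | "insecure-remote" | "invalid";

// Assumption: only these hosts count as a local test node. URL.hostname keeps
// the brackets around IPv6 literals, hence "[::1]".
const LOOPBACK_HOSTS: string[] = ["localhost", "127.0.0.1", "[::1]"];

function classifyRpcUrl(rpcUrl: string): RpcTransport {
  let url: URL;
  try {
    url = new URL(rpcUrl); // normalises scheme and host to lower case
  } catch (e) {
    return "invalid";
  }
  if (url.protocol === "https:") return "secure";
  if (url.protocol !== "http:") return "invalid";
  // Compare the parsed hostname exactly. Prefix or substring checks would
  // accept hosts such as "localhost.example.org" or "localhost@example.org".
  return LOOPBACK_HOSTS.indexOf(url.hostname) !== -1
    ? "insecure-local"
    : "insecure-remote";
}

// Returns the text to show the user, or null when no warning is needed.
function rpcWarning(rpcUrl: string): string | null {
  switch (classifyRpcUrl(rpcUrl)) {
    case "secure":
      return null;
    case "insecure-local":
      return "Connected to a local node over HTTP (testing only).";
    case "insecure-remote":
      return "This network is reached over unencrypted HTTP; traffic can be read or modified in transit.";
    default:
      return "The network URL is not a valid http(s) address.";
  }
}

// Constructed sample URLs.
for (const u of ["https://rpc.example.org", "http://localhost:8732",
                 "http://rpc.example.org:8732", "http://localhost@rpc.example.org"]) {
  console.log(u, "->", classifyRpcUrl(u), "|", rpcWarning(u));
}
```

Matching on the parsed hostname rather than on the raw string is what keeps a URL with `localhost` in its userinfo or as a subdomain label from being treated as a local node.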
Unresolved — Issue C: Avoid Conversion Operations on Generated Keys
Due to the chosen infrastructure, changing how generated keys are handled by introducing a second set of keys would result in radical changes to the infrastructure and added complexity.
The impact that this would have should not be so substantial as to warrant such a drastic change in the system.
Least Authority suggested 4 changes, 2 of which have been addressed and 2 of which will be addressed in the future.
Unresolved — Suggestion 1: Custom Matrix Integration uses Outdated API
The suggestion has been acknowledged and a mitigation will be implemented in the future.
Unresolved — Suggestion 4: Add End-to-End Integration Tests
As there are no critical UI components in the reviewed version, the necessity for end-to-end tests was low. But with new features under development at the moment, this will change and end-to-end tests will be implemented.
Security in projects like these is crucial. We want to thank Least Authority for providing this audit report and their valuable feedback. Additionally, our thanks go out to all the developers who have independently provided feedback on the Beacon implementations and the tzip-10 standard.
Do you want to try Beacon?
You can try out Beacon by using the Beacon Extension, the Beacon Example dApp and AirGap Wallet.
Do you have any questions about Beacon? Join our Telegram group or directly reach out to us.
Interested in a secure wallet solution for Tezos? Take a look at AirGap.