AirGap

Published in AirGap

Beacon SDK Audited By Least Authority

The Beacon SDK has successfully undergone an audit by the security research company Least Authority.

In collaboration with the AirGap team, Least Authority conducted an audit of the tzip-10 Typescript implementation Beacon SDK.

The tzip-10 standard defines the interaction between a wallet and an application, enabling users to sign operations with their favorite tzip-10 compatible wallet when prompted by the application.

Audit Findings And Remediation

The detailed report, its findings and remediations can be found here.

👉 Beacon SDK audit report by Least Authority

Issues

In total, 5 issues were identified by Least Authority. 3 of these have been resolved, 1 has been partially addressed and 1 was consciously not resolved.

Considerations
The following reported issues have been considered by the AirGap team but were only partially resolved or not resolved. Details on these findings are available in the audit report.

Partially Resolved — Issue B: Provided Tezos Networks Could Run Over Unsecured HTTP
The documentation has been updated to reflect the insecurity of HTTP with a recommendation that developers should warn their users if an insecure connection is being used.

However, the use of HTTPS was not enforced, given that developers may want to test applications using the Beacon SDK locally over plain HTTP, and setting up a secure connection for such local testing would require considerable effort.
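One way to follow the updated documentation's advice is to classify each configured Tezos node RPC URL before using it, allowing plain HTTP only for loopback hosts and producing a warning for any other HTTP endpoint. The following is an added example, not code from the Beacon SDK or the AirGap team; the function names, the loopback host list and the warning text are this example's own assumptions.

```typescript
// Added example (not Beacon SDK code): classify a node RPC URL so an application
// can allow HTTP for local testing while warning users about any other HTTP node.

type RpcUrlVerdict = "secure" | "insecure-local" | "insecure" | "invalid";

// Hosts treated as local testing targets (hypothetical list for this example).
const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]", "0.0.0.0"]);

function isLoopbackHost(hostname: string): boolean {
  if (LOCAL_HOSTS.has(hostname)) return true;
  // The whole 127.0.0.0/8 block is loopback, not only 127.0.0.1.
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname);
}

function classifyRpcUrl(rpcUrl: string): RpcUrlVerdict {
  let parsed: URL;
  try {
    parsed = new URL(rpcUrl); // WHATWG parser: lowercases the host, rejects missing schemes
  } catch {
    return "invalid";
  }
  if (parsed.protocol === "https:") return "secure";
  if (parsed.protocol !== "http:") return "invalid"; // e.g. ftp:, file:, javascript:
  return isLoopbackHost(parsed.hostname) ? "insecure-local" : "insecure";
}

// Returns the user-facing warning to show for this RPC URL, or null when none is needed.
// Loopback HTTP endpoints are silently allowed for local development.
function rpcUrlWarning(rpcUrl: string): string | null {
  const verdict = classifyRpcUrl(rpcUrl);
  if (verdict === "insecure") {
    return `Network RPC ${rpcUrl} uses plain HTTP: traffic to this node can be read or altered in transit.`;
  }
  if (verdict === "invalid") {
    return `Network RPC ${rpcUrl} is not a valid http(s) URL and will not be used.`;
  }
  return null;
}
```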

Unresolved — Issue C: Avoid Conversion Operations on Generated Keys
Given the chosen infrastructure, changing how generated keys are handled by introducing a second set of keys would result in radical changes to the infrastructure and added complexity.

The impact of this issue is not considered substantial enough to warrant such a drastic change to the system.

Suggestions

Least Authority suggested 4 changes, 2 of which have been addressed; the remaining 2 will be addressed in the future.

Unresolved — Suggestion 1: Custom Matrix Integration uses Outdated API
The suggestion has been acknowledged and a mitigation will be implemented in the future.

Unresolved — Suggestion 4: Add End-to-End Integration Tests
As there are no critical UI components in the reviewed version, the need for end-to-end tests was low. With new features currently under development this will change, and end-to-end tests will be implemented.

Acknowledgments

Security in projects like these is crucial. We want to thank Least Authority for providing this audit report and their valuable feedback. Additionally, our thanks go out to all the developers who have independently provided feedback on the Beacon implementations and the tzip-10 standard.

Do you want to try Beacon?

You can try out Beacon by using the Beacon Extension, the Beacon Example dApp and AirGap Wallet.

👉 Beacon Website
👉 Beacon SDK / Beacon SDK Documentation
👉 Beacon Extension
👉 Beacon Example dApp

Do you have any questions about Beacon? Join our Telegram group or directly reach out to us.

Interested in a secure wallet solution for Tezos? Take a look at AirGap.

Beacon Website | GitHub | Telegram | AirGap Website | Twitter
