Beam Security Audits — Results

As a privacy-focused company, we prioritize the safety of Beam's users.

Last update: December 27th, 2018

Beam builds a confidential and scalable coin designed for people, so security is vital.

Ahead of our expected launch, we would like to share the results of the two security audits we have commissioned so far.

Scope

We are releasing the final report of each external security auditor we contracted to review our code.

Beam’s code has been reviewed so far by:

  • Kudelski Security LTD — Q4 2018
  • Least Authority LTD — Q4 2018

Kudelski Security — Abstract

“Beam hired Kudelski Security to perform a security assessment of their blockchain, providing access to source code and documentation.

The repository concerned is https://github.com/BeamMW/beam. We specifically audited commits and changes up to commit ec633b71 during the work, because of the significant changes that occurred on the codebase during the audit.

This document reports the security issues identified and our mitigation recommendations, as well as our general assessment of the implementation and architecture.

A “Status” section reports the feedback from Beam’s developers and includes a reference to the patches related to the reported issues.

We report:
• 2 security issues of medium severity
• 7 security issues of low severity
• 10 observations related to general code safety”

The audit was performed by Dr. Jean-Philippe Aumasson, VP Technology, jointly with Yolan Romailler, Cryptography Engineer, and involved 20 person-days of work.

To read the complete report, please click here.

Least Authority LTD — Abstract

“Least Authority performed a security audit of Beam’s implementation of the Mimblewimble protocol, which is written in C++ and uses the Equihash mining algorithm. The audit was performed by Least Authority team members Ramakrishnan Muthukrishnan, Meejah, and Jan Winkelmann in collaboration with the Beam team members Alex Romanov, Vladislav Gelfer, and Artem Gorbachev from October 1 to November 9, 2018; the initial audit report was issued on November 14, 2018 and an updated report was issued on December 24, 2018 following the discussions, the updates made by Beam and the verification performed by Least Authority.

Overall, the code was found to be well structured and cleanly separated into different namespaces (i.e. wallet, Beam, ECC). Additionally, there are unit tests for critical modules like node, wallet, p2p protocol, and ECC, which is an important aspect of a quality codebase and helps to reduce the risk of code errors that are potentially exploitable.

Several issues and suggestions were identified throughout the duration of the audit which are documented in detail in the “Beam Implementation Final Audit Report”. Beam has acknowledged and resolved or responded to each of the issues and suggestions, assuring Least Authority that they are aware of the risks and vulnerabilities which were found to currently exist in the codebase and plan to publish the report findings with the community.

It is recommended that there be further analysis on the unresolved and partially resolved Issues and Suggestions in the report and that they are addressed as soon as possible. Additionally, it is recommended that the codebase be further improved by a focus on readability, increasing test coverage report generation, generally increasing the number of comments and properly vendoring dependencies.

It is commendable that Beam supports third-party security reviews and agrees that future audits continue as changes and features are introduced to the codebase to optimize the security of the Beam implementation.”

To read the complete report, please click here.

Where do we go from here?

Beam is still under development (and will be for the foreseeable future), so we encourage the community to help identify potential vulnerabilities in the network by submitting a report here or by alerting the team and the community on our community channels on Gitter, Discord or Telegram.

We want to thank the amazing teams at Least Authority and Kudelski Security for their insightful comments and suggestions. They helped us make our code better. We are satisfied with the audit results and positive feedback, and we will continue to do everything we can to make Beam as secure as possible.