MeowSwap Technical Series: Audit Reports
Ensuring the security, quality and reliability of our systems is at the heart of our mission here at MeowSwap. In order to make sure your funds are safe, we commissioned two third-party auditing companies to attempt every method they could think of to attack our systems and report back their findings.
The auditing experts from both companies attempted to intercept private data, abuse systems, disrupt routine operations, and probe other security hazards by imitating cybercriminals in what is known in the industry as a “penetration test” or “pentest”. The findings of the penetration tests were used to identify security risks and uncover means of gaining unauthorized access to the target object (our DEX), its data, or other methods of breaching the security of the target.
The tests used a mix of manual and automated tools and methods to detect and attack the target environment’s vulnerabilities (Cardano full nodes). The primary vulnerabilities that were considered for testing are listed here: https://owasp.org/www-project-top-ten/
If you are short on time, the “TL;DR” is that even with the firewall and IP whitelisting turned off to give them a fighting chance; the simulated adversaries could not gain meaningful access or cause any harm to MeowSwap’s systems — It turns out cats are hard to pin down!
The article below contains the ‘cliff notes’ of the full audits — the documents themselves are linked at the end of the article.
Read on to find out how this kind of testing is achieved, the reasoning behind it and crucially; how well MeowSwap is secured against security threats!
The following categories were considered and tested by H-X Technologies:
Vulnerability testing: This phase’s goal was to find open-source and commercial security flaws in the target environment. Penetration testers identified hosts, services, and vulnerabilities during this phase. An invasive vulnerability testing phase may have been detected by any intrusion detection or monitoring systems on the client network.
Manual verification: Penetration testers employed manual ways to verify automated tool outputs and remove false positives. Penetration testers also employed manual testing to find subtle flaws. Manual verification is superior to using just automated methods. These sophisticated approaches may often detect false positives from automated programs.
Vulnerability exploitation: Penetration testers strive to exploit all discoverable flaws. Penetration testers perform exploits to achieve the specified aims of the penetration test, but they do not actively attack any vulnerability without the Customer’s authorization. Exploiting some flaws may reveal other flaws that need more testing to discover possible issues. Please note that penetration testers only follow this iterative method to the amount required to complete the evaluation.
Conclusions: The nodes were investigated and assessed as planned. It was concluded that Neither authorized nor unauthorized persons (attacker, invader) may create major security breaches to MeowSwap’s node infrastructure. Some minor vulnerabilities were detected. The technical These vulnerabilities were documented, analyzed and assessed.
A medium risk level may cause mild damage or provide otherwise private information about the target system. Assuming the attacker lacks desire or competence, or controls prevent exploiting the vulnerability — as is the case for MeowSwap’s nodes. Threat-related security issues of this type do occur in the industry, but are not possible in Cardano due to the way it is implemented in the formal programming language Haskell and by extension /Plutus. Reproducing an assault requires great skill and/or extenuating circumstances.
“The results of the assessment testify the industry standard high security level of the target nodes as of the date of the pentest project completion.”
Our second auditing partner Hexens focused on the following threat profiles:
- Server-side vulnerabilities
- Vulnerable or excessively open services
- Local Privilege Escalation vulnerabilities
- Network and Firewall configurations
- Operating system configurations
- Password Policy
- Out of date/vulnerable software
- Patch management
After considering these threats, Hexens concluded the following:
“The infrastructure and servers contained in the scope of work met security best practices and principles. Our experts found one minor issue and recommended a fix for it. Our expert’s opinion is that the scope can be considered as low-risk severity.”
You made it to the end, congratulations! Let us reward you with the link to the full audit reports for your viewing pleasure.
MeowSwap audits report: https://meowswap.gitbook.io/audits/