Nano Protocol Security Audit Results

Summary and Full Red4Sec Report

Andy Johnson
Feb 2, 2019 · 2 min read

The Nano Foundation is passionate about its mission to see Nano widely used as a global digital currency. We understand that professionally conducted, independent security audits are essential to ensure that the code and infrastructure related to the node meet the security requirements expected of a global currency.

The process of securing an effective audit of the Nano protocol involved finding a reputable cybersecurity firm possessing sufficient knowledge of cryptography. In September 2018 we concluded that Red4Sec were sufficiently qualified to provide these services and contracted them to conduct a full audit of the Nano protocol and consensus algorithm. The following details provide a summary of the first security audit performed on the Nano node source code.

Audit Process

The audit process was carried out between October 24th and November 30th and included three main components:

  • Nano Cryptographic Assessment
  • Network Performance Analysis
  • Source Code Audit

The Nano Foundation received a comprehensive 43-page report in early December. The report contained one vulnerability classified as High according to the CVSS (Common Vulnerability Scoring System), two additional informational notices, and other general analysis. No critical vulnerabilities were found in the protocol.

“We are pleased to confirm that after conducting the security audit of the consensus code, no critical vulnerabilities were detected, proving Nano to be the most secure cryptocurrency we’ve tested” — Diego Jurado, co-founder of Red4Sec

Vulnerability Resolution

After reviewing the report, the team planned an update to resolve the only vulnerability identified. The update was included in the V17.1 release on January 21st:

Improper Validation of Array Index — An array was found to be used without proper bounds checking. After review of the source code, it was determined to be related to a third-party library (lmdb v0.9.21) not being the latest version; the latest version properly patches the vulnerability.

This fix was included in V17.1 with the following pull request:

Full Report

Red4Sec has been able to determine that the overall security level of the asset is optimal

View the full Red4Sec report

The Nano Foundation is pleased with the results contained in the Red4Sec report. The completion of this audit helps confirm that the development of the Nano protocol is carried out responsibly, effectively and with great care given to the security of the network and its users.
