Nano Protocol Security Audit Results
Summary and Full Red4Sec Report
The Nano Foundation is passionate about its mission to see Nano widely used as a global digital currency. We understand that professionally conducted, independent security audits are essential to ensure that the code and infrastructure related to the node meet the security requirements expected of a global currency.
Securing an effective audit of the Nano protocol involved finding a reputable cybersecurity firm with sufficient knowledge of cryptography. In September 2018 we concluded that Red4Sec was sufficiently qualified to provide these services and contracted them to conduct a full audit of the Nano protocol and consensus algorithm. The following is a summary of the first security audit performed on the Nano node source code.
The audit process was carried out between October 24th and November 30th and included three main components:
- Nano Cryptographic Assessment
- Network Performance Analysis
- Source Code Audit
The Nano Foundation received a comprehensive 43-page report in early December. The report contained one vulnerability classified as High according to the CVSS (Common Vulnerability Scoring System), two informational notices, and other general analysis. No critical vulnerabilities were found in the protocol.
We are pleased to confirm that after conducting the security audit of the consensus code, no critical vulnerabilities were detected, proving Nano to be the most secure cryptocurrency we’ve tested — Diego Jurado, co-founder of Red4Sec
After reviewing the report, the team planned an update to resolve the only vulnerability identified, which was included in the V17.1 release on January 21st:
Improper Validation of Array Index — An array was used without proper bounds checking. After reviewing the source code, the issue was determined to originate in a third-party library (lmdb v0.9.21) that was not the latest version; the current lmdb release patches the vulnerability.
This fix was included in V17.1 with the following pull request:
update lmdb submodule by argakiig · Pull Request #1563 · nanocurrency/nano-node
LMDB submodule updated to 0.9.23 includes ITS#8324 incremental DB file growth for Windows
Red4Sec has been able to determine that the overall security level of the asset is optimal.
The Nano Foundation is pleased with the results contained in the Red4Sec report. The completion of this audit helps confirm that the development of the Nano protocol is carried out responsibly, effectively and with great care given to the security of the network and its users.