Wavelet: Security Audit

Unraveling the blockchain that scales and escapes the wrath of security auditors

Published in

PERL.eco

7 min readJul 17, 2019

31,240 payment transactions being processed per second over 240 consumer-grade nodes, and full WebAssembly support for building smart contracts; backed by the first ever secure leaderless proof-of-stake protocol.

That’s Wavelet! Thanks for reading! Like, share, and subscribe for more quality content!

But seriously, what’s special about this?

To understand this feat, we need to look at the current market and the flaws that plague it.

Cryptocurrency has always been faced with mixed opinions. Some see it as the world’s future currency while others see it as a scam. This is money we’re talking about and not everyone is willing to just accept a relatively new concept for it.

Is it easy to use? Is it secure? Is it fast? Can anyone and everyone use it?

These are just a few questions that flies within the nonbelievers, and blockchain companies use different methods to nullify their doubts. The most popular methods are proof-of-work and proof-of-stake.

Current Methods and their Problems

Proof-of-work

Protocols that utilize proof-of-work involve someone to prove that they put in a lot of effort, hence the name.

A miner would use computational power to create a block, whose hash has a number of prefixed zero bits, using a cryptographic hash function, and put it on top of the longest chain of blocks sprouting from a genesis block.

The number of prefixed zeroes required is determined by the currency’s protocol. The more prefixed zeroes, the higher the computational power requirement.

The longest chain is preferred because the longer the chain, the larger the computational power used. The larger the computational power used, the harder it is to reverse/manipulate the chain, making it much more trustworthy.

However, there are problems with this method.

Let’s say there are two chains sprouting from a genesis that are equal in length, but you want to put your block on the longest chain. What do you do? Well, what ends up happening is… wait for it… nothing.

Nothing happens until one chain becomes longer than the other, or you come across another chain that is longer than both, and then you can finally link your block to the chain.

There could be several chains that are of equal length and until you come across one chain that is the longest, nothing happens.

This is a lot like evolution, and it can take just as long.

Furthermore, computational power is what determines dominance.

If you have enough computational power, you can artificially make the longest chain, forcing other miners to link to your chain and claim dominance and bragging rights for yourself.

Feel free to buy millions of computers to assert dominance (give me a share since I suggested this to you).

This contradicts the decentralized ideals cryptocurrency was built upon as it makes everyone centralize upon a single person, or group, which could lead to fraudulent behavior.

Proof-of-stake

As an alternative, proof-of-stake involves an election process among validators where one is randomly selected to validate and mint the next block.

You don’t mine blocks here, you mint them instead (a minor terminology change).

To become a validator, you deposit an amount of currency as stake, hence the name.

Although the election process is random, you can increase your chances of getting selected by staking a higher amount.

If you get selected, you get to mint the next block in the chain.

Now the problem with this is that the next block is determined by, in layman’s terms, a stranger.

Sure, there is some trust in the validators due to there being penalties for fraudulent activities. However, will their judgment be optimal?

In a way, if you are not a validator, your fate is determined by a small group of people who are like leaders (doesn’t this circumstance sound familiar?).

What if the validators can’t make the correct choices? What if the validators make mistakes?

Just watching what has been going on in today’s politics shows that a mistake made by small, incapable groups responsible for much larger groups can lead to dire consequences.

This can apply to the proof-of-stake system as well, with your money on the line.

The Alternative?

We have proof-of-work, which can be slow and centralized. On the other hand, we have proof-of-stake, where your fate is determined by someone else.

None of the two options promise the security and scalability they claim, and that’s what Perlin emphasized on when developing the high-quality distributed ledger, Wavelet, that provides developers an easy and comfortable environment to create and deploy powerful applications.

The Reliability of Wavelet

Wavelet aims to tackle the flaws faced by the current market, with heavy emphasis on security and scalability.

To prove that Wavelet is as good as we say it is, we engaged the Dag-One team, a group of highly proficient security auditors that only review the most promising companies in a confidential manner.

They performed extensive tests and code reviews prior to the Wavelet Beta launch. Their overall evaluation was positive with them stating:

“During the audit of the Wavelet code base, we uncovered only a single major issue, which was quickly identified and fixed by the Wavelet development team, as well as a small number of minor issues. The overall results are excellent and this can be largely attributed to the use of a relatively safe high-level language, re-use of audited libraries, and careful planning on the part of the developers.”

Through their auditing process, the Dag-One team discovered 1 critical, 2 medium, and 2 low priority issues.

All important issues were resolved swiftly, with the remaining, less important issues soon to follow. For a more detailed rundown of what they found:

Ledger ordering error allows for minting new coins — Critical (Resolved)

Due to the way transactions are ordered, sending PERLs from one’s own account to the same account results in the received amount being added to the account’s balance before the sending is deducted.

Unbounded allocation — Medium (Resolved)

Messages received by a peer are unbounded with respect to their length, yielding a potential DoS attack vector.

Dependencies at risk — Medium (Soon-to-be resolved)

Wavelet has a large total number of dependencies, some of these dependencies appear to have very little activity and may be at risk of becoming unmaintained.

Denial of Service — Low (Soon-to-be resolved)

Building a tree of transactions which depend on transactions which have been pruned but not synced on some nodes lead to those nodes being unable to get the updated version of the ledger.

New wallet private keys created are world-readable — Low (Soon-to-be resolved)

The development tool “wallet-cli” creates wallet files containing private keys with mode 0755, which is world readable.

In spite of a thorough and nitpicky audit, the auditors only found subtle, non-problematic issues, and ended off the review complimenting the core dev team for the amount of work that has been put into Wavelet.

The Fight Against Fraudulent Elections

Furthermore, the Dag-One team recreated scenarios of fraudulent behavior and tested the outcomes from the system.

They reported and illustrated their finding in the form of graphs, which are shown below.

The graphs above show different percentages of the network stakers refusing to vote. Whether the no-voters are a majority or a minority, transactions made by nodes still got finalized.

This keeps stakeholders with malicious intent at bay. If they try to manipulate the system through sheer numbers and/or by not participating in the vote, they will not succeed.

Through this, the flaw with current proof-of-stake system is eliminated as one cannot manipulate the transactions and capitalize on fraudulent behavior easily.

This allows for a much more secure and leaderless system in Wavelet, which is not present in other systems.

For more information on the security audit and Wavelet, click here

To SS rank and beyond

With our emphasis on security and scalability, our community can confidently utilize our solutions without fear of any potential security breaches or bugs.

Wavelet has been made to be a powerful ledger that is more than ready for the public to get their hands on.

More security audits and peer reviews will be done as we approach main-net to show just how powerful, safe, and secure our ledger infrastructure is.

Try out the Wavelet beta now:

Wavelet
Documentation
Build a Decentralized Chat on Wavelet Tutorial

As always, we want your honest feedback and constructive suggestions to help us refine Wavelet to perfection.

’Til next time,
Maikro~