IOHK Releases Cardano’s Byron Reboot Third-Party Security Audit; 11 Vulnerabilities Found
- IOHK publishes the potential vulnerabilities that were found and successfully resolved "to spur greater transparency and security across the industry."
- Cardano has released the latest version of Daedalus which is the mainnet wallet for Cardano and is faster with several improvements.
Just before entering into this month, Cardano went live with its Byron Reboot, in preparation for its transition to the Shelley mainnet.
The Reboot that took 18 months to complete was made “from scratch” and included a series of updates to the Cardano network — the node, explorer, and Daedalus wallet backend. The new design as explained by IOHK, was
“modular, separating the ledger, consensus, and network components of the node, allowing anyone of them to be changed, tweaked, and upgraded without affecting the others.”
In Cardano's drive to maximize decentralization of its network, the Byron reboot was one step; it was not a single event but a process.
Now, IOHK has published 11 potential vulnerabilities uncovered, and successfully resolved, during Phases 1 and 2 of the third-party audit of the Byron Reboot, "to spur greater transparency and security across the industry."
“It is vital that the blockchain industry lives up to its own vision of open and decentralized systems when it comes to the process of building blockchains,” said Cardano creator and CEO of IOHK Charles Hoskinson.
“Companies must not prioritize secrecy and speed to market over security because vast sums of money and even lives will depend on the software we produce.”
Potential vulnerabilities successfully resolved
As of April 20, 2020, the cybersecurity company root9B (R9B) had found insecure genesis key generation, which has since been rectified by altering the code to use secure key generation.
As with genesis key generation, the potential protocol incompletion and the primitive use of mock crypto were found to apply only to testing code, not production use, with the real implementation forthcoming.
For code practice and potential resource usage/denial of service (DoS), R9B confirms that the changes fully address issues 2, 3, and 4.
As for the ADA wallet, Daedalus has been fully upgraded to the Byron Reboot era and is now available for download, tweeted Hoskinson.
The brand new Daedalus is the mainnet wallet for Cardano. Built on the new Haskell codebase, this version brings advances in stability, reliability, and performance, along with improvements in connection, blockchain synchronization and wallet restoration speed, as well as reduced memory usage, IOHK shared.
Last night we announced our brand new Daedalus 1.0.0 mainnet wallet for #Cardano. Our best yet, it's a huge upgrade, faster and feature-rich. All built on the new Haskell codebase and featuring your feedback from our new Daedalus Flight program @cardano https://t.co/y0Uh1ojgU4 pic.twitter.com/2yJQjWElbr
— Input Output (@InputOutputHK) April 24, 2020
root9B found weakened protection (a relaxed Content Security Policy, CSP, in the Electron app), but IOHK uses this configuration until Chrome can evaluate WASM without it.
Also, the Blake hash function was applied only once to the spending password; IOHK confirmed that the "Daedalus frontend to Cardano wallet backend connection relies on TLS for password security in transmission and plans to phase out Blake hashing."
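The CSP finding above turns on one detail: older Chromium builds could only compile WebAssembly when script-src granted 'unsafe-eval', which also unlocks JavaScript eval(). CSP Level 3 later added the narrower 'wasm-unsafe-eval' keyword (shipped in Chrome 97) for exactly that case. The following is an added example, not IOHK or Daedalus code, and the two policies are constructed samples rather than the audited configuration: a small CSP parser that reports which eval-class relaxations a policy grants to scripts, and a rewrite that narrows 'unsafe-eval' to 'wasm-unsafe-eval' in script-src only.

```javascript
// Added example (not IOHK/Cardano code): audit an Electron or web app CSP
// string for the 'unsafe-eval' relaxation that WebAssembly historically
// required, and narrow it to the CSP Level 3 keyword 'wasm-unsafe-eval'.

// Constructed sample policies; not the Daedalus policy that was audited.
const WEAK_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-eval'; object-src 'none'";
const HARDENED_CSP =
  "default-src 'self'; script-src 'self' 'wasm-unsafe-eval'; object-src 'none'";

// Parse a CSP header value into a Map of directive name -> source expressions.
// Map preserves insertion order, so the policy can be re-serialized as given.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Effective script sources: script-src if present, otherwise default-src,
// which is the fallback the browser applies when script-src is absent.
function scriptSources(directives) {
  return directives.get('script-src') ?? directives.get('default-src') ?? [];
}

// Report what the policy lets scripts do: JS eval() and WASM compilation.
// 'unsafe-eval' enables both; 'wasm-unsafe-eval' enables only WASM.
function auditCsp(policy) {
  const sources = scriptSources(parseCsp(policy)).map((s) => s.toLowerCase());
  const jsEval = sources.includes("'unsafe-eval'");
  return {
    allowsJsEval: jsEval,
    allowsWasmCompile: jsEval || sources.includes("'wasm-unsafe-eval'"),
  };
}

// Rewrite: replace 'unsafe-eval' with 'wasm-unsafe-eval' in script-src only,
// leaving every other directive untouched. Policies without an explicit
// script-src are returned unchanged so the fallback semantics are not altered.
function narrowToWasm(policy) {
  const directives = parseCsp(policy);
  const sources = directives.get('script-src');
  if (!sources) return policy;
  const updated = sources.map((s) =>
    s.toLowerCase() === "'unsafe-eval'" ? "'wasm-unsafe-eval'" : s
  );
  directives.set('script-src', [...new Set(updated)]);
  return [...directives].map(([k, v]) => [k, ...v].join(' ')).join('; ');
}

// Stand-alone usage: compare the weak and narrowed policies.
console.log('weak:    ', auditCsp(WEAK_CSP));
console.log('narrowed:', auditCsp(narrowToWasm(WEAK_CSP)));
```

The audit deliberately checks the effective script sources (falling back to default-src), because a policy that omits script-src but puts 'unsafe-eval' in default-src is just as permissive. The narrowed policy still lets the renderer compile WebAssembly, which is the capability the original relaxation was there to provide, while removing JavaScript eval() from the renderer's reach.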
IOHK further plans to heed the potential future issue with the payment URI in any code that may encounter it, and to replace the update process with a new one to be released in April 2020.
R9B has also accepted the resolution that the randomization is for port conflict avoidance, and that IOHK has removed the exposed surface, including disabling the Monitoring Web Frontend in the configuration.
Lastly, the theoretical Denial of Service (DoS) vulnerability is expected to be fully resolved by the Ouroboros Praos private slot-leader schedule (Shelley).