Monero’s Second Bulletproof Protocol Audit Gets All Vulnerabilities Patched Up
Monero developers seem to be working hard to make the Bulletproof protocol really live up to its name. After the security research company QuarksLab audited the Bulletproof protocol and announced its findings, the developers rushed to solve them all.
A total of 8 critical issues, two medium-impact ones and 20 small vulnerabilities were found during the security audit. Now, the company has already patched all the eight major issues that were harming the system and could represent problems if they were not patched out.
This was the result of the second audit commissioned by the Monero Research Lab with the help of the Open Source Technology Improvement Fund, Private Internet Access and the Monero community, which have all worked together to create this new protocol.
The first audit, which we reported on our blog, was made by Kudelski Security back in July 2018. At the time, the report affirmed that the code was largely clean and without issues, however, it had four small bugs. Most of the issues at the time derived from the implementation of the original Java code in C.
However, this new audit, which was led by three senior engineers, was considerably deeper and it found a lot of issues that seemed to escape Kudelski Security.
The Main Issues
The main issue that was found out by the second audit was one that could be used for denial of service attacks. This could lead someone to remotely crash the Monero nodes and cause a large DoS attack. The same vulnerability could also be used to make 51% attacks and could cause a chain split and double spend.
Unfortunately, the live code was also affected by this old issue, so the team had to halt the report and work to solve the code as fast as possible to avoid someone using the information to attack the Monero network. As soon as the issue was patched, the Monero Research Lab and QuaksLab resumed their work. Now the vulnerability is gone.
Four other major vulnerabilities could be triggered by untrusted inputs into the system and could be used to accept false proofs, but they were patched as well.
As part of the audit, QuarksLab made several suggestions for how people could improve code practices and make Monero better and ensure its better performance.
The Bulletproof Protocol
The Bulletproof protocol is a new version of Monero that will act as a zero-knowledge proof (ZK-Snarks) improvement tool. It was first proposed in December last year and its main goal is to make Monero faster and more stable.
With the help of this new protocol, users will now get significantly faster transactions while enabling the code to be more efficient and to verify the authenticity of the transactions without revealing who is making them, which is the main selling point of Monero.