Nano Protocol Security Audit Results

Summary and Full Red4Sec Report

The Nano Foundation is passionate about its mission to see Nano widely used as a global digital currency. We understand that professionally conducted, independent security audits are essential to ensure that the code and infrastructure related to the node meet the security requirements expected of a global currency.

The process of securing an effective audit of the Nano protocol involved finding a reputable cybersecurity firm possessing sufficient knowledge of cryptography. In September 2018 we concluded that Red4Sec were sufficiently qualified to provide these services and contracted them to conduct a full audit of the Nano protocol and consensus algorithm. The following details provide a summary of the first security audit performed on the Nano node source code.

Audit Process

The audit process was carried out between October 24th and November 30th and included three main components:

Nano Cryptographic Assessment

Network Performance Analysis

Source Code Audit

The Nano Foundation received a comprehensive 43-page report in early December. The report identified one vulnerability classified as High according to the CVSS (Common Vulnerability Scoring System) and two informational notices, along with other general analysis. No critical vulnerabilities were found in the protocol.

We are pleased to confirm that after conducting the security audit of the consensus code, no critical vulnerabilities were detected, proving Nano to be the most secure cryptocurrency we’ve tested — Diego Jurado, co-founder of Red4Sec

Vulnerability Resolution

After reviewing the report, the team planned an update to resolve the only vulnerability identified. The update was included in the V17.1 release on January 21st:

Improper Validation of Array Index: An array was used without proper bounds checking. After review of the source code, the issue was traced to a third-party library (lmdb v0.9.21) that was not at the latest version; the latest version properly patches the vulnerability.

This fix was included in V17.1 with the following pull request:

Full Report

Red4Sec has been able to determine that the overall security level of the asset is optimal

View the full Red4Sec report

The Nano Foundation is pleased with the results contained in the Red4Sec report. The completion of this audit helps confirm that the development of the Nano protocol is carried out responsibly, effectively and with great care given to the security of the network and its users.