We are happy to release the results of the five security audits that Least Authority performed in 2018 for the Tezos Foundation, a Swiss non-profit organization that supports Tezos, a distributed, peer-to-peer, permissionless network, and the community around it. This series of security audits were done as part of the Tezos Foundation’s effort to improve the security of the Tezos protocol and greater ecosystem.

Audit 1: Tezos Protocol

Least Authority reviewed the Tezos protocol project codebase as part of the overall effort to prepare the protocol for its 2018 betanet and mainnet launches. Although this review followed a previous review of the OCaml codebase which had been undertaken by Inria, the results of their security audit were not disclosed to our team.

Our security audit was performed from April 16 to May 16, 2018, by Jean-Paul Calderone, Emery Rose Hall, Ramakrishnan Muthukrishnan, James Prestwich and Dominic Tarr. We identified four issues and two suggestions, in addition to highlighting three areas of further discussion including fuzzing, the Tezos self-compiler, and secure handshakes – all of which are outlined in detail in the final audit report.

The report was initially delivered on May 18, 2018 and an updated report following an initial verification was delivered on December 14, 2018. A final report following a secondary verification conducted based on the responses provided by the Tezos Foundation (Tezos Foundation Comments on the Least Authority Protocol Security Audit Report, 26 February 2019) was issued on March 14, 2019.

Audit 2: Tezos Foundation Vesting Smart Contracts

Shortly after completing the protocol review, the Least Authority team, in partnership with the Robur team, performed a security audit of the Tezos Foundation’s Vesting Smart Contracts, in which feedback was provided on the vesting contracts, the Michelson implementation, and the Tezos Foundation implementation. During this audit, three main security issues were identified and a series of suggestions were made as it relates to documentation inconsistencies.

The security audit was performed from June 8 – 14, 2018, by Johan Kjaer and Hannes Mehnert of the Robur team with support from Ramakrishnan Muthukrishnan of the Least Authority team. The initial report was issued on June 14, 2018, and an updated report following verification was delivered on December 14, 2018. A final report following a secondary verification conducted based on the responses provided by the Tezos Foundation (Tezos Foundation Comments on the Least Authority Vesting Smart Contracts Audit Report, 26 February 2019) was issued on March 14, 2019.

Audit 3: Galleon Wallet Developed by Cryptonomic

In June 2018, Emery Rose Hall and Dominic Tarr of the Least Authority team performed a security audit of the Galleon Wallet, a Tezos wallet, developed by Cryptonomic. Built in JavaScript using React and Electron, the wallet files and keys, encryption and decryption, and coordination with the backend systems, including Conseil and the Tezos node, is managed by Conseil.js, a Typescript-based client side library.

The audit took place from June 11 – 19, 2018, reporting eight security issues and making one suggestion to the development team at Cryptonomic. The initial report was issued on June 19, 2018 and, following discussion and verification, a final report was issued on July 13, 2018.

Audit 4: Ledger Applications Developed by Obsidian

Least Authority performed a security audit of the two applications for the Ledger Nano S Hardware Wallet, written in C with a CLI interface and developed by the team at Obsidian Systems.

The Tezos Ledger Baking Application’s purpose is to passively sign blocks and endorsements for a given baker with a given key, while the Tezos Ledger Wallet Application is responsible for sending and receiving tokens from the Ledger and delegating baking and voting rights to another key.

The audit was performed from June 18 – 22, 2018, by Ramakrishnan Muthukrishnan and Meejah from the Least Authority team. We identified seven security issues and made two suggestions to the team at Obsidian. The initial report was issued on June 22, 2018, and a final report was issued on July 24, 2018, following discussion and verification.

Audit 5: TezBox Wallet by Stephen Andrews

As the final audit in the series of 2018 Tezos reviews, Least Authority performed a security audit of the TezBox Wallet, used by the Tezos community and developed by Stephen Andrews. The audit was performed from August 6 – 13, 2018, by Emery Rose Hall. The initial report was issued on August 15, 2018. The final report was issued on September 11, 2018 following the discussion and verification phase. This report was initially released on February 7, 2019, and more information on the results can be found in a separate blog post.

Least Authority appreciates the effort by the Tezos Foundation team in both commissioning the audits and taking the time to provide thorough responses to the issues identified in our reviews. In addition to continuous audits on future iterations of the codebase, we recommend that there be further analysis of the unresolved and partially resolved issues and suggestions in the reports and that they are addressed promptly. At Least Authority, we strongly encourage that audit results are responded to in a time sensitive manner, in order to achieve an optimal outcome for our clients and the community utilizing their technology and tools. Greater security is achieved and risks to the end users are decreased if security vulnerabilities are discussed, addressed, and verified with as little delay as possible.