All Published Audits

January 2020

Lisk Project: Protocol Design + Implementation, January 2021 (report)


November 2020

Ethereum Foundation’s ethdo, November 2020 (report)

October 2020

Tezos Foundation’s Beacon SDK, October 2020 (report)

Centrifuge’s Tinlake 0.3.0, October 2020 (report)

September 2020

Tezos Foundation’s Atomex: Core Library + Desktop Client – Report

June 2020

Tezos Foundation’s Taquito – Report

Protocol Labs’ Gossipsub v1.1 Protocol Design + Implementation – Blog Post | Report


May 2020

Tezos Foundation’s TezosKit – Report


April 2020

Centrifuge Chain – Report

Centrifuge’s Tinlake Contracts + Actions – Report


March 2020

Ethereum Foundation’s Ethereum 2.0 Specifications – Report

Tezos Foundation’s BTG Pactual ReitBZ Token + Token Management Dashboard – Report

Tezos Foundation’s TzBTC – Report

ChainSafe Systems’ Utility Libraries – Report

ConsenSys AG’s MetaMask Plugin System + LavaMoat – Report

TRON Protocol – Report

2019

Five Security Audits for the Tezos Foundation, April 2018 – March 2019 (blog post)

    • Audit 1: Tezos Protocol (report)
    • Audit 2: Tezos Foundation Vesting Smart Contracts (report)
    • Audit 3: Galleon Wallet Developed by Cryptonomic (report)
    • Audit 4: Ledger Applications Developed by Obsidian (report)
    • Audit 5: TezBox Wallet by Stephen Andrews (blog post | report)

Cosmos Blockchain SDK Framework, January – February 2019 (blog post | report)

MetaMask Mobile Application, April 2019 (report)

Onion Routed Cloud (ORC), April 2019 (report)

Blockstack Stacks Investor Wallet, May 2019 (report)

ProgPoW Algorithm, September 2019 (report)

Ethereum Foundation’s Node Discovery Protocol, October 2019 (report)

Nervos Network, October 2019 (report)

ConsenSys AG’s MetaMask Permissions System + CapNode, December 2019 (report)

2018

FundRequest’s ICO Smart Contracts, February 2018 (blog post | report)

BEAM’s Mimblewimble Implementation, November 2018 (blog post | report)

Zcash Overwinter and Sapling, February – December 2018 (blog post)

    • Audit 1: Zcash Implementation Analysis (1.0.15) and Overwinter Specification Review (report)
    • Audit 2: Zcash Overwinter+Sapling Specification (report)
    • Audit 3: Sapling Implementation / RPC Interface (report)

2017

GNU libmicrohttpd (via Mozilla Secure Open Source Fund), June 2017 (blog post | report)

KnotDNS (via Mozilla Secure Open Source Fund), September 2017 (blog post | report)

Melonport, December 2017 (blog post | report)

2014 - 2015

SpiderOak’s Crypton Framework, February 2014 (blog post)

Cryptocat Chat Program (via Open Tech Fund), April 2014 (blog post | report)

Globaleaks Whistleblowing Platform (via Open Tech Fund), June 2014 (blog post | report)

Ethereum Incentive Analysis, June 2015 (blog post | report)


Contact Us

Have a question about the security of your blockchain project? Send us a message and someone from the security team will get back to you within 48 hours.

FAQ

Most frequently asked questions and answers.

An average audit takes about 2-6 weeks. However, the timeline depends on many factors, including your schedule requirements, the scope of the project and the availability of our engineers who are best suited for each audit. After an initial call, and once we have the information we need, we will send you a proposal within a week. The proposal will have scope details, areas of concern, and a potential schedule, along with the cost of the audit.

Yes! The final report is for you to share (or not share) however you wish. With your permission, we may also publish it on our website.

The choice to publish the final report to a public audience is entirely up to you. Least Authority only speaks publicly about projects for which we have permission to do so. Some clients see the audit as a good opportunity to inform public stakeholders about their efforts to improve the security of their projects, and we encourage this. However, we respect that other clients may prefer that their security audit process be kept entirely confidential.

In some cases, we may continue to collaborate with you to share knowledge with the larger community. This could be a blog post, a coordinated release, or other forms of informing stakeholders, like our panel discussion about the ProgPoW audit at DevCon5.

No, this is not a simple calculation, since the scope of our audits and the needs of our clients vary greatly. However, with a few important pieces of information we can usually get a proposal, including cost, to you within a week. We do our projects on a fixed-fee basis and invoice our clients on project deliverables, rather than offering estimates and invoicing for time spent.

Since the initial report brings attention to the vulnerabilities in the code, we recommend that clients resolve the issues as soon as possible to quickly bring confidence to their stakeholders, especially any users of the system. Significant changes to the codebase usually happen over time, so delays could render the audit results obsolete.

We have found, however, that nearly all of our clients manage to address the issues found (that they intend to fix) within 90 days of the delivery of the initial audit report. So, we set the maximum time we wait for responses to the initial report to 90 days, as explained further in the questions below.

In the event that you do not resolve critical security/privacy vulnerabilities in software prior to the release of the final audit report, Least Authority will note that the issues and suggestions remain unresolved.

Spec & White Paper Reviews

Penetration Testing & Red Team Activities

Security by Design Consultation

Source Code Audits

Network & Traffic Analysis

Mechanism & Incentive Design

Decentralized Systems Architecture

Blockchains, Cryptocurrencies & Distributed Ledgers

Audit Process

1. Schedule a call

We learn about your security needs and tell you about how we work.

2. Get a quote

We’ll prepare a project proposal, including a timeline and budget.

3. Conduct the audit

Our team of security researchers works with you to improve the security of your product.

4. Review findings

Based on our recommendations, we support your team to address the issues identified.

5. Finalize report

We verify the security issues that have been addressed and deliver a Final Report (publishing optional).

FEATURED AUDITS

Ethereum 2.0 Specifications

March 2020 – The Ethereum Foundation has requested that Least Authority perform a security audit of the Ethereum 2.0 Consensus and Networking specifications. Ethereum 2.0, a Proof of Stake (PoS) / sharded protocol, is a major network upgrade that is set to take place in 3 distinct phases: Phase 0 – Beacon Chain, Phase 1 – Shard Chains, and Phase 2 – Execution Environments. This audit is to be performed in preparation for the Phase 0 mainnet launch in April 2020.

ProgPoW Algorithm

September 2019 – Ethereum Cat Herders, Ethereum Foundation, and Bitfly have requested that Least Authority perform a security audit of ProgPoW, a Programmatic Proof-of-Work (PoW) algorithm intended to replace Ethash, in order to verify the security of the algorithm and provide clear metrics about its performance.

MetaMask Mobile Application

April 2019 – MetaMask has requested that Least Authority perform a security audit of their mobile application, a wallet and developer tool for applications built on Ethereum. MetaMask allows users to browse the web and interact with Ethereum applications, sign messages and transactions, and securely manage and store their private keys and assets.

Five Security Audits for the Tezos Foundation

March 2019 – We are happy to release the results of the five security audits that Least Authority performed in 2018 for the Tezos Foundation, a Swiss non-profit organization that supports Tezos, a distributed, peer-to-peer, permissionless network, and the community around it. This series of security audits was done as part of the Tezos Foundation’s effort to improve the security of the Tezos protocol and the greater ecosystem.