Least Authority Audit of Auro Wallet Extension – full report

Least Authority have now completed their audit of the Auro Wallet Extension. The audit was commissioned by the Mina Foundation and you can download the full report here. The report has only just been published, so hopefully we can get some feedback from the developers in due course. You can read more about the Auro wallet here.

UPDATED 10 August 2021. I contacted Bit Cat (niuniu) via Telegram to get some clarity on the items the audit pointed to as things that needed to be addressed (see below). As the developers, Bit Cat received the full audit report some time before publication and were able to incorporate updates to the following.

(Issue A) Our team closely evaluated the Auro background component, in which encrypted private keys are stored. It is apparent that the Auro Wallet team has considered security in the design of this component, as demonstrated by requiring sensitive data in the browser extension storage to be encrypted. However, under feasible preconditions, we found that the user password, which grants the user access to the wallet extension functionality and decrypts the sensitive data in the browser extension storage, can be retrieved from the memStore of APIservice.js. We recommend that the user password be cleared from memory upon each user lock out. 

This has now been updated.

(Issue B) Furthermore, we found that the encryption library used to encrypt sensitive data stored in the browser extension uses a CPU-bound key derivation function, which could make low entropy user passwords brute-forceable. We recommend that a more secure key derivation function be implemented to protect against brute-force based attacks. 

This has now been updated.

(Issue C) Auro UI – We examined all user input fields in Auro UI and potential vulnerabilities to Cross-Site Scripting (XSS) attacks. We also investigated the security features of the Auro UI and found that the input field Memo in the pages Send and Stake allow for a GraphQL injection. Although we did not identify any scenario that would result in loss of funds, we recommend adhering to GraphQL best practices in order to avoid GraphQL injections.

This has now been updated.
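To illustrate the point behind Issue C, here is an added example (my own illustration, not code from Auro or from the audit report) contrasting a memo that is inlined into the GraphQL query text with one passed as a typed variable; the sendPayment mutation shape and field names are assumed for the illustration only.

```javascript
// Added example, not Auro Wallet code. The mutation shape (sendPayment with
// to/amount/memo inside an input object) is an assumption for illustration.

// Risky pattern: user input is spliced into the query document itself, so a
// memo containing a quote can alter the structure of the mutation.
function buildMemoMutationInline(to, amount, memo) {
  return {
    query: `mutation { sendPayment(input: { to: "${to}", amount: "${amount}", memo: "${memo}" }) { id } }`,
  };
}

// Recommended pattern: the query document is a fixed string and every
// user-supplied value travels in `variables`, where the server parses it as
// data, never as part of the query syntax.
const SEND_PAYMENT_QUERY = `mutation SendPayment($to: String!, $amount: String!, $memo: String) {
  sendPayment(input: { to: $to, amount: $amount, memo: $memo }) { id }
}`;

function buildMemoMutationSafe(to, amount, memo) {
  return { query: SEND_PAYMENT_QUERY, variables: { to, amount, memo } };
}

// Cheap defensive check for the extension's background layer: refuse to send
// anything whose query text is not one of the fixed documents we expect.
const ALLOWED_QUERIES = new Set([SEND_PAYMENT_QUERY]);
function isAllowedRequest(request) {
  return ALLOWED_QUERIES.has(request.query);
}

// Constructed sample: a memo that closes the string and adds an argument.
const SAMPLE_MEMO = 'thanks", fee: "0';
```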

Disclaimer
We are not qualified brokers/dealers, or investment advisors. This website and its associated content is not a service for the giving or receiving of financial or investment advice. None of the content constitutes – or should be understood as constituting – a recommendation to enter in any securities, cryptocurrency, or cryptoasset transactions or to engage in any of the investment strategies presented in my discussions or content provided. We do not provide personalised recommendations or views as to whether a stock, cryptocurrency, cryptoasset or investment approach is suited to the financial needs of a specific individual.