In the world of state-of-the-art technology, any reputable development team will have their code audited by an external tech auditing firm in order to make sure there are no potential weaknesses. As has been shown in recent months with other projects (such as Poly Network), even tiny flaws in code can be exploited and millions of dollars can be lost as a result, not to mention the ruined credibility of a project.
Mina Protocol currently has 3 main wallets options and all three, Auro, Clorio and Staking Power have undergone extensive audits by Least Authority. I thought it would be interesting to find out exactly what is involved in an audit, so I spoke to Shane Farrell from the company to find out more…
How did Least Authority start?
Least Authority was started in the U.S. in 2011 and in 2016, the company relocated to Berlin. We are a technology company supporting people’s right to privacy through security consulting and building secure solutions.
How long have you been working for the company personally?
I have been with Least Authority since March 2021.
How many audits per year does the company do?
We just completed our 100th audit in July and we have over 70 audit reports published on our website. We have seen an increase in demand for security audits over the past few years and have steadily expanded our team. To date, we have completed over 40 security audits this year, which exceeds the total number of security audits we completed in 2020.
Is there a standardised way to audit a piece of software ?
We do not adhere to a single standard for conducting a security audit as our approach needs to vary, just as the design and development of software varies. Although some projects have similarities, every project (technology and language) requires different skills and approaches.
We conduct manual reviews and analysis of code and utilize tools insofar as they support our ability to identify security risks in any particular security audit project. We do, however, have a standard methodology that is applicable for all of our security audits. For example, in manually reviewing all of the code, we look for any potential issues with code logic, error handling, protocol parsing and misuse of cryptography. We also watch for areas where more defensive programming could reduce the risk of future mistakes and speed up future audits.
Although our primary focus is on the in-scope code, we examine dependency code and behavior when it is relevant to a particular line of investigation.
Further details about our methodology is available in the relevant section in each of our published audits. We encourage anyone interested in a security audit or other security consulting services to get in touch to see how we can help.
Is there a common security issue that is often found in crypto wallet audits?
There are several, including, but not limited to:
- The use of suboptimal function or parameters to derive a key from a password. It is generally preferable to use Argon2 or scrypt, and to look up current recommendations for parameters.
- Too much “creativity” in the encryption of data at-rest: we recommend using sodium or AES-GCM, and note that people should be careful with the nonce or IV (this is especially important with AES-GCM).
- In mobile wallets there is often no prevention of screenshots and screen recordings. This can lead to secrets leaking to other apps.
- And many wallets have encouraged copying the mnemonic to the clipboard. The clipboard can be watched by other apps/programs running, so it’s not a secure place.
How long does it usually take to do an audit for eg, a crypto wallet?
Typically, wallet security audits take an average of 4 – 7 weeks, depending on size and complexity.
What other things do you audit in the world of cryptocurrency?
The Least Authority team has reviewed implementations of cryptographic protocols, including Zero Knowledge Proofs (ZKPs) and zk-SNARKs, along with distributed system architecture, including in cryptocurrency, blockchains, payments, wallets, and smart contracts.
Your readers might also be interested in taking a look at our published audits.
What kind of qualifications do you need to work for Least Authority?
There are no required qualifications that apply to all roles at Least Authority. As you can see on our careers page, we have technical and non-technical positions available, and each role has its own requirements.
What I will say is that it is very important to be aligned with our values and our mission of supporting people’s right to privacy through our work. Individuals interested in joining Least Authority should also be prepared to work remotely with a team across multiple time zones and to be eager to learn. We work in an exciting and fast-paced environment, and we need team members who thrive in such an environment.
What is the best thing about working for Least Authority?
I have to name three: the people, our values, and the technology we work on. Our team is diverse, highly motivated and personable. People are passionate about the work they do, generous with their time in supporting others, and fundamentally respectful. We have a very unique company culture, which makes it very special. Moreover, we are committed to the open source and privacy-respecting communities that we are part of, and support people’s right to privacy through our products and our community contributions.
The other thing I just have to mention is how exciting the technology is that we work on. Of relevance to the Mina ecosystem, we are doing some fascinating auditing work on ZKPs. Earlier this year we released a Whitepaper on Zero-Knowledge Access Passes and are currently working on the MoonMath Manual, which is a guide to zk-SNARKS designed for a broader audience with only minimal experience in cryptography and programming.Find our more on www.leastauthority.com
We are not qualified brokers/dealers, or investment advisors. This website and its associated content is not a service for the giving or receiving of financial or investment advice. None of the content constitutes – or should be understood as constituting – a recommendation to enter in any securities, cryptocurrency, or cryptoasset transactions or to engage in any of the investment strategies presented in my discussions or content provided. We do not provide personalised recommendations or views as to whether a stock, cryptocurrency, cryptoasset or investment approach is suited to the financial needs of a specific individual.