This spring, Coda Protocol concluded a security audit conducted by NCC Group, one of the world's leading cyber security service providers, to ensure the security and strength of our protocol. We are pleased to be able to share the report.
Based on NCC Group’s audit, no critical or major issues were found, and the common cryptographic issues uncovered have since been fixed.
The scope of NCC Group's evaluation included review of the following components:
- Overall Protocol Review
- Blockchain and Transaction SNARKs
- Compilation of Snarky to Rank-1 Constraint System (R1CS)
- Implementations of Snarky Primitives
- Elliptic Curves and Generators
- Ledger HW Wallet Implementation
The common cryptographic flaws pointed out by NCC Group are:
- Potential mishandling of point addition edge cases, which could result in provers being forced to create invalid proofs.
- In computers that used a legacy C++ standard library or could not access cryptographically-secure pseudorandom number generators, Schnorr secret key values are generated such that attackers with knowledge of the underlying system would likely be able to predict the secret.
Be sure to check out the report for a more detailed overview of findings and our team's response.