As promised, the Pirate Chain team has secured a code security review by an external third party. Reviews are part of the development process and occur occasionally to ensure that all parts of the code are scrutinized as much as possible.
Why Are Code Audits Important?
Making sure that the code functions as it should and has no security holes are critical development stages for any piece of software or hardware. Likewise, with blockchain it is important to have thorough reviews to ensure that hacks and double-spend attacks are impossible to achieve. So how many levels of audits does technology such as Pirate Chain undergo?
The list is fairly long so grab your tea, coffee or rum and read on... ☕
1. Internal Auditing
Before any release is made to the public the Pirate Chain team alongside community contributors audits the code over a period of weeks or months depending on the size of the change. This is a big part of the development of privacy and security software in general. Pirate Chain has elevated internal auditing to an even higher level by utilizing developers from a variety of different projects who try to break the code for bounties.
Only when this stage of auditing is complete, does the code get released to the public. This particular stage of auditing is the most important and most potent one. It is the most thorough, and it is completed by experts in blockchain security and zk-SNARKs cryptography who are few in the world.
2. Open Source Auditing
Whilst code audits are critical in other parts of technology, for open source projects the situation is very different. As the code is shared and publicly available it is also under a constant cycle of peer-reviews. This means that competent developers who are part of the wider community test the code for vulnerabilities on an ongoing basis.
This type of auditing ensures that Pirate Chain is one of the most widely audited and most secure privacy technologies to date.
3. Bad Actors
Governments, security agencies, law enforcement, blockchain tracing companies and other similar bad actors have a key interest in breaking down privacy technologies and restricting personal freedom. None of these bad actors so far have even hinted at the ability to trace or hack Pirate Chain technology. This cannot be said for most of the other so-called 'privacy coins' that have already been exposed to tracing.
4. Third-Party Audits
Occasionally alongside the above auditing stages, projects call for external companies to audit their code. Who conducts the audit is of great importance for reasons of specialization which are mentioned above. As few people understand blockchain in combination with zk-SNARKs cryptography finding such companies is not an easy process. In addition to being hard to find competent people, it is extremely costly and time-consuming as external companies have to set up many processes for a one-off review which internal developers use every day to ensure bulletproof security.
The Treasure Chest Wallet Audit
Jean-Philippe Aumasson is a world-renowned expert in cryptography, co-founder of Teserakt, and head of security of Taurus Group. JP holds a PhD from EPFL (2009) and has worked for many years in applied cryptography, security architecture, and cybersecurity. JP wrote the acclaimed books Serious Cryptography (No Starch Press, 2017) and has designed widely used algorithms such as BLAKE2 and SipHash. He has performed numerous security assessments for leading blockchain and cryptocurrency organizations. He has spoken at conferences such Black Hat, DEFCON, RSAC, CCC, and Infiltrate, about applied cryptography, quantum computing, and platform security.
The auditors reviewed the critical components of Treasure Chest’s wallet, looking for bugs in terms of cryptography and software safety. Most of the work consisted of manual code review, but they also used automated tools (cppcheck and clang analyzers), which did not report anything of interest. They focused on the Pirate-specific code, as opposed to the Zcash and Komodo parts.
At this stage, it should be noted that they did not cover side-channel risks (timing attacks, oracle attacks, heap/stack cleansing).
Furthermore, the goal of the audit was not to match the code against specifications or to assess the Pirate protocol design’s soundness. They also did not review third-party dependencies.
Are More Audits Needed?
The short answer is, yes. To complete this audit cycle of Sapling code, Pirate Chain needs to undergo one final external audit of its core code. To do this a total of $145,000 is required for cybersecurity experts Halborn to do the review. So far 32% of the total has been already raised.
To contribute to this audit, donate here: https://piratechain.com/donations/peer-review-code-audit/
You can read the security audit here.