Audit report of the Waves platform

Waves is a blockchain-based tokenization platform that is something like Ethereum, on top of which you can issue your own token and build applications. Two main differences with Ethereum are that:

  1. Waves does not use a proof-of-word (PoW), but rather a proof-of-stake (PoS). This basically means that your chance to win the lottery-like game for transaction validation doesn’t depend on how much computing power you have, but only on how many Waves tokens you own. No Chinese coal is burnt in the process.
  2. Unlike Ethereum, Waves does not support smart contracts, which reduces possible functionalities, but also reduces the attack surface.

(Spoiler: in 2018 Waves plans to support some smart contracts, and Ethereum plans to deploy a PoS.)

Under the hood, the Waves node application—not talking of Node.js here—is written in Scala and is based on the Scorex framework by Alex Chepurnoy and Dmitry Meshkov, who presented related research results at Real-World Crypto 2017. The PoS is based on that of Nxt.

After meeting Waves’ CEO Sasha Ivanov at CTCrypt 2017, we agreed to perform a security audit of the Waves node application. We’re now releasing this report, which describes four issues rated medium-severity, and six issues rated low-severity. No critical nor high-severity issue was found. We believe that none of the issues found has posed a major risk to users—these issues mostly consist of security improvements and adoption of best practices.

The report is available here. We would like to thank Waves for trusting us, as well as Waves’ developers for promptly responding to all our requests.

One comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s