Audit report of Monero’s bulletproofs integration

Monero is a decentralized, open-source cryptocurrency that provides strong privacy protections thanks to state-of-the-art cryptographic components. Monero is deploying a new version of its protocol, using the “bulletproofs” NIZK proofs by Bünz et al.

The Monero community hired Kudelski Security to perform a security assessment of the new protocol’s implementation, which was expected to match an earlier Java prototype.

Today we publish our final audit report, which documents the security issues identified and our mitigation recommendations, as well as our general assessment of the bulletproofs implementation. We report:

  • 3 potential security issues of allegedly low severity
  • 8 observations related to general code safety, which we noticed in bulletproofs implementations or in other components of the Monero code base.

That is, we did not find any major or critical issue in the bulletproofs implementation. In particular, we did not find any shortcoming that could be exploited by an attacker.

That said, having spent approximately 75 hours on the project, we would like to stress that further analysis could well uncover dangerous code execution paths which we were unable to follow due to limited time. The faults which we observed indicate that further QA effort should be spent on the implementation. For example, the code base would likely benefit from additional fuzz testing.

The audit was led by Dr. Jean-Philippe Aumasson, VP Technology, jointly with Yolan Romailler, Cryptography Engineer. We would like to thank the Monero community for trusting us.
