Symbol from NEM completes Trail of Bits Security Audit

Launch on track for 14th January 2021

In another big step towards the launch of Symbol on 14 January 2021, Symbol has successfully completed a security audit carried out by Trail of Bits.  

The objective of the assessment was to engage external Blockchain security specialists to validate that the design and implementation of the Catapult code base for Symbol is secure. 

In June 2020 NEM Group and Trail of Bits began conducting a review of the security of the Symbol Core, API, REST and SDK components. An initial assessment of the underlying platform took place in June 2020, followed by a delta review in August after Finality completion and several specific reviews of issue fixes and patches through to the end of 2020.

Trail of Bits was also engaged to consult on the Finality solution design, providing a senior cryptographer to both validate the design and review the implementation of our GRANDPA-based Finality gadget.

The collaboration has now completed; the Core Developers and NEM Group accept the findings and are very happy with the engagement with Trail of Bits in general. We look forward to working together closely in the future.

The report concludes ‘that the Symbol repositories showed positive consideration for common classes of security vulnerability’ and Symbol actively completed the assessment by implementing recommendations provided by Trail of Bits.  

Dave Hodgson, CIO of NEM Group, said ‘The completed security assessment from Trail of Bits represents another major milestone towards the successful launch of Symbol and demonstrates NEM Group’s commitment to the security and strength of the network. I am really pleased to be able to share the results with our Community.’

For more detail on the assessment and to read the report in full

One Informational issue raised is only partially implemented. This is because it is informational in nature and the overflow cannot occur if all values are checked prior to operations inside the validators; the code implements these checks well before that point and as such protects from the scenario before an overflow could occur. Finally, Trail of Bits believes there may be latent data validation issues deeper within the system that could be exposed through increased dynamic testing.
