Ambrosus is a blockchain company aiming to optimize supply chain visibility and quality assurance in the food and pharmaceutical industries. Proactive about safety and security, they announced that Ambrosus has passed its second external security audit. This is a significant demonstration of transparency that we feel many more blockchain companies should follow.
Ambrosus Passes Second External Security Audit
Angel Versetti 27/02/2019:
During the past month, the Ambrosus Network underwent its second comprehensive security audit by a third-party security tester, this time Hacken. The audit involved a security assessment of the core node code-base and the NOP script, as well as network penetration testing of the larger Ambrosus network infrastructure and the different nodes and tools involved. The underlying goal of this audit was to assess the progress and development of the Ambrosus Network, as well as its readiness to onboard external participants into the ecosystem.
Below is an overview of the core facets of the audit, as well as the main results:
What Was Audited?
The entire Ambrosus Ecosystem was scrutinized in this audit. The tests were comprehensive in their breadth insofar as they individually simulated external attacks through the Hermes, Apollo, and Atlas Nodes, as well as through access to the core API.
In relation to the Crypto-Economic Infrastructure, the following was audited or analyzed:
- All crypto-economic specifications against potential threats.
- Analysis of the impact of potential hash collisions.
- Analysis of the mechanism to upgrade nodes.
- Review of the node onboarding procedure and analysis of threats during its deployment.
Testing of the Crypto-Economic Infrastructure included:
- Testing traffic between nodes
- ‘Fuzzing’ all APIs
- Web penetration test from the Hermes administrator position
- Network discovery and scanning of the nodes
In relation to the broader infrastructure of AMB-NET, the following tasks were also included in the audit:
- A comprehensive test and review of the token generation mechanism.
- An analysis of the KYC process.
- A thorough audit of the private key storage process and its overall security state.
- A manual code review for the immutability of data.
- Analysis of the implementation of cryptographic elements.
Further penetration testing of the broader network infrastructure included the following tasks:
- Testing against deserialization vulnerabilities.
- NoSQL injection testing.
- DDoS simulation.
- Auto-scanning of the codebase and manual review of auto-scanner findings.
Results and Next Steps:
Overall, the test was seen as a success insofar as the Ambrosus Network passed all penetration tests and analyses without any network-threatening or large-scale failures. The code was evaluated as being of very good quality, and all nodes and tooling tested functioned as originally planned.
The audit also revealed a select few ‘medium-level’ issues related to the security of the core blockchain protocol. More specifically, these tests revealed particular vulnerabilities of the network when simulated under certain amounts of traffic and under situations of high network usage. Additionally, for extra security we have decided to also build a multi-signature smart contract controlling the core operations of the network, such as onboarding of nodes and setting the bundle price, strengthening the security of the network in the short term and also setting the groundwork for decentralising the governance of our network down the road.
While Ambrosus developers have already begun to fix these issues, the notable challenge pertains to ensuring that, once the issues have been resolved, future issues of similar caliber will not arise. It is for this reason that the developer team has extended the current timeframe for the external onboarding of masternodes to main-net. In direct terms: the quality of the entire Ambrosus network cannot be compromised, and it is a higher priority for the team of developers to ensure that quality than to release potentially vulnerable code at an earlier time. Altogether, while development of the Ecosystem continues across the different developer teams, a specific focus and additional time are required to thoroughly verify and confirm that the medium-level issues have been resolved.
Overall, Ambrosus is pleased with the quality of work from Hacken and the result of the audit: the few minor issues have already been fixed, and the code was evaluated to be of very high quality after the audit. While more work is needed, the third-party audit is a strong confirmation of the growth and development of AMB-NET up to this point, and a real testament to the long days and hard work done by the different Ambrosus developer teams. Further updates on the progress of the various developer teams will be posted monthly to illustrate the improvements made to the network.