Why an independent security audit is beneficial
As an Internet user, you use a variety of applications, and you may not even realize that your security is entirely dependent on the qualities of those applications. Under the term application, you can imagine an Internet browser, a chat client, a game, an email client, and many other things. These applications use different network protocols that use the TCP/IP infrastructure. In the case of cryptocurrencies, you use a wallet that communicates with other participants via the network protocol. You can send a transaction through your wallet. The transaction spreads to other nodes via the network protocol. The nodes must then agree on a mutual consensus via the network protocol and agree on whether your transaction is valid and can be included in the blockchain.
All user applications, as well as network protocols, must be secure enough to protect you from financial loss or other problems. User applications and network protocols are software. Under software, you can think of source code written in a programming language. The source code is written by programmers and these are just people who can make a mistake. Writing properly functioning and secure software is a very complex task.
Software development never begins by writing source code right away. At least not when you want high quality and reliability. People need to agree on what problem they want to solve and how they will proceed. High-level design is created first, followed by low-level designs and specifications for individual components and parts. In the case of a cryptocurrency, it is necessary to think about the blockchain, network protocol and consensus, user wallet, cryptographic tools, node, and many other things. Everything must work well when all parts are put together.
There are many well-described techniques for ensuring the security and high-quality of the written source code. The key is to have a good design from the beginning. The quality of the design is directly dependent on the quality and experience of the people in the team. In the case of Cardano, the team is full of very experienced scientists and developers. The team chose a good development methodology so that high-quality source code could be created. For example, this can be ensured by the developers checking each other's written source code and correcting any shortcomings found.
Each functionality can be implemented in different ways, and each developer is able to write code completely differently. Writing the source code of a program is largely an individual matter. Code review by the colleagues or many kinds of testing might be used to verify that the source code is correct and does exactly what is expected without unwanted side-effects. It is undesirable for errors and problems to appear after the network has launched since real users are threatened.
The techniques described above can be performed by the team themselves. However, there is a risk that the team will overlook or not think about something. Alternatively, they may not be aware of any hidden vulnerabilities. These risks can be mitigated through a security audit performed by an independent third party.
The goal of the security audits is to discover any vulnerabilities in the source code that an attacker could exploit to their advantage. The advantage of an external audit is that the source code is seen by another expert team who is interested in finding errors because it is well paid for it. From the users' point of view, it is also advantageous, because they might be sure that the quality of the code was ensured not only by the team but also by someone independent.
What Root9B audited and the results
As we have already said, Cardano has undergone an independent source code audit of the respected company Root9B (R9B). R9B had done a static analysis of the code. It means that they reviewed the source code without executing it. R9B tried to find common classes of vulnerabilities that might compromise the confidentiality, integrity, or availability of the Cardano software. R9B audited blockchain (ledger), Cardano node, Ouroboros network, crypto tools, and a few other parts. The output of R9B is a report that you can find on GitHub:
You can read the audit yourself. It is the file with the name IOHK Phase 1 and 2 Report.pdf. It is interesting and can be well understood probably only by IT specialists or programmers. There are a few minor findings and a description of a few theoretical vulnerabilities. The great news is that the R9B team has found no critical security vulnerability.
The IOHK team has responded to the audit to explain some findings in more detail or let R9B know about the steps that mitigated or resolved the issue. You can find the IOHK response in the file with the name Response to Root9B Audit Report.pdf. It was just an external review of the source code so all found issues could have been resolved in time. It means, before real usage in the Cardano public network. For example, the first found issue was about the insecure Genesis key generation. The IOHK explained to R9B that it is not a real issue since the affected code is used only within testing and it is not intended to be used in the public network. The IOHK team addressed and possibly fixed all issues that were relevant.
There was another last step in the whole process. R9B received the IOHK response and confirmed that the issues were addressed properly. You can find the mitigation verification in the file with the name Mitigation Verification April 2020 v2.pdf. R9B accepted and confirmed that the IOHK team addressed all findings properly.
The IOHK team will soon launch the Cardano decentralized main-net. It is therefore important to reassure all future users that the source code is secure. It must be said that a similar type of audit is very expensive and the IOHK team did not hesitate to pay for quality verification of the source code. This is not common in the crypto-world. Many projects do not have very good source code and it is very likely that many security flaws would be found if the external audit would be performed. A security audit is also a very good competitive edge for adoption projects by banks and institutions.