Beam Security Analysis
We are proud to announce that SmartDec has performed a second security audit of Beam blockchain. It is a pleasure for us to work with such an innovative project. The first audit report can be found here.
In this report, we consider the implementation of Lelantus protocol for Beam blockchain project. Our task is to check if the implementation of the protocol conforms to the specification and if the implementation is secure.
The security of the protocol itself is out of the audit scope.
Disclaimer
The audit does not give any warranties on the security of the code. One audit cannot be considered enough. We always recommend proceeding with several independent audits and a public bug bounty program to ensure the security of the code. Besides, security audit is not an investment advice.
Summary
In this report, we considered the implementation of Lelantus protocol. We performed our audit according to the procedure described below.
The audit showed that the implementation of the protocol conforms to the specification.
Also, several issues of low severity were found in the code. None of them endanger the project’s security.
The developer provided the comments for these issues as well as for some details of the implementation. We placed them in the report.
General recommendations
The low severity issues found in the report do not endanger the project’s security. However, we recommend fixing them to avoid problems in the future versions of code.
Procedure
In our audit, we consider the following crucial features of the code:
- Whether the implementation of the protocol conforms to the specification.
- Whether the code is secure.
- Whether the code meets best coding practices.
We perform our audit according to the following procedure:
Automated analysis:
- we scan project’s code base with SmartDec Scanner
- we manually verify (reject or confirm) all the issues found by tools
- we run tests and check their coverage
Manual audit:
- we inspect the code and revert the initial algorithms of the protocol and then compare them with the specification
- we manually analyze the code for security vulnerabilities
- we assess overall project structure and quality
Report:
- we reflect all the gathered information in the report
Project overview
Project description
In our analysis, we consider Lelantus protocol specification and Beam project’s code on Git repository, commit 33334578bb879044281b83c88ac09de142211fe8.
Project architecture
For the audit, we were provided with a git repository. The project has tests and specification.
The scope of the audit included:
lelantus.cpp/lelantus.h (complete)
shield.cpp (complete)
ecc_native.h, ecc.h (partial)
ecc.cpp (partial)
- void MultiMac::Calculate(Point::Native& res) const 1435
- void SignatureBase::SignRaw(const Config& cfg, const Hash::Value& msg, Scalar* pK, const Scalar::Native* pSk, Scalar::Native* pRes) const 2343
- void SignatureBase::Sign(const Config& cfg, const Hash::Value& msg, Scalar* pK, const Scalar::Native* pSk, Scalar::Native* pRes) 2336
- void SignatureBase::CreateNonces(const Config& cfg, const Hash::Value& msg, const Scalar::Native* pSk, Scalar::Native* pRes) 2314
- void SignatureBase::SetNoncePub(const Config& cfg, const Scalar::Native* pNonce) 2304
eccbulletproof.cpp (partial)
- void InnerProduct::BatchContext::AddCasual(const Point::Native& pt, const Scalar::Native& k, bool bPremultiplied /* = false */) 68
- void InnerProduct::BatchContext::AddPrepared(uint32_t i, const Scalar::Native& k) 88
- void InnerProduct::BatchContext::AddPreparedM(uint32_t i, const Scalar::Native& k) 93
Full version of the security report
This is the short version of the report. The full version of the report can be found here: Beam Security Audit by SmartDec.
This audit was performed by SmartDec, a security team specialized in static code analysis, decompilation and secure development.
Feel free to use SmartCheck, our smart contract security tool for Solidity and Vyper, and follow us on Medium, Telegram and Twitter. We are also available for smart contract development and auditing work.
