IOHK recently announced the results of an audit carried out by Kudelski Security for Icarus, described as “IOHK’s reference implementation for a lightweight wallet.”

Kudelski Security is a Swiss firm that provides “tailored cyber and media security solutions.”

In a forum post, the IOHK Team noted that outside audits are “critical” for finding security issues in the Icarus wallet that might have been missed in internal audits.

The audit by Kudelski took six person-days of work to carry out and culminated in a report by the firm. The subsequent report spelled out three “low severity” security issues and 11 observations “related to general code safety.”

Working To Ensure A Secure Wallet

According to the 20-page report, IOHK gave Kudelski access to source code, documents, and review guidelines related to Icarus. Kudelski gave a brief overview of the security issues they found and spelled out some recommendations to mitigate the problems.

Each entry also featured a “Status” section that lists notes and feedback from developers at IOHK in response.

Kudelski made a point to say one issue identified in the first report was later removed for the final iteration because the auditors “misunderstood the expected functionality.”

For each of the findings, the IOHK team listed links to GitHub to show how they were acknowledged and responded to.

Audit Also Noted General Observations

The end of the report listed some observations that “are not security issues to be fixed.”

For example, one of them recommended the crypto library “could erase sensitive data” from the stack or heap memory after use.

The IOHK Team wrote in the forum post that Icarus is a “fully open source code base” that will be the “first step in a range of open source initiatives” so that developers will have a set of tools for Cardano.