NKN contracted Chaitin Technology Co., Ltd. to conduct a comprehensive security audit for the NKN blockchain project from December 20, 2019 to May 16, 2020, including 2 rounds of security review and remediation verification.

A total of 16 vulnerabilities have been identified through the complete security audit, including 5 critical, 4 high, 2 medium and 5 low vulnerabilities. 15 vulnerabilities have been fixed, while 1 (a low-severity vulnerability, details in the appendix) remains unfixed.

With the successful completion of this audit, the security of the project is significantly improved and every functional module can be operated in a relatively safe and secure manner. This is a crucial milestone and prerequisite for NKN 2.0.

NKN core developers will continue to improve the security of NKN software, in partnership with third-party security experts and community developers.

Scope of audit:

NKN source code repositories covered by this security audit:

  1. NKN core software
    1. https://github.com/nknorg/nkn
  2. NKN’s nnet P2P network stack
    1. https://github.com/nknorg/nnet

1st round security review version:

commit c4cee36ae36442470030ee514aef6841d38240ea

1st round remediation verification version:

commit 296b48b3deee64f1016beadc869ab25b1d21aaba

2nd round security review version:

commit 296b48b3deee64f1016beadc869ab25b1d21aaba

2nd round remediation verification version:

commit c3f225840511a6999ddc3d75587b4c6d8dfbb20d

About Chaitin Technologies

Chaitin Technologies is a world-leading, technology-driven cyber security solution provider, which released the Next Generation Web Application Firewall (NGWAF) based on intelligence and semantic algorithms. Chaitin focuses on providing intelligent and simple next-gen security solutions to enterprises.

The Security Service Group of Chaitin Technologies focuses on security audits and code review for leading software companies. 

https://www.chaitin.cn/en/

Appendix

4.1. Potentially unfair consensus competition due to port reusing in POR protocol (Severity: low)

4.1.1. Overview

To mitigate possible Eclipse attacks on the POR consensus network, NKN applies a “one ID per IP” policy, under which any IP address can host at most one NodeID, by fixing the target port of outbound connections. However, it is still possible to bypass this limitation and host multiple NodeIDs on a single IP address by implementing a NodeID proxy with dedicated listener logic.

(details omitted)

4.1.2. Status

Unfixed.

First, there’s no effective way to enforce the “one ID per IP” policy in the current NKN architecture.

Second, according to NKN’s design philosophy, the only valid competitive resource for consensus is bandwidth, not IP addresses. Thus, this restriction should be removed in the future, permitting multiple NodeIDs to be hosted on a single IP.