Code audits

On behalf of the Tari community, we are happy to announce that Coinspect will be conducting an audit of the Tari base node (Minotari) code and wallet library. Coinspect is a well-known name in the crypto security space and has experience in auditing Mimblewimble-based protocols, having completed the Grin audit in 2019.

The Tari community has been diligently tidying up the codebase, sprucing up documentation and completing its own set of reviews in preparation for the external audit. This work is complete and the base node code was frozen for the audit on 30 June.

Commit 87c0703059511 is the reference commit for the audit.

The audit kicked off this week, the first week of July, and should run for around three months.

The Tari base layer codebase comprises around 250,000 lines of source code. This represents an enormous amount of development work. It is not possible, from a time nor cost perspective to have the entire quarter of a million lines of code be subject to a detailed audit.

Therefore, we have selected the most critical parts of the codebase — those parts where bugs could lead to users losing money — to be subject to detailed scrutiny. This represents around 40% of the total code base.

These critical components include the consensus code, the wallet transactional protocol, and the P2P overlay network. Coinspect will be focusing on these aspects of the codebase. The crypto library, including the bulletproof+ implementation, will be reviewed by third parties with a specialisation in cryptography, including QuarksLabs.

Together, this represents a reasonably thorough coverage of the Tari codebase. Of course, no amount of review and auditing guarantees that a codebase is bug-free. The intent is to demonstrate that the Tari community has taken all practical steps to produce a codebase that is secure and reliable, even in the absence of any guarantees.

Let’s see what the next three months bring. We are quietly hopeful that the audit proceeds well.