Security audits of the Nym network and apps 2023–2024
Bulletproofing the network behind the world’s first Noise Generating Mixnet
In the leadup to the commercial launch of NymVPN to the world, the Nym network and apps have undergone two thorough and independent security audits in the last two years. The goal has been to make sure Nym’s technology, cryptography, and network are in top shape for when NymVPN lands in customers’ hands.
The results have led to significant security improvements and performance enhancements behind the scenes. Like Nym’s open source code, these audits are made public as well as the Nym team’s responses explaining the measures taken to address relevant issues.
What is a security audit?
A security audit occurs when a company seeks to test the security parameters and vulnerabilities of a technology, system, or network. As in Nym’s case, these can be proactive measures to ensure a beta product is rigorously tested before launch.
Security audits can be done internally by security personnel or a dev team, but they are ideally accomplished by an independent auditing firm that does not have an interested stake in the company or technology. This ensures impartiality and scientifically rigorous testing.
Moreover, security audits can be conducted on differing scales depending on whether a company’s code is fully or partially proprietary (i.e., not publicly accessible) or open source.
In Nym’s case, both security audits conducted on the network and apps from 2023–2024 were done by independent security firms with full access to Nym’s open source software. All reports and responses are likewise available to the public and community to consult.
Cure53 audit (July 2024)
The latest and most extensive audit was conducted in July 2024 by the Berlin-based firm Cure53. Cure53 is well-known in the Web3 space and has done audits for other VPN companies such as ExpressVPN, Mullvad, TunnelBear, and NordVPN.
Scope of the audit
Cure53 employed a crystal-box strategy with full access to source code, builds, documentation, test environments, and supporting scientific papers. Their extensive audit covered Nym’s infrastructure, including mobile and desktop applications, VPN infrastructure, cryptography, and system architecture. This was done via penetration testing, source code audits, and code reviews.
Results of the audit
Many core aspects of the Nym system were found to be in good and secure shape, particularly its mobile and desktop apps and Rust builds.
“Cure53 [...] confirmed that neither the Android nor iOS apps contained hardcoded sensitive information or secrets, which is a key security consideration.”
The Cure53 audit flagged a number of important potential security risks across the Nym system, particularly in its cryptographic implementation, for example a potential plaintext leak in the encrypted handshake between the client and gateways. Critical risks like these were quickly addressed by the Nym team.
A number of other potential risks were rated “high” or “critical” by Cure53. As the Nym response clarifies, however, these pertained either to parts of the Nym infrastructure that were no longer in operation, or to possible attacks that would be unsuccessful given the current design, for example of Nym’s e-cash implementation.
You can read Nym’s response to the Cure53 audit, written by Nym’s Heads of Research and Technology, with explanations for all changes made or not made. A link to Cure53’s original report can also be found there.
Oak audit (2023)
Nym researchers have now also published a response to two 2023 security audits conducted by Oak Security, a Germany-based security firm specializing in smart contracts. Oak has extensive experience in ecosystems such as Cosmos, Terra, Polkadot, and Flow.
Scope of the audits
The first audit focused on the Nym mixnet and vesting contracts while the second focused specifically on the Nym Wallet app.
With full access to Nym’s open source codebase, the Oak audit covered the contracts/mixnet, contracts/vesting repositories, relevant imports by these contracts for the Nym mixnet and vesting contracts, and the Nym Wallet app.
Results of the audits
Oak mixnet and vesting contract audit
Regarding the mixnet and vesting contract audit, Ania Piotrowska, Nym’s Head of Research, summarizes the findings and actions taken:
“The Nym mixnet and vesting contracts were characterized by high readability and clarity, with robust test coverage supporting their reliability. In their assessment, the auditors identified 19 findings, including 9 security vulnerabilities – comprising critical and major-severity issues – and 10 general weaknesses categorized as minor or informative. The Nym team has swiftly addressed all critical and major issues. The Oak Security team verified and approved our fixes.”
Oak Nym Wallet audit
Regarding the audit of Nym Wallet, Ania summarizes the results:
“The Nym Wallet was found to have a well-structured codebase with medium-to-high readability. The auditors recommended improving test coverage and documentation to enhance reliability and maintainability. A total of 17 findings were reported for the Nym Wallet. None were classified as critical; four were rated as major, while the remaining 13 were categorized as minor or informative, presenting opportunities to further refine the wallet's implementation. The Nym team promptly addressed all major findings, and Oak Security reviewed and approved the fixes.”
Conclusion
Network and app security is the highest concern for Nym. Without it, people turning to Nym will not get what they need and are promised: the most advanced privacy protections and security currently available. The Nym team is thus moving into 2025 with significant security improvements under its belt thanks to the consulting work by Cure53 and Oak Security.
Nym will continue the regular process of independent audits of its open source codebase, its applications and network under development, as well as a bug bounty program, to ensure the highest security standards for people using NymVPN and the network.