Nym Wallet Security Audit
Security Audit of the Nym Wallet
Introduction
In December 2022, Nym underwent an independent security audit conducted by Oak Security, a Germany-based cybersecurity consulting firm specializing in auditing third-generation blockchains and decentralized protocols. With extensive experience in ecosystems such as Cosmos, Terra, Polkadot, and Flow, Oak Security was tasked with evaluating two critical components of the Nym ecosystem: (1) the Nym mixnet and vesting contracts (see full report) and (2) the Nym Wallet (see full report). The audit aimed to assess the security and robustness of these components, identify potential vulnerabilities, and ensure adherence to best practices in secure code development. To make things easier to follow, we’ve broken down the findings for each component. You can check out the audit summary of the Nym mixnet and vesting contracts here.
Summary of Nym Wallet Audit by Oak Security
The audit, which spanned two weeks, involved a team of four experts from Oak Security. The Nym team provided full access to the entire codebase, project specifications, and relevant documentation. The scope of the audit covered the "nym-wallet" repository.
The auditors performed a comprehensive assessment of the nym-wallet repository, evaluating its security vulnerabilities, integration mechanisms, cryptographic robustness, and overall adherence to secure development practices.
Oak Security employed a hybrid approach, combining automated analysis with manual code inspection to uncover security weaknesses.
Overview of findings
The Nym Wallet was found to have a well-structured codebase with medium-to-high readability. The auditors recommended improving test coverage and documentation to enhance reliability and maintainability.
A total of 17 findings were reported for the Nym Wallet. None were classified as critical; four were rated as major, while the remaining 13 were categorized as minor or informative, presenting opportunities to further refine the wallet's implementation.
The Nym team promptly addressed all major findings, and Oak Security reviewed and approved the fixes.
NYM-WALLET-1: Password still in memory after logout (Major)
The auditors identified that, unlike the mnemonic, the password used to retrieve it remains visible in memory even after the user has logged out.
To address the issue, Nym implemented a solution that recycles the window upon logout and account creation. This action effectively destroys the WebView, which holds the JavaScript runtime, and so clears any sensitive data, including the mnemonic and password, from memory.
NYM-WALLET-2: Mnemonic kept in memory after account creation within the wallet (Major)
The auditors identified that while the mnemonic is properly overwritten in memory when the user logs out, this is not the case after account creation. Specifically, when a new account is created in the wallet, the mnemonic is not cleared from memory even after the user logs out, potentially exposing sensitive information.
The solution implemented in NYM-WALLET-1 also rectifies this issue.
NYM-WALLET-3: Limited range of password special characters (Major)
The auditors identified that the PasswordStrength component in the wallet uses a regex pattern to enforce password strength, but that the pattern is overly restrictive. They recommended using a more flexible set of symbols to allow for a broader range of passwords. We addressed this issue by updating the regex pattern, following the auditors' recommendation, to allow a broader range of characters and enhance password security.
We resolved this issue by integrating the Dropbox "zxcvbn" package for more accurate and robust password strength validation.
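The effect of a restrictive symbol set can be seen in the following added example, which is not code from the Nym Wallet or from the audit report. Both regex patterns, the rule set and the sample passwords are constructed for illustration, since the wallet's actual pattern is not reproduced here, and the zxcvbn package is not called.

```javascript
// Added example. Both patterns are constructed for illustration; they are
// not the regex used by the Nym Wallet's PasswordStrength component.

// Narrow policy: a "special character" is one of a short hard-coded list.
const NARROW_SYMBOLS = /[!@#$%^&*]/;
// Broad policy: any character that is not a Unicode letter or digit
// (punctuation, symbols, spaces) counts as special.
const BROAD_SYMBOLS = /[^\p{L}\p{N}]/u;

// Return the list of rules a password fails under the given symbol pattern.
function failedRules(password, symbolPattern, minLength = 8) {
  const failures = [];
  if ([...password].length < minLength) failures.push('length');
  if (!/\p{Ll}/u.test(password)) failures.push('lowercase');
  if (!/\p{Lu}/u.test(password)) failures.push('uppercase');
  if (!/\p{N}/u.test(password)) failures.push('digit');
  if (!symbolPattern.test(password)) failures.push('symbol');
  return failures;
}

// Passwords the narrow policy rejects only because of its symbol list:
// they satisfy every rule once the broad symbol class is used.
function rejectedOnlyByNarrowSymbols(passwords) {
  return passwords.filter((pw) =>
    failedRules(pw, NARROW_SYMBOLS).join() === 'symbol' &&
    failedRules(pw, BROAD_SYMBOLS).length === 0);
}

// Constructed sample passwords.
const SAMPLES = [
  'Correct-Horse_Battery9', // '-' and '_' are not in the narrow list
  'Tr0ub4dor&3x',           // '&' is accepted by both policies
  'Zürich~Bahnhof;2022',    // '~' and ';' are not in the narrow list
  'Plain Passphrase 42',    // a space only counts under the broad policy
  'NoSymbolsHere123',       // no special character at all: fails both
];

for (const pw of SAMPLES) {
  console.log(pw, '| narrow:', failedRules(pw, NARROW_SYMBOLS),
    '| broad:', failedRules(pw, BROAD_SYMBOLS));
}
console.log('Rejected only by the narrow list:',
  rejectedOnlyByNarrowSymbols(SAMPLES));
```

Three of the five long, mixed-character samples fail the narrow policy purely because their symbols are outside the hard-coded list, which pushes users toward a small, predictable set of characters.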
NYM-WALLET-4: The user is forced to copy the mnemonic phrase to the clipboard (Major)
During account creation, users were presented with the mnemonic phrase and required to click the "Copy Mnemonic" button, which copied the phrase to the clipboard. The auditors identified this practice as a security risk, as other applications could potentially access the mnemonic.
To address this, we implemented the auditors' recommended fix by removing the "Copy Mnemonic" button. Instead, we added guidance on securely storing and using the mnemonic phrase and a checkbox for users to confirm that they have read and understood the provided information.
Last Words
We would like to thank the Oak Security team for their expertise and dedication throughout this audit process. We also appreciate the collaboration and professionalism demonstrated during both the planning and execution stages of the audit. Our ongoing commitment to security remains a top priority, and we look forward to continued partnerships with security experts to uphold the highest standards for our ecosystem.