One of the security auditors asked me about the scope of auditing within the Canton Network. Could you guys provide more information about the auditing process? Is auditing performed by domain-specific or party-specific auditors who are hired for that purpose? Also, if someone wants to get started with independent auditing in a local-to-mainnet environment, how can they begin? What would be the recommended approach, tools, or learning path?
Looping in @nycnewman who might be able to advise.
Is there a specific auditor you are referring to? We are working with the Canton Foundation to build out a set of security auditors across the Canton Network ecosystem. This includes (apologies if I missed any) some of the well known Web3 auditors: Quantstamp, Halborn, Certik, Cure53, Sherlock, OpenZeppelin, Zellic, Hacken and others.
We are also aware of several AI companies who are building AI solutions in this space, from smart contract / application auditing, through vulnerability checks, to code generation and AI continuous penetration testing. Many of these have support for Daml auditing.
We are also seeing increasing interest from independent security researchers who are looking at the Canton Network.
Yes, correct me if I’m wrong, but auditing is primarily done on the business logic. We may also discover some bugs during code generation or while running the DPM TypeScript/Java codegen.
Auditing is done on many aspects of the applications including the business logic and enforcement of conditions, authorization model and permissions, core language concerns, error and unhappy path handling, input validation, and many other aspects. There are many resources available online that talk to the standard concerns for security verification of systems.
Many teams are building out “Top X” lists of security weaknesses.
I’m one of those independent security researchers with experience auditing Solidity- and Rust-based protocols. I’ve been learning DAML and the Canton Network and I’m interested in specializing in application security within this ecosystem.
If you have any recommendations on where I should focus, or which open-source projects or reference applications are worth studying, I’d really appreciate your advice.
Also, if there’s a community channel (Discord, Slack, etc.) where security researchers discuss Canton security, I’d love to join.
Thanks for sharing these insights!
You should start with Splice as this defines the base models for Amulet and Canton Coin:
For reference, there is a public audit of this here: Quantstamp
You may also want to look at:
and
There is no Security SIG as yet but we are looking to set one up soon.
Thank you for the quick response and for sharing these resources.
I’ll start with Splice.
I appreciate the guidance.