Public Reports
Public security assessment reports
InterBTC - Vault Client
Technical audit report
Audit report of the Interlay’s vault-client security assessment, an off-chain component bridging InterBTC/Kintsugi and Bitcoin. The audit assessed the correctness of the implementation, secure key management, and resilience against attacks affecting availability or enabling asset theft. Although prior audits and bug bounty reports had addressed issues, this assessment identified four new potential weaknesses—one of which is rated high risk due to a possible double payment upon vault restart. However, the conditions required to exploit this flaw are extremely unlikely, involving rare synchronization failures with the Bitcoin chain.
XCM: Cross-Consensus Messaging Audit
Technical audit report
This report presents the results of a security audit conducted by Quarkslab on the Cross-Consensus Messaging (XCM) mechanism developed by Parity for the Kusama and Polkadot blockchains. XCM enables communication between relay chains and parachains, and the audit focused on its core components: the XCM pallet and executor, particularly in the context of the Kusama and parachain-template configurations using XCMv2. The evaluation aimed to ensure the system prevents inconsistencies between chain states, misconfigurations, and unauthorized asset transfers. This second audit (the first being by another firm) found no major vulnerabilities. The report details XCM’s inner workings and highlights design elements that contribute to its robustness.
Litecoin — Mimble Wimble audit
Technical audit report
Report containing the security evaluation results of a MimbleWimble (MW) implementation in Litecoin. MW enables confidential transactions by hiding amounts and enhancing privacy through coin fungibility and transaction aggregation. The algorithm uses a bulletproof-like zero-knowledge algorithm. Since Litecoin’s UTXO-based main chain cannot natively support MW, it is implemented as a sidechain. The audit focused on verifying the correctness of its integration into the Litecoin codebase, especially regarding new consensus rules and preventing regressions. A major vulnerability affecting chain consistency was discovered.
État de l’art : Techniques de fuzzing, exécution symbolique, slicing et combinaisons (FR)
This report presents the results of a state-of-the-art commissioned by the Direction Générale de l’Armement (DGA) to Quarkslab, focusing on the state of the art in fuzzing, symbolic execution, and slicing techniques. The study aims to provide a comprehensive overview of these techniques and their potential applications in the context of vulnerability detection in embedded software. The report includes a detailed analysis of existing tools and methodologies, highlighting their strengths and weaknesses. It also discusses the challenges of combining the approaches together. This report reflects the state of the art as of 2020 but is a comprehensive corpora for any beginer in the field.