Dear Cloak Community,
The Audit done by Cognosec a NASDAQ-listed cybersecurity company has been beneficial to Cloak goals and we certainly appreciate their work.
The Security Audit shows also good public recognition of our work because this opens new doors and shows that we are a trustworthy project.
Stepping through the issues found in the Audit, 40% have already been corrected and implemented in preparation for our live release coming in the near future.
Here are the solutions from Cloak Development Team:
Compromise of Anonymity is the largest issue where the sender could be determined, has been resolved.
By analyzing the transactions on the blockchain provided for by Cloak, Cognosec found it was possible to determine the amount sent by summing transactions searching for equal amounts through a method called possibility analysis. Once the amount sent was solved for, it could be determined what the sender addresses were. Based off Cognosec suggestions, we have implemented the following solution. Instead of an equally split Enigma fee, Cloaker participants receive incentives from Enigma fees which are randomly split, 80%-120%, of an equally split Enigma fee. Additionally, the transaction amount is repackaged and is then resplit 2-4 times in a way to prevent any equivalent transaction summations. This prevents using possibility analysis to determine the amount sent. Without the ability to determine the amount sent, it is not possible to determine who sent the coins. Additionally, included in this solution is resolved Problem #9 – Flawed Splitting Randomizer.
Insufficient Wallet Encryption is currently under development.
Cognosec also found that even should the wallet be stolen, the coins could not be used.
The current risk is that the transaction history would be known.
Random generator used without Seed is resolved.
#4, #5, #6, #7 & #8
are all based on the use of the “outdated” bitcoin release and the system libraries used for the project.
Detected DLL preloading vulnerabilities are actually OS dependent and will be mitigated by placing the needed DLLs in the protected system directories (e.g. system32 folder on Windows) when the production/release installer is created as a part of our new wallet package. Eventually, Cloak will be incorporated into source of the latest LiteCoin project, also resolving many similar issues such as this that may arise.
Flawed Splitting Randomizer is resolved as discussed in the initial paragraph and shown in Figure 1.
Weak Backup Methods is under consideration for future releases.
Incorrect Number of Cloakers used is, as Cognosec determined, informational. Cognosec failed to recognize the sender as a participant of the Enigma transaction.
When looking through their analysis, which provides code, it can be seen that the number of participants in the software is reduced by 1, specifically.
The highlighted line in Figure 9.13, of the audit, uses the Function CreateForBroadcast with the first parameter, numParticipants – 1.
This is also described in Figure 1 where 4 Cloakers are used.
On live net, the current number of Cloakers is set to minimum of 5 and can be set by the user.
This enhances the difficulty of analyzing the transactions even further.
Feel free to read the complete Audit Report!
Peace and Love
Team Cloak Coin