Since December, FP Complete has been working with Cardano Foundation on an audit of the Cardano settlement layer. The audit work is ongoing, with the currently released reports available on Cardano's website.
The primary codebase we have been reviewing, cardano-sl, depends on many packages from the Haskell ecosystem. As a result, a significant portion of our audit work involves reviewing these open source libraries, often quite separately from their usage within the Cardano project itself.
We believe that sharing the results of our library audits can be helpful for the Haskell community in general by:
- identifying concrete areas that can be improved
- sharing information on our review process
- encouraging a culture of pushing for higher quality in our commonly used open source libraries
With Cardano Foundation's permission (and encouragement), we're excited to announce that we will begin publishing audit reports on individual libraries in addition to our work on auditing the Cardano project itself.
For the most part, the choice of libraries to be audited will be guided by usage within cardano-sl, as our primary goal remains to perform an audit on that codebase. We will also be withholding security-sensitive discoveries until fixes can be made upstream, following the principles of responsible disclosure.
Our first audit report covers the binary library, and is available immediately. Please see Cardano Foundation's announcement blog post for details. We do not have a specific timetable for future report releases, but expect to see such reports announced both on Cardano Foundation's website, and on this blog.
We also look forward to sharing some of our code review techniques and tooling with the community. To find out more about our audit process you can also visit our audit page.