Horizen Source Code Audit

Executive Summary

In February 2020, Horizen engaged Coinspect to audit the security of its blockchain platform. In particular, this first engagement focused on reviewing Horizen's additions to the Zcash protocol implementation, including its core consensus rules, network protocols and privacy features. Coinspect also verified that Horizen has properly fixed every known vulnerability inherited from the Zcash codebase.

During this engagement, Coinspect consultants used a hands-on approach to evaluate the platform security, which included:

  • Source code review of zen (the Horizen client), including its core consensus rules, network protocols, and privacy features.

The objectives of the assessment included, but were not limited to, identifying the following types of security vulnerabilities: full system compromise, denial of service attacks, information disclosure, network protocol weaknesses, input validation, and misaligned incentives in consensus rules.

During the engagement, Coinspect identified the following issues:

Coinspect observed Horizen's diligence in monitoring upstream projects, keeping its codebase up to date with the latest Zcash fixes and frequently bumping dependency versions. The only exception to this was a vulnerability that had just been announced by the Zcash project.

Coinspect found that no high risk vulnerability had been introduced by Horizen's modifications to the Zcash source code; 4 medium and 2 low risk findings, together with suggestions for addressing them, are documented in this report.

Coinspect verified that the only High Risk vulnerability found during this engagement was properly fixed by release 2.0.21, published on May 20 2020. All remaining findings except ZEN-001 were fixed by release 2.0.22, published on October 19 2020. ZEN-001 is a low risk finding related to secure communications and configuration defaults. Horizen decided not to fix this finding because doing so would break backward compatibility with other components in their ecosystem. However, mitigation measures were taken: the documentation regarding certificate validation was improved, and a command line option to disable the unencrypted connection fallback was added.

Source Code Audit

The Horizen project aims to provide a platform that enables intrinsically secure communications, deniable economic activity and resilient networking. It is an evolution of the Zclassic project, a Zcash fork. This engagement focused specifically on the Horizen client.

The following areas of the code were selected by Horizen as the main objectives for the first phase and were reviewed by Coinspect:

  1. Previous Zcash security announcements and findings reported by Coinspect to determine which are applicable to Horizen and if they were properly addressed
  • Replay Protection

All findings were identified and reproduced with local builds of Zen client version 2.0.19-1. The source code is based on the master branch following commit:

The following documents were utilized to understand design decisions specific to the Zen client:

The methodology used during this audit consisted mostly of source code review of the changes introduced by the Horizen team to the Zcash codebase, and gray-box testing of the selected Horizen components.

Besides source code review, the tasks performed during this audit included:

  • Crafting invalid and malformed replay protection scripts aimed at bypassing the controls and/or breaking consensus

Overall, Coinspect found the project code to be security conscious. No high impact vulnerabilities were introduced by the Horizen additions to the Zcash project. In addition, Coinspect verified that Horizen follows upstream security issues and ports security fixes when appropriate. Dependency version upgrades are also monitored and kept up to date.

As a result of this engagement, the following high-level suggestions are provided, based on the findings documented in this report and the weaknesses observed during the review:

  • Improve tests by adding edge cases and malformed inputs that could break assumptions made by the code

Click here for the full report.