Trail of Bits
Audit Open Original ↗

NEAR One MPC Chain Signatures

Type

Security review

Client

NEAR One

Date

2025-03

Domain

Crypto

Effort

6 wks

Section

Cryptography Reviews

Trail of Bits's security review of NEAR One (Mar 2025) identified 15 issues: 7 medium, 2 low, and 6 informational.

Findings · 15

  1. 1 Unique IDs from other participants are not validated Medium
  2. 2 The node uses command-line arguments to pass secrets to the application Medium
  3. 3 Outdated dependencies with security advisories Informational
  4. 4 Risk of ciphertext swapping attack on database storage Informational
  5. 5 Hash function used as key derivation function Informational
  6. 6 P2P protocol implementation is vulnerable to identity misbinding Medium
  7. 7 Skipping certificate verification introduces nontrivial modifications to TLS Informational
  8. 8 Unchecked buffer lengths may enable resource exhaustion Medium
  9. 9 TLS listener thread does not time out Medium
  10. 10 Database encryption is vulnerable to nonce reuse Medium
  11. 11 Insufficient test coverage Medium
  12. 12 Potential credential persistence in artifacts Informational
  13. 13 Unpinned external GitHub CI/CD action versions Low
  14. 14 Docker release action is vulnerable to cache poisoning Low
  15. 15 The P2P networking implementation does not enforce TLS 1.3 Informational

Findings extracted from the published report PDF. See the full report below for details and remediation.

Related