NuCypher

Findings · 14

1. 1 Unsalted HKDF in utils.py Low
2. 2 Multiple issues related to curve specification High
3. 3 Multiple issues related to parametrization over arbitrary curves High
4. 4 Insuficient validation of signatures High
5. 5 Network cannot detect malicious nodes High
6. 6 NuCypherKMSToken may be vulnerable to transaction reordering attacks Medium
7. 7 Server implements no rate-limiting functionality High
8. 8 Database has no snapshot and rollback functionality Medium
9. 9 Lack of anonymity allows collusion-based attacks High
10. 10 Database has no access controls Low
11. 11 ProxyRESTServer.set_policy can be used to invalidate policy arrangements Medium
12. 12 Several issues related to policy issuance Medium
13. 13 Work orders have no protection from replay attacks Low
14. 14 Ursula’s responses are unauthenticated Low

Findings extracted from the published report PDF. See the full report below for details and remediation.