Cardano, the smart contract blockchain development platform, this month released an audit report that concentrates on the engineering work done by IOHK. The report was released by the Cardano Foundation.
The audit was done by FP Complete, a third-party firm that focuses on creating robust, high-quality server software. In releasing the report, the foundation said that it will be doing this on a monthly basis to provide transparency on the development work being carried out by IOHK. It will also enable IOHK to build on the development done so far and seek ways to improve its coding standards.
The Cardano Foundation will be the final auditor of the reports. Once an audit has been done, IOHK is given a window period to review it and respond to the issues raised by the auditors.
Some of the key details that emerged from the report:
- IOHK, the developers, had made heavy use of shell scripts that are not shellcheck-clean. In the worst case, these may introduce vulnerabilities. IOHK responded to this issue by saying that it will reduce the number of shell scripts it uses.
- FP Complete also found that the amount of code devoted to testing was insufficient. Failing to test the code may compromise the quality of the system in the long run. IOHK responded by saying that quality is a priority for it and that it will increase its test coverage.
- It was also noted that the platform calls the error function in numerous places without specifically identifying the explicit cause of the error. This may lead to a breakdown of the system in the future. IOHK responded by saying that it is reviewing this, but that its policy allows the error function in some instances.
- The auditors also found that most bugs lack regression tests. Regression testing means re-testing the code around identified bugs to ensure they do not recur. IOHK responded by saying it will implement best practices and improve its regression testing.
- When cloning on GitHub, the develop branch (the unstable version) has been set as the default branch instead of the master branch, which is the stable version. IOHK responded by saying that it did this because develop is the most suitable branch for external contributors. However, it went on to say that it is waiting for user feedback and that changes will be made over time.
- The auditors raised concern that the developers had not documented which areas and parts of the code had already been tested. They said it was essential to have a report on which parts of the code have already been tested.
- Finally, the auditors pointed out that there are multiple areas where redundant code is used. IOHK responded by saying that this will be investigated and appropriate action will be taken to correct it.