Monday, April 10, 2017

[Update] Do 2 non-CPA audits equal 1 CPA audit? Zcash gets non-audit firms to issue audit reports.

Last year, Zcash went live.

What is Zcash?

Zcash is a public blockchain similar to bitcoin. Zooko Wilcox, the founder of Zcash, explains what it is in the following video:



As he notes in the video, what distinguishes Zcash from bitcoin is that it offers greater privacy of the users as they don't have to disclose their private key (which is a pre-requisite for bitcoin). However, because Zcash uses zero knowledge proofs (see the amazingly easy to follow explanation below), there is no need for the private key to be revealed - thereby offering extra anonymity to the user.


However, what I thought was exceptional noteworthy about the Zcash is how it went about proving to the world that its code is sound. When Zcash went live, Coindesk reported the following:

"Notably, the development team released two audits conducted by NCC Group and Coinspect, respectively, ahead of the launch.

The reports sought to identify potentially harmful bugs in the cryptocurrency's code prior to launch. (The audits can be found here and here)."
The article referenced, a blogpost, which described the scope of the security audits as follows:

"Today we are publishing the final reports of each external security auditor we contracted this summer to review our code. We've triaged the issues found and addressed any we considered severe (e.g. could compromise user privacy, lose funds, break consensus, etc...).

NCC Group's conclusion was (also available here):

“NCC Group performed a two-part targeted review of the Zcash cryptocurrency implementation. The first part, performed by the Group's Cryptography Services practice, focused on validating that Zcash's implementation adhered to the Zcash Protocol Specification. An assessment looking for security errors within the cryptographic implementation was also performed. The second part was a C++ source code review for vulnerabilities using static and dynamic analysis and fuzz testing. The review also included a cursory assessment of dependent libraries and recommendations for improving software assurance practices at Zcash.

NCC Group identified an issue that would allow an adversary to tamper with the verification and proving keys used by the Zcash daemon as well as a number of C++ coding errors that could result in stack-based buffer overflows, data races, memory use-after-free issues, memory leaks, and other potentially exploitable runtime error conditions. Additionally, most, if not all, third-party open source library dependencies were identified as being out-of-date. In the end, NCC Group did not find any critical severity issues that would undermine the integrity of the Zcash blockchain or undermine the security of confidential transactions during the time that the review was conducted (from August 8 – September 2, 2016).”

As for Coinspet, they noted (also available here): 

"Coinspect reviewed Zcash's innovations over the Bitcoin Core source code, focused on evaluating its resistance against specific threats to cryptocurrencies. Coinspect identified high-risk and moderate-risk issues during the assessment that affected the performance and availability of the Zcash p2p network. The security issues identified did not allow remote code execution nor allowed an attacker to steal funds or compromise the privacy of Zcash users. However we found exploitable 51% and isolation attacks with minimum resources.

It is an honor for Coinspect to contribute with our cryptocurrency security experience to the exceptional team behind this exciting project."

What I thought was interesting, was a couple of things.

Firstly, these are purely tech experts, not CPAs. They are producing "audit reports" that users will rely on for privacy, ability for the protocol to generate consensus, and loss of funds. 

Of course, these are all things that a CPA firm couldn't opine on such things because the liability would be too much for the firm to bear.

But I think that's the point: if things are so complex/risky that a CPA firm can't produce the audit report, it leaves the field wild open for competitors like Coinspect and NCC Group (who were likely paid $250,000).

And is the twist, that they retained 2 or 3 firms to do this. I think that's the real interesting part. 

Audits completed by CPA are governed by strict standards of independence to ensure that the auditors are independent.  However, what Zcash is in effect saying that such issues can be overcome by getting two "unlicensed" auditors to opine on the same thing. Implicitly, why would the two independent parties collude on a lie? 

Initially Zcash as a cryptocurrency was not doing so well price-wise. When this post was originally written (on Dec 23rd) there were 188,905 transactions executed on this by blockchain. Today, roughly 3 months later on April 10th, the transaction count has more than doubled to 463,560. Furthermore, it is now the 9th most popular by market capitalization.

Te world of cryptocurrency is not as conservative world of financial statements. However, the approach that Zcash to gain trust essentially. Although we can have philosophical debates on whether this meets GAAS or not, the reality is someone has found a way to eat our lunch. 

Author: Malik Datardina, CPA, CA, CISA. Malik works at Auvenir as a GRC Strategist that is working to transform the way we do financial audits. 

No comments: