Bitcoin Forum
Author Topic: Looking for source code audit service  (Read 171 times)
AB de Royse777 (OP)
July 05, 2023, 06:46:35 PM
Merited by LoyceV (4)
 #1

One of my clients is looking for a third party trusted audit service to audit their product source code. I found some online services like keylabs and some others, but I don't have much knowledge to choose one. If you have knowledge and resources about it, then please suggest some to me.

Cheers,

If you have personal contact with any team and they have a good reputation, please suggest them; I will note it for the client.

Joel_Jantsen
July 05, 2023, 10:52:54 PM
 #2

Hello, could you elaborate on what domain the product source code to be audited is? Furthermore, what would be key points to evaluate the source code on?
 - Vulnerabilities?
 - Security Concerns?
 - Transparency?
 - Privacy?

I'd be able to help if the domain is my area of expertise.
NotATether
July 06, 2023, 06:57:40 AM
Merited by ABCbits (1)
 #3

Is this source code for a normal program or for a cryptocurrency project?

Because crypto projects have specialized auditing requirements, much different from normal programs. Not only do you have to check for security vulnerabilities in the software, you also have to make sure there are no monetary bugs in the software that could break the project (if it's some kind of financial asset), and ensure that there is not even the slightest possibility that some component of the application can be abused for this purpose or for theft.

DaveF
July 06, 2023, 10:52:15 AM
 #4

What language and what environment?

Someone who knows PHP for a website is going to be different than an audit group that works with C++ to create compiled code that runs on a desktop, and that same group would be useless if you want to have a phone app verified.

There are some larger organizations that 'do it all' but most of the better ones are more specialized.

-Dave

AB de Royse777 (OP)
July 06, 2023, 03:19:06 PM
 #5

Thanks Joel_Jantsen, NotATether, ETFbitcoin, DaveF.


Please read this update to find answers to any of your questions:

It's a Bitcoin mixer. They have coinjoin and an advanced feature of mixing bitcoin. The audit job is to try to track back the mixed funds.

You all must be familiar with coinjoin, so there is nothing new to explain.
Their advanced feature is to mix your bitcoin with XMR and then from XMR to bitcoin. You don't need to do it by yourself; when you choose the advanced option, the system does it for you. At least this is what I understood.

I guess now you have a better idea.

Please respond again and I will share the thread with my client so that they can receive your input to accept your suggestion or even give the job to check things.

Cheers,

DaveF
July 06, 2023, 04:36:47 PM
 #6

So not code auditing as much as funds traceability.

Still can't give an answer without more details, since there are 2 parts to the question.

1) Can someone de-compile the code / app and figure out how it works and trace things that way?

and

2) Can you just follow the funds?

If it's just a website, #1 does not come into play. If there is an app then it does.
1a) would be: if it's just a website, has anyone audited the back end code for issues that could be exploited to trace the funds?
1b) would be: if it's just a website, is there any back end code that pulls from other places that need to be checked?
See: https://www.trendmicro.com/vinfo/pl/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets

and
2a) would be who is controlling the funds, i.e. if you send to this app and it sends to exchange A and then triggers a conversion and then sends those coins to exchange B and then triggers a conversion back and sends the coins, since the funds would be out of their control for a period of time, it all becomes irrelevant since we would never know what the exchanges are doing.

-Dave

ABCbits
July 07, 2023, 09:39:18 AM
Merited by LoyceV (4)
 #7

> It's a Bitcoin mixer. They have coinjoin and an advanced feature of mixing bitcoin. The audit job is to try to track back the mixed funds.
>
> You all must be familiar with coinjoin, so there is nothing new to explain.
> Their advanced feature is to mix your bitcoin with XMR and then from XMR to bitcoin. You don't need to do it by yourself; when you choose the advanced option, the system does it for you. At least this is what I understood.

While a code auditor plays a role in that job, I think what your client actually needs is an expert in digital forensics/forensic analysis who has experience in the cryptocurrency field. And since many mixer/coinjoin techniques rely on the number of users to improve their privacy, the audit result could be less useful when your client has lots of customers.

AB de Royse777 (OP)
July 11, 2023, 10:47:33 AM
 #8

Bump.

Our goal is to find a suggested service or anyone who can do the job for my client. Please let me know your offers.


@DaveF, it's fund traceability.

> While a code auditor plays a role in that job, I think what your client actually needs is an expert in digital forensics/forensic analysis who has experience in the cryptocurrency field. And since many mixer/coinjoin techniques rely on the number of users to improve their privacy, the audit result could be less useful when your client has lots of customers.

Noted bud. Thanks.
 

CryptoHFs
July 11, 2023, 10:50:27 AM
 #9

Look no further https://www.certik.com/ code audit
https://www.chainalysis.com/ transaction tracking

LoyceV
July 12, 2023, 09:26:15 AM
 #10

See if you can contact the author of Breaking Mixing Services, he may know a thing or two about this.

> It's a Bitcoin mixer. They have coinjoin and an advanced feature of mixing bitcoin. The audit job is to try to track back the mixed funds.
> ~
> Their advanced feature is to mix your bitcoin with XMR and then from XMR to bitcoin.

Who's holding the XMR in this case? If it's the mixer, it's still a black box to the user: Bitcoin in > Bitcoin out. In that case I see no point in using XMR. If it's the user, there are 2 separate actions: Bitcoin in > Monero out and Monero in > Bitcoin out. In that case the connection between Bitcoins in and Bitcoins out should be pretty hard to find. Theymos wrote this:

> In order to get decent privacy, you have to do something like this:
>  1. Convert BTC to XMR (using your own Monero wallet, not a hosted wallet).
>  2. In two or more transactions of random amounts, move XMR from that wallet to a different wallet/account.
>  3. Optionally, you can repeat the above step with additional wallets/accounts for greater anonymity.
>  4. Preferably in two or more transactions of random amounts, convert the XMR in your last wallet in the chain to BTC.
>
> Ideally, all of the above should be performed over as long a period of time as you can tolerate.

CryptoHFs
July 12, 2023, 09:32:24 AM
 #11

> See if you can contact the author of Breaking Mixing Services, he may know a thing or two about this.
>
> > It's a Bitcoin mixer. They have coinjoin and an advanced feature of mixing bitcoin. The audit job is to try to track back the mixed funds.
> > ~
> > Their advanced feature is to mix your bitcoin with XMR and then from XMR to bitcoin.
>
> Who's holding the XMR in this case? If it's the mixer, it's still a black box to the user: Bitcoin in > Bitcoin out. In that case I see no point in using XMR. If it's the user, there are 2 separate actions: Bitcoin in > Monero out and Monero in > Bitcoin out. In that case the connection between Bitcoins in and Bitcoins out should be pretty hard to find. Theymos wrote this:
>
> > In order to get decent privacy, you have to do something like this:
> >  1. Convert BTC to XMR (using your own Monero wallet, not a hosted wallet).
> >  2. In two or more transactions of random amounts, move XMR from that wallet to a different wallet/account.
> >  3. Optionally, you can repeat the above step with additional wallets/accounts for greater anonymity.
> >  4. Preferably in two or more transactions of random amounts, convert the XMR in your last wallet in the chain to BTC.
> >
> > Ideally, all of the above should be performed over as long a period of time as you can tolerate.

If govs need to track a specific person's transactions, one way or another they would be able to do it. Mixers are only good for normal people that have no issues or big attention. If you are tracked, one way or another you will get caught.
