First, I would like to preface this with the fact that I am not a software developer or engineer. The team at Nucle is far better at this than I will ever be, and if they wanted to pull a fast one on me or obfuscate parts of their Chia wallet they easily could. This should also not be viewed as any sort of security review of the Nucle platform itself – I was not looking at the system end-to-end but at the back-end code that will make up the web service that interfaces between the client devices and the Chia network. Some of the things I note in this article can be mitigated through upstream or downstream infrastructure and configuration. So here it is, my initial thoughts on the Nucle back-end source code.
The first thing I looked for was evidence that the Nucle application was accepting private keys and signing spendbundles on behalf of the user. This is why we’re all here, right, to check out local signing on the device? Well, because I am looking at it backwards (i.e., not the client application but the server one) I cannot show you the function that is signing the transactions, because it is not here. I have looked through all the code and cannot find anything that accepts a private key and uses that to sign a transaction.
What I can find is that when the back end sends a transaction to the full node, that transaction needs to be fed an existing hash and spendbundle from the client. So unless they are using some sort of middleware application they aren’t discussing, it appears to me that the private keys signing transactions are doing so on-device. That doesn’t mean they are doing it well, or that their crypto is properly implemented. But it does mean that if you are using a Nucle application, your private keys do not get sent to the server application – or if they do, it doesn’t really know what to do with them. Assuming no fancy obfuscation.
A Chia Plot community member has graciously offered to do a real deep dive of the code with me, and I plan to take full advantage of that. I suspect he will be able to find more things wrong than I am able to. But on that note, there are a few areas I would recommend the Nucle team take a look at.
First is architecture. Their example architecture here involves running a webapp/database on the same instance, with Redis and the httpd deploying together. They are properly proxying it with Nginx, but their Nginx config isn’t perfect and is more suitable for a small blog than a financial services wallet. No TLS 1.3? Come on. This should also be segmented, with the reverse proxy running on a hardened box external to the web app itself. Nginx is easy to do that with, and they might be doing that part properly, so let’s hope.
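One way to check an Nginx config for the TLS point raised above, as an added example (not code from Nucle or from the original article). The function name, the finding labels and the sample server block are assumptions constructed for illustration.

```javascript
// Added example: audit nginx configuration text for its TLS protocol settings.
// The sample config below is constructed for illustration; it is not Nucle's.
const LEGACY = new Set(["SSLv2", "SSLv3", "TLSv1", "TLSv1.1"]);

function stripComments(conf) {
  // nginx comments run from '#' to end of line (a quoted '#' is not handled here).
  return conf.split("\n").map((l) => l.replace(/#.*$/, "")).join("\n");
}

function auditSslProtocols(conf) {
  const text = stripComments(conf);
  const findings = [];
  // \b keeps proxy_ssl_protocols (upstream side) from matching.
  const re = /\bssl_protocols\s+([^;]+);/g;
  let m;
  let seen = 0;
  while ((m = re.exec(text)) !== null) {
    seen += 1;
    const protos = m[1].trim().split(/\s+/);
    const line = text.slice(0, m.index).split("\n").length;
    const legacy = protos.filter((p) => LEGACY.has(p));
    if (legacy.length > 0) {
      findings.push({ line, issue: "legacy-protocol", detail: legacy.join(" ") });
    }
    if (!protos.includes("TLSv1.3")) {
      findings.push({ line, issue: "tls13-missing", detail: protos.join(" ") });
    }
  }
  if (seen === 0) {
    // Without the directive, the effective set depends on the nginx version's default.
    findings.push({ line: 0, issue: "no-explicit-ssl_protocols", detail: "version default applies" });
  }
  return findings;
}

const SAMPLE_WEAK = `
server {
    listen 443 ssl;
    # ssl_protocols TLSv1.3;   (commented out, must be ignored)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / { proxy_pass http://127.0.0.1:3000; }
}`;

const SAMPLE_FIXED = SAMPLE_WEAK.replace(
  "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;",
  "ssl_protocols TLSv1.2 TLSv1.3;"
);

console.log(auditSslProtocols(SAMPLE_WEAK));
console.log(auditSslProtocols(SAMPLE_FIXED));
```

The check only reads the text it is given, so `include`d files have to be concatenated first, and a terminating load balancer in front of Nginx would need its own review.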
Also, their app seems to use keys stored on disk, and seemingly in every instance, as well as passwords stored in a config file. They also seemingly turn off Cross Site Request Forgery protection, which makes sense for a multilayer app but only if they have something else on the front end handling that. That is not documented for any other users that might fork the web application and allow for insecure requests. I am not sure how much of this comes from the Node.js framework they are using, or how much is a Nucle architectural decision, but these are the areas I would focus on after a quick glance. Some low-hanging fruit, and it might even be solved depending on how they compose their Docker image. But it’s not documented if so, at least not here.
And last, they have a hard-coded API endpoint to the Coinbase pricing API to get the XCH price in USD that they display in their wallet. This probably doesn’t pose an actual security issue because they aren’t selling anything or executing trades based on that endpoint. But it is bad practice to put external URLs that you do not control directly into your source code.
All in all, I think Nucle has done a really good job here. The code is clean and readable and no major red flags popped out at me. A few minor issues that are more areas for improvement than actual problems. I am looking forward to digging into the code in depth with expert assistance once it is released for real.