CertiK has recently completed a Security Audit of the MYKEY Project, a self-sovereign identity system implemented on multiple public blockchains based on the underlying protocol, called KEY ID. Because KEY is an ERC20 token on the Ethereum network and each MYKEY account exists in the form of smart contract, the team heavily prioritized the security of their smart contracts. MYKEY selected CertiK as its trusted security service provider.
The Audit Process
MYKEY is an innovative, wallet-like smart contract currently on EOS. It aims to solve the pain points for EOS end users who require secure private keys storage and identifications within individual DApps.
The CertiK team assigned four engineers to work on the assessment MYKEY over the course of three weeks. The MYKEY team provided well-written documentation, as well as weekly sync-ups to support the auditing efforts. With this successful security audit, MYKEY will launch the beta and mainnet versions of their smart contract shortly.
Overall, the MYKEY logic design was clear and straightforward, although the implementation had complexities in order to correctly achieve its goals. CertiK team appreciated the professionalism of the MYKEY team and looks forward to the development of the project in other blockchain protocols, including Ethereum.
While auditing, the MYKEY source code was analyzed from multiple aspects by using different approaches, including CertiK’s Formal Verification and manual reviews by CertiK’s experts in smart contract security.
To summarize, CertiK did not find any critical or medium security issues, and all common loopholes and concerns regarding the design and implementation were discussed and tackled in a timely fashion. The final delivery of the audit contains low impact security suggestions, coding practice guidelines, and design recommendations for the MYKEY team. To highlight the MYKEY design of decoupling and concern-splitting, which allows the contract owner to achieve decentralization with minimal effort needed for future upgrades, the following observation is from the audit report:
The main design goal of the manager/logic dual-contract architecture is to detach action logic from action access / persistent data storage so that the latter does not need upgrades and can remain stable while the client applications have zero dependencies on the former, which thus can be easily upgraded by itself. Having all persistent data anchored in a stable, non-upgradable contract has great implications for data safety and security.
MYKEY is a self-sovereign identity system implemented on multiple public blockchains. It is also the first implementation based on the Key ID self-sovereign identity protocol. MYKEY Lab is a company that received funding from Bihu Key Foundation and runs the MYKEY App, which will be available in open source for both iOS and Android.
There are three main aspects of MYKEY’s future development: Asset Management, Social Relationship, and Data Protection.
In the case of Asset Management, MYKEY is a multi-chain wallet that gives users full control over their assets with the flexibility of freezing and restoring accounts when private keys get lost. MYKEY is also a building block of Web of Trust, elevating their Social Relationship initiative. Furthermore, in the context of Web 3.0, MYKEY turns data ownership back to users, protecting user privacy from the ground up.
CertiK is a blockchain and smart contract verification platform founded by top Formal Verification experts from Yale and Columbia University. Incubated by Binance Labs, Certik has strategic partnerships with the world’s leading crypto exchanges such as Binance, OKEx, and Huobi, as well as protocols such as NEO, ICON, and QuarkChain.
CertiK’s formal verification method works differently than traditional testing approaches: rather than working manually, CertiK mathematically proves blockchain ecosystem and smart contracts are hacker-resistant and bug-free at scale. CertiK has secured over $4B in asset value, auditing several projects across all major protocols, including BNB, Terra, Crypto.com, and TUSD.
To request the audit/verification of your smart contracts, please email firstname.lastname@example.org or visit certik.org to submit the request.