Functional Programming

Aug 9, 2018

Haskell Library Audit Reports

Since December, FP Complete has been working with Cardano Foundation on an audit of the Cardano settlement layer. The audit work is ongoing, with the currently released reports available on Cardano's website.


The primary codebase we have been reviewing, cardano-sl, depends on many packages from the Haskell ecosystem. As a result, a significant portion of our audit work involves reviewing these open source libraries, often quite separately from their usage within the Cardano project itself.


We believe that sharing the results of our library audits can be helpful for the Haskell community in general by:

  • identifying concrete areas that can be improved
  • sharing information on our review process
  • encouraging a culture of pushing for higher quality in our commonly used open source libraries

With Cardano Foundation's permission (and encouragement), we're excited to announce that we will begin publishing audit reports on individual libraries in addition to our work on auditing the Cardano project itself.


For the most part, the choice of libraries to be audited will be guided by usage within cardano-sl, as our primary goal remains to perform an audit on that codebase. We will also be withholding security sensitive discoveries until fixes can be made upstream, following the principles of responsible disclosure.


Our first audit report covers the binary library, and is available immediately. Please see Cardano Foundation's announcement blog post for details. UPDATE: the external blog post has been deleted.

We do not have a specific timetable for future report releases, but expect to see such reports announced both on Cardano Foundation's website and on this blog.


We also look forward to sharing some of our code review techniques and tooling with the community. To find out more about our audit process you can also visit our audit page.