Public Report – IOV Labs powHSM Security Assessment

In June 2022, IOV Labs engaged NCC Group to perform a review of powHSM. Per the project documentation: “Its main role is to safekeep and prevent the unauthorized usage of each of the powPeg’s members’ private keys. powHSM is implemented as a pair of applications for the Ledger Nano S, namely a UI and a Signer, and it strongly depends on the device’s security features to implement the aforementioned safekeeping.”

In total, two consultants contributed 20 person days of effort over approximately five weeks. The assessment primarily focused on source code review, supplemented by 2 Ledger Nano S devices provided by IOV to facilitate testing.

In September 2022, the same consultants reviewed an updated version of the library
addressing the findings in this report. In general, all findings and major comments were
addressed by IOV and all documented findings are considered fixed.

The Public Report for this review may be downloaded below: