Kudelski Security, an international company that performs independent security audits, has carried out a review of the anticipated Bulletproof protocol. The audit is funded by the following sources: Monero Research Lab, The Monero Community, Private Internet Access, and OSTIF. Four deficiencies were found:
BP-F-001: Unsafe use of environment variables
Patch: This function no longer uses environment variables to set this value, as patched in commit 68f7606
BP-F-002: Lack of input validation in prover
Patch: Input scalars are now checked to ensure they are within the proper range in the prove and verify routines, as patched in 68f7606
BP-F-003: Integer overflow in bulletproof L size computation
Patch: Correct boundary checks have been added to avoid the overflow, as patched in commit 68f7606
BP-O-008: Undefined behavior shifting signed value
Patch: The function has been rewritten using a ternary operator in commit 68f7606
A second independent audit has also been commissioned from QuarksLab. It should be available within about a week.