
Go SDKs and Python DAZL Contributions for Canton #39 Milestone 3: Security Audit + Remediation

Open issue, opened by pedrodneves on 30-04-2026
560K CC requested

Milestone 3: Security Audit + Remediation

  • Payment: 560,000 CC (breakdown: ~160,000 CC vendor audit fee + ~400,000 CC Noders remediation)
  • Deadline: 4 months after grant approval
  • Focus: Establish a formal, externally validated security baseline for the Go SDKs.
  • Cost basis: Vendor quote received (Cure53) — $24,000. The remaining ~400,000 CC covers Noders engineering time for scope definition, audit coordination, and full remediation.
  • Audit scope: Production-relevant code in go-daml and go-wallet-daml, including authentication, credential handling, gRPC transport, codec/serialization logic, cryptographic primitives, wallet operations, and any code generation or supporting components that may affect production behavior. A detailed scope document will be agreed with the auditor and published before the audit starts.
  • Deliverables / Value Metrics:
    - Engage an independent security auditor to review the in-scope Go SDK code.
    - Agree on audit scope with the auditor and security subcommittee; publish the scope document.
    - Receive and review the audit report.
    - Remediate all critical and high findings; document accepted/deferred medium and low findings with rationale.
    - Publish a post-audit remediation summary in the repos.
    - Release patched versions of go-daml and go-wallet-daml with changelog entries referencing the audit.

_Originally posted by @pedrodneves in https://github.com/canton-foundation/canton-dev-fund/issues/38#issuecomment-4350328883_