The report summary:
Quarkslab has studied the security of the Monero Research Lab’s new Proof-of-Work algorithm called RandomX. The evaluation was spread over about three weeks for a total of 32 days with three engineers. It took over from three other security audits, all four made possible thanks to the Open Source Technology Improvement Fund.
Therefore, to maximize the value of a fourth review, Quarkslab focused part of its efforts on:
• the analysis of a few areas less covered by the previous reports,
• the analysis of the previous reports, the responses of Monero Research Lab, and the subsequent changes in the code and in the specifications.
Despite a highly complex and radically new subject, the documentation and code of RandomX were of very high quality. All the attack paths we could think of had already been taken into account or at least studied in the previous audits. Then we reviewed the previous reports, the Monero Research Lab replies and their subsequent code changes. We agree with them.
Moreover, we didn’t find any significant optimization of the proof-of-work algorithm, even with approximations.
(To be clear – we staggered the 4 reviews instead of running them concurrently, to make sure the last team would benefit from and build on all the work done for the preceding reviews.)