Chinese CERT report puts NEM ahead of many projects in the blockchain space

A report published by Chinese CERT is indicating that NEM is one of the most secure Blockchains, outweighing most other blockchain projects.Copy of logo without bacground

From, published on the 12th of January 2017

[..In December 2016, China CERT released a 17-page security audit report of blockchain software. As per the report, the audit was conducted in October 2016 and released later as “open” document. The report examined 25 open-source blockchain projects, categorizing the vulnerabilities found into 9 classes. A total of 746 high-level attack vectors are detected. Ripple is rated the most insecure one with over 223 highly risky bugs.]

High-Quality Code reveal benefits of NEM

This test covers a variety of commonly seen security vulnerabilities, which are divided into 9 categories by the following criteria: formation cause of security vulnerabilities, the possibility of being exploited, the degree of harm and the difficulty to solve.

9 Vulnerability Categories

1. Input Validation and Representation
Input validation and representation problems are usually caused by special characters, encodings, and numerical representations. Such problems occur as a result of input trust. These problems include: buffer overflow, cross-site scripting, SQL injection, command injection and so on.
2. API Abuse
The API is a convention between the caller and the callee, and most API abuses are caused by the caller not understanding the purpose of the convention. Security problems can also arise when the API is not used properly.
3. Security Features
This category contains vulnerabilities in authentication, access control, confidentiality, password usage, and privilege management.
4. Memory Management
Memory management is a common type of vulnerability associated with memory operations, including memory leaks, post-release use, double-release and so on. This type of vulnerability usually leads to system performance degradation, program crashes and a common type of flaws in C / C + + language.
5. Time and State
Distributed computing is time and state dependent. The interaction between threads and processes and the order in which tasks are executed are often determined by shared state, such as semaphores, variables, file systems and so on. The vulnerabilities associated with distributed computing include race conditions, blocking misuse and so on.
6. Error and Exception Handling Errors
This type of vulnerability is related to error and exception handling, and the most common type of vulnerability is that there is no proper processing mechanism (or errors are not processed), resulting in unexpected termination of the program. Another vulnerability is that the error generated provides a potential attacker with too much information.
7. Code Quality
Poor code quality can lead to unpredictable behavior. For the attacker, the poor code enables them to threaten the system in unexpected ways. Common types of vulnerabilities include dead code, null pointer dereferences and resource leak.
8. Encapsulation and hidden defects
Reasonable encapsulation means that the distinction between verified and unverified data, distinction between data of different users, or distinguish data that is visible or invisible to users. Common vulnerabilities include hidden fields, information leakage, cross-site request forgery and so on.
9. Flaws in Code Runtime Environment
These types of vulnerability is external to the source code, such as runtime configuration issues, sensitive information management issues and so on, which are critical to the product security.


The report found no severe vulnerability in the core of NEM. With 0.28 vulnerabilities per 1000 lines, none of them critical, NEM can clearly be considered a top tier blockchain. In comparison, Ethereumj averages at 1.52 and much worse is Ripple, which is topping out surprisingly at a staggering 7.29 vulnerabilities, including high-level bugs.


25 projects being audited

[..Based on the number of user group, followers and commit frequency, the CERT lab selected 25 blockchains with well-known reputation and extensive community both at home and abroad. These softwares were written with C, C + +, Java, Python, PHP and other programming languages.

Figure 2 shows the statistics of high and medium level security vulnerabilities detected in the 25 projects. The red line indicates the number of vulnerabilities per thousand lines of code (total number of bugs / code lines * 1000)

Figure 2 shows the statistics of high and medium level security vulnerabilities detected in the 25 projects. The red line indicates the number of vulnerabilities per thousand lines of code (total number of bugs / code lines * 1000)



China CERT,  the National Computer Network Emergency Response Technical Team/Coordination Center of China (known as CNCERT or CNCERT/CC) , was founded in September 2002. It is a non-governmental non-profit cybersecurity technical center and the key coordination team for China’s cybersecurity emergency response community. The CERT lab speaks highly of the global development around blockchain technology but also reiterates the importance of blockchain software security..]



Original Report (chinese):

You may also like...