feat: update 10,000,000 (#210)

Audit results (Update Nr.128)

_updates/2023-07-05-update-112.md

@@ -5,6 +5,7 @@ date: 2023-07-05
 author: Cayle Sharrock
 thumbnail: update-background.jpg
 title: Audit announcement
+permalink: /updates/audit-announcement/
 class: subpage
 ---
 
@@ -39,4 +40,4 @@ Together, this represents a reasonably thorough coverage of the Tari codebase. O
 auditing guarantees that a codebase is bug-free. The intent is to demonstrate that the Tari community has taken all
 practical steps to produce a codebase that is secure and reliable, even in the absence of any guarantees.
 
-Let’s see what the next three months bring. We are quietly hopeful that the audit proceeds well.
+Let’s see what the next three months bring. We are quietly hopeful that the audit proceeds well.

_updates/2024-02-14-update-128.md

@@ -0,0 +1,88 @@
+---
+layout: update
+tag: Developer Update
+date: 2024-02-14
+author: CjS77   
+thumbnail: audit_bg.webp
+title: The Tari base layer audit report
+class: subpage
+---
+
+Welcome to Developer Update #10,000,000!
+
+Binary haters will say it's only number 128.
+
+## The Tari base layer audit
+
+We announced the start of Tari's base layer code audit way back in 
+[Developer update #112](/updates/audit-announcement/). 
+
+The review was completed in November 2023 -- a four-month effort -- and the audit report from Coinspect is now 
+[available](https://www.coinspect.com/tari-security-audit/), and we are happy to share it with the community.
+
+The audit covered around 60% of the most critical parts of the quarter million lines of Tari's base layer code.
+
+I must commend the incredible work done by the Coinspect team. The fact that they could take such a complicated 
+piece of software, break it down, and put their finger on so many high severity issues in a relatively short 
+period is testament to the expertise that was deployed on this audit.
+
+The architectural diagram they produced, I'm somewhat abashed to write, provides a clearer picture of information flow 
+between the Tari base layer subsystems than anything currently in our [doc stack](https://rfc.tari.com)! We may have 
+to commandeer this diagram for RFC-0111 going forward :)   
+
+![Tari base layer architecture](https://www.coinspect.com/assets/images/blog/tari-tm.png)
+
+## The audit process
+
+The Coinspect team worked independently of the Tari core developers, but we scheduled regular calls to share progress 
+and feedback as to the general themes of issues that were being discovered.
+
+For example, the auditors identified a cluster of issues around merge-mining. 
+There was another thematic cluster of issues concerning data handling which could lead to denial-of-service attacks.
+
+This early and regular feedback made it clear that we were missing multiple issues that had a common underlying cause. 
+After some investigation and multiple discussions, we identified several shortcomings in our review processes.
+
+The core developers then set about developing a 
+new set of [processes](https://pqri.org/wp-content/uploads/2015/08/pdf/HAZOP_Training_Guide.pdf) and 
+[guidelines](https://github.com/tari-project/tari/blob/ab8d96afa0808f6afe498e82172ac1475968a286/docs/src/reviewing_guide.md) 
+for managing code quality and started applying it both retroactively and to new code.
+
+The impact was immediate and the frequency of high-severity issues found by Coinspect started to drop off significantly.
+
+## The results
+
+Ultimately, there were quite a large number of high-severity issues (22) identified by the auditors, even considering 
+the size of the code base.
+
+Of note, there were zero **critical** issues identified.
+
+These issues have all been resolved and identified as such by Coinspect.
+
+<img src="/assets/updates/img/audit-issue-count.png" alt="Audit results" class="responsive-image">
+
+## Conclusion
+
+The fact that the core consensus code and blockchain systems have had an expert set of eyes cast over them aside, 
+the learnings taken from working with the Coinspect team and the subsequent improvements to the Tari code review 
+process are the most valuable aspect of the entire exercise.
+
+<img src="/assets/updates/img/audit.webp" alt="Auditing the block chains" class="responsive-image">
+
+I am quietly confident that when the time comes for the Layer Two audit, the steps that have been put in place will 
+be evident, and the concentration of findings will be severely reduced, even given that the layer 2 code is 
+completely new and, in many places, unique technology. 
+
+I'll let the Coinspect team have the last word, taking this quote from their 
+[blog post](https://www.coinspect.com/tari-security-audit/):
+
+> Tari is a great example of a bleeding-edge blockchain with several features that make it an interesting case study 
+with non-trivial vulnerabilities...
+Interactions with Tari during the audit process were superb. The development team showed understanding of the 
+issues encountered and promptly began the work to not only fix the reported issues but to implement recommended 
+security policies such as fuzzing. They have shown that security is a top concern for them and are committed to 
+continually decrease the risk for future users.
+
+
+
+