Audit of LF Energy PowSyBl Ensures Security of Power Systems Tool
LF Energy is pleased to announce the publication of a comprehensive security audit of the PowSyBl project, conducted by Ada Logics and coordinated by the Open Source Technology Improvement Fund (OSTIF). This audit was funded by LF Energy as part of our ongoing commitment to improving the security and resilience of the open source software that underpins the energy transition.
PowSyBl (Power System Blocks) is an open source library dedicated to modeling, simulating, and analyzing electrical power systems. It plays a critical role in the modernization of grid operations and planning, particularly in the context of integrating renewable energy resources.
Key Findings and Outcomes
The audit, conducted over five weeks in March and April 2025, included:
- Threat modeling of the PowSyBl architecture and its deployment environments.
- Manual auditing of 13 core PowSyBl repositories.
- Development and integration of fuzz tests covering over 50 target APIs into Google’s OSS-Fuzz, enabling continuous testing for future vulnerabilities.
- Nine security issues were discovered and resolved, including:
- Three moderate-severity issues:
- Polynomial ReDoS (Regular Expression Denial of Service) vulnerabilities,
- XXE/SSRF attacks via XML parsing,
- Insecure deserialization in the SparseMatrix class.
- Six low-severity issues related to input validation and error handling.
- Three moderate-severity issues:
All issues identified in the audit have been resolved by the PowSyBl maintainers. These fixes have strengthened the security posture of the project and improved its robustness for real-world deployments.
Why Security Audits Matter
As open source software continues to form the backbone of digital infrastructure – including energy systems – its security must be treated as a top priority. Security audits help identify vulnerabilities before they can be exploited, build trust among users, and ensure safe adoption across industry.
This audit exemplifies the importance of collaboration between open source communities, specialized security firms like Ada Logics, and coordination entities such as OSTIF. It also underscores LF Energy’s commitment to secure, production-grade tooling for the future of energy.
Continuous Security
Beyond fixing current vulnerabilities, the integration of PowSyBl into OSS-Fuzz enables ongoing security testing. Any future regressions or newly introduced issues will be automatically flagged and addressed, helping ensure long-term resilience.
Read the Full Report
The full audit report, including detailed findings, proof-of-concept examples, and recommended mitigations, is available here.
You can also read OSTIF’s blog post about the audit process here.
