How do you know Ethereum is safe?
As I write this, I’m sitting in my London office thinking about how best to give an overview of the work we’ve been doing to secure Ethereum’s protocol, clients, and p2p network. As you may remember, I joined the Ethereum team late last year to manage security audits. With spring behind us, summer approaching, and several audits completed, this is a good time to share the results of our inspections of the world computer’s machine rooms. 😉
It has become clear that delivering a product to users is an exciting, yet highly complex combination of a research endeavor and a sophisticated product development process. The latter is why even the best-laid development schedules can change as we discover more about the problem area.
The security audit began late last year with the development of a general strategy to ensure maximum security for Ethereum. As you know, we follow a security-focused development process rather than a schedule-focused one. With this in mind, we put together a multi-step audit approach consisting of:
- Analysis of new protocols and algorithms by established blockchain researchers and professional software security companies
- End-to-end audit of protocols and implementation by a world-class professional security consulting firm (a main audit of the Go client, followed by the C++ and the educational Python clients)
- A crowdsourced bug bounty program.
The analysis of new protocols and algorithms covered the security of topics such as:
- Gas economics
- The newly designed ASIC-proof proof-of-work puzzle
- Economic incentives for mining nodes.
The “crowdsourced” audit component began around Christmas with the launch of a bug bounty program. We set aside an 11-digit satoshi amount to reward people who find bugs in the code. We saw very high quality submissions, and hunters who participated in our bug bounty program were rewarded accordingly. The bug bounty program is still live, and additional submissions are needed to use up the allotted budget…
The first major security audit by the security consulting firm Least Authority (covering gas economics and the PoW puzzle) began in January and continued until the end of winter. We are pleased to have agreed with the majority of our external auditors that audit reports will be made publicly available once the audit work is complete and the findings have been remediated. That’s why I’m excited to present, with this blog post, Least Authority’s audit report and accompanying blog post. The report also includes helpful recommendations for ÐApp developers on the secure design and deployment of their contracts. Additional reports will be posted as they become available.
We also partnered with another software security company earlier in the year to provide audit coverage of the Go implementation. Given the increased security that comes with multiple clients, as Gav mentioned in a previous post, we decided to commission simpler security audits of the Python and C++ clients starting in early July, with a full audit of the C++ code immediately afterwards. The goal of this approach is to have multiple audited clients as quickly as possible during the release process.
We launched our “end-to-end audit” in February, our most comprehensive audit of the Go client yet. This audit began with a one-week workshop, followed by several weeks of regular check-in calls and weekly audit reports. The audit was managed as part of a thorough process for tracking and fixing bugs on GitHub, with Gustav coding the required tests together with Christoph and Dimitry.
As the name suggests, the scope of an end-to-end audit covers “everything” (from networking to the Ethereum VM, the sync layer, and PoW), so at least one auditor will have cross-checked each of Ethereum’s core layers. One of our consultants recently summarized the situation very succinctly: “To be honest, Ethereum’s testing requirements are more complex than anything I’ve seen before.” As Gav reported in a previous blog post, due to significant changes in our networking and synchronization strategy we ultimately decided to commission additional audit work on Go, which is expected to be completed this week. End-to-end auditing of the C++ and Python clients is now in progress.
Audit work, including the subsequent bug fixes, regression testing, and related refactorings and redesigns (of the networking and synchronization layers), constitutes most of the work that currently keeps the developers busy. Likewise, the resulting modifications, redesigns, and regression testing cause delays in delivery. The Olympic testing phase also taught us a lot about resilience in different scenarios, such as slow connections, rogue peers, strangely behaving peers, and outdated peers. The biggest challenge so far has been fighting and recovering from the fork. We learned a lot from our recovery attempts about the processes required to deal with these types of scenarios and incidents.
It may not be surprising that multiple audits represent a significant expense, but we don’t think our money could be better invested.
As we get closer to launch, security and stability become more and more important, especially considering some significant issues discovered in the Olympic test release. We would like to express our deepest gratitude to all auditors for their passion and thorough work so far. Their work helped us refine the specifications of the Yellow Paper, remove ambiguities, resolve some nuanced issues, and identify several implementation bugs.