As I write this, I’m sitting in the London office thinking about how to give you a good overview of the work we’ve been doing to secure Ethereum’s protocols, clients, and p2p network. As you may recall, I joined the Ethereum team late last year to manage the security audit. As spring has passed and summer has come and various audits have finished in the meantime, now is a good time to share some results of the world computer engine room inspection. 😉
This much is clear: as much as client delivery is an elaborate product development process, it is also an exciting but highly complex research effort. The latter is why even the best-planned development schedule is subject to change as we discover more about our problem domain.
The security audit began late last year with the development of an overall strategy to ensure maximum security for Ethereum. As you know, we have a security-driven development process, rather than a schedule. With this in mind, we have developed a multi-tiered audit approach consisting of:
- Analysis of new protocols and algorithms by established blockchain researchers and specialized software security companies.
- Comprehensive audit of protocols and implementation by a world-class expert security consultancy (Go followed by C++ and a basic audit for the educational Python client), as well as
- The bug bounty program.
The analyses of the new protocols and algorithms covered topics such as the security of:
- The economy of gas
- The new ASIC-resistant proof-of-work puzzle, as well as
- The economic incentive of mining nodes.
The “crowdsourced” audit component started around Christmas along with our bug bounty program. We had set aside an 11-digit satoshi amount to reward people who found bugs in our code. We have seen very high quality submissions to our bug bounty program, and hunters received the corresponding rewards. The bug bounty program is still running and we need more submissions to exhaust the allocated budget…
The first major security audit (covering gas economics and the PoW puzzle) by security consultancy Least Authority kicked off in January and continued through the end of winter. We are very pleased to have agreed with the majority of our external auditors that those audit reports will be made publicly available once the audit work and the fixing of the findings are complete. So, along with this blog post, we are delighted to introduce the Least Authority audit report and accompanying blog post. In addition, the report contains useful recommendations for ÐApp developers to ensure secure contract design and implementation. We hope to publish more reports as they become available.
We also engaged another software security firm earlier in the year to provide audit coverage of the Go implementation. Given the increased security that comes with multiple clients, and as Gav mentioned in his previous post, we have also decided to give the Python and C++ clients a light security audit starting in early July. The C++ code will receive a full audit immediately after. Our goal with this approach is to ensure that multiple audited clients are available as early as possible during the launch process.
We kicked off this extensive Go client audit, also known as the “end-to-end audit,” in February with a week-long workshop, followed by weeks of regular verification calls and weekly audit reports. The audit was incorporated into a comprehensive process for tracking and fixing bugs, managed and tracked on Github by Gustav, with Christoph and Dimitry coding the corresponding required tests.
As the name implies, the end-to-end audit was focused on covering “everything” (from networking to the Ethereum VM to the PoW and sync layer) so that at least one auditor had verified each of the various core layers of Ethereum. One of the consultants recently summed up the situation quite succinctly: “To be honest, Ethereum’s testing needs are more complex than anything I’ve seen before.” As Gav reported in his latest blog post, due to the significant changes in the networking and synchronization strategy, we finally decided to commission more audit work for Go, which we are about to finish this week. The comprehensive audit of C++ and the basic audit of Python are starting now.
Audit work with subsequent bug fixing and regression testing, as well as related refactoring and redesign (of the network layer and synchronization), makes up the bulk of the work that keeps developers busy right now. Fixing findings, redesign, and regression testing are also the reason for the late delivery. In addition, the Olympic testing phase has taught us a lot about resilience in various scenarios such as slow connections, bad peers, peers behaving strangely, and outdated peers. The biggest challenge so far has been fighting and recovering from forks. We learned a lot from the recovery attempts about the processes required when dealing with these types of scenarios and incidents.
It may not come as a surprise that the various audits represent a significant expense, and we believe it is money that could not be better spent.
As we get closer to launch, safety and reliability are increasingly on our minds, particularly given the handful of critical issues found during the Olympic test launch. We are very grateful for the enthusiasm and thorough work that all the auditors have done so far. Their work helped us refine the specification in the Yellow Paper, remove ambiguity, fix several subtle issues, and identify a number of implementation bugs.