Earlier this year, we launched a bug bounty program focused on finding problems in the beacon chain specification and/or client implementations (Lighthouse, Nimbus, Teku, Prysm, etc.). The results (and vulnerability reports) have been illuminating, as have the lessons learned while fixing potential issues.
In this new series, our goal is to explore and share some of the insights we’ve gained from security work to date and as we move forward.
This first post will look at some of the submissions specifically targeted at BLS primitives.
Disclaimer: All the bugs mentioned in this post have already been fixed.
BLS is everywhere
A few years ago, Diego F. Aranha gave a talk at the 21st Elliptic Curve Cryptography Workshop titled "Pairings are not dead, just resting". How prophetic.
Here we are in 2021, and pairings are one of the main players behind many of the cryptographic primitives used in the blockchain space (and beyond): BLS aggregate signatures, zk-SNARK systems, etc.
Development and standardization work related to BLS signatures has been an ongoing project for EF researchers for some time now, driven in part by Justin Drake and summarized in a recent post of his on Reddit.
Latest and greatest
Meanwhile, there have been many updates. BLS12-381 is now universally recognized as the pairing-friendly curve to be used given our current knowledge.
Three different IRTF drafts are currently in development:
Also, the beacon chain specification has matured and is already partially deployed. As mentioned above, BLS signatures are an important piece of the puzzle behind proof-of-stake (PoS) and the beacon chain.
Recent Lessons Learned
After collecting submissions directed to the BLS primitives used in the consensus layer, we can divide the reported errors into three areas:
- IRTF draft oversights
- Implementation bugs
- IRTF draft implementation violations
Let’s zoom in on each section.
IRTF draft oversights
One of the reporters (Nguyen Thoi Minh Quan) found discrepancies in the IRTF draft and published two white papers with his findings:
While the specific inconsistencies are still under discussion, he found some interesting implementation issues while doing his research.
Implementation bugs
Guido Vranken was able to discover several "small" problems in BLST using differential fuzzing. See the following examples:
He capped this off with the discovery of a moderate vulnerability affecting the BLST function blst_fp_eucl_inverse.
IRTF draft implementation violations
A third category of bug was related to violations of the IRTF draft in implementations. The first one affected the Prysm client.
To describe this, we must first provide some context. The BLS signatures IRTF draft includes 3 schemes:
- basic scheme
- message augmentation
- proof of possession
The Prysm client doesn't make any distinction between the 3 in its API, which is unusual among implementations (compare e.g. py_ecc). A peculiarity of the basic scheme, quoting the draft verbatim: "This function first ensures that all messages are distinct". This was not ensured in the AggregateVerify function. Prysm fixed this discrepancy by deprecating the use of AggregateVerify (which is not used anywhere in the beacon chain specification).
A second problem hit py_ecc. In this case, the serialization process described in the ZCash BLS12-381 specification requires every encoded integer to lie within the range [0, p-1]. The py_ecc implementation performed this check for the G2 group of BLS12-381 only for the real part of the x coordinate, but did not perform the range check (modulo operation) for the imaginary part. The issue was fixed with the following pull request: Insufficient validation on deserialization decompress_G2 in py_ecc.
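To make the py_ecc class of bug concrete, here is an added example (not py_ecc's code) that splits a Zcash-format compressed G2 point into its two Fp2 limbs and shows a decoder that range-checks only one component beside one that checks both. The `encode_g2_x` helper and the sample values are constructed for the demonstration and do not check that the point is on the curve.

```python
# BLS12-381 base-field modulus p (public curve constant).
P = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab
FLAG_MASK = (1 << 381) - 1  # top 3 bits of the first 48-byte limb hold the flags


def split_g2_compressed(data: bytes) -> tuple[int, int, int]:
    """Split a 96-byte Zcash-format compressed G2 point into (flags, c1, c0).

    The x coordinate is an Fp2 element x = c0 + c1*u; the Zcash encoding
    stores c1 (with the compression/infinity/sort flags in its top 3 bits)
    followed by c0, each as a 48-byte big-endian integer."""
    if len(data) != 96:
        raise ValueError("compressed G2 point must be 96 bytes")
    z1 = int.from_bytes(data[:48], "big")
    z2 = int.from_bytes(data[48:], "big")
    return z1 >> 381, z1 & FLAG_MASK, z2


def decode_g2_x_lenient(data: bytes):
    """Flawed pattern described in the post: only the real part c0 is
    range-checked. Returns (c0, c1), or None when the input is rejected."""
    _flags, c1, c0 = split_g2_compressed(data)
    if c0 >= P:
        return None
    return c0, c1  # c1 >= p slips through: a non-canonical encoding is accepted


def decode_g2_x_strict(data: bytes):
    """Hardened version: the compression flag must be set and both Fp2
    components must lie in [0, p-1], as the Zcash specification requires."""
    flags, c1, c0 = split_g2_compressed(data)
    if not (flags >> 2) & 1:
        return None
    if c0 >= P or c1 >= P:
        return None
    return c0, c1


def encode_g2_x(c1: int, c0: int, flags: int = 0b100) -> bytes:
    """Constructed test encoder (hypothetical helper; no on-curve check)."""
    return ((flags << 381) | c1).to_bytes(48, "big") + c0.to_bytes(48, "big")


if __name__ == "__main__":
    canonical = encode_g2_x(5, 7)
    # Same field element, different bytes: (5 + p) reduces to 5 mod p.
    non_canonical = encode_g2_x(5 + P, 7)
    assert decode_g2_x_strict(canonical) == (7, 5)
    assert decode_g2_x_lenient(non_canonical) == (7, 5 + P)  # accepted
    assert decode_g2_x_strict(non_canonical) is None  # rejected
    print("strict decoder rejects the non-canonical G2 encoding")
```

The practical consequence of the lenient check is that two distinct byte strings decode to the same point, so any code that assumes the encoding is unique (deduplication, hashing of signatures or public keys) can be confused.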
Closing
Today we took a look at the BLS-related reports we've received as part of our bug bounty program, but this is definitely not the end of the story for security work or for BLS-related adventures.
We strongly encourage you to help ensure that the consensus layer continues to grow more secure over time. With that, we look forward to hearing from you and encourage you to DIG! If you believe you have found a security vulnerability or bug related to the beacon chain or related clients, submit a bug report! 💜🦄