Today we would like to announce the start of a multi-vendor security assessment of the Nimbus Beacon Chain codebase! This start is the result of the wonderful response we received from the initial Request for Proposal (RfP) sent out earlier this year. We spent a lot of time and thought poring over the proposals we received and are very excited with what we have now. We are even more excited to share the findings and their mitigation as we come across them.
This assessment is structured a little bit differently than the average "security audit" you may read about, in that it is spread across multiple vendors, it is over a longer period of time, and is more open for the public to follow. We at Status have attempted to craft a more open, collaborative, and sustainable relationship with those that assess our codebase.
Here's the rundown of how things are starting.
In a nutshell, we have three separate third-party security vendors spread out across the scope described in the initial RfP. One of the three vendors was also chosen as a "champion." This champion assumes additional support roles with respect to coordination, information dissemination, and administration of the issues found during the process.
Here are the chosen vendors and a bit about them.
ConsenSys Diligence
ConsenSys Diligence is excited for the opportunity to champion the audit of the Nimbus ETH2.0 client. As part of ConsenSys, our mission includes enabling the security and success of ETH2.0, and provides us access to leading researchers in the space, including engineers from PegaSys and ConsenSys RnD.
NCC Group
NCC Group has a twenty-year proven track record of providing scanning and penetration testing services on a global scale to thousands of clients. Our background, expertise, and skills have been major factors in our continued success. NCC Group is a full-service security company supporting clients from all sectors around the world. We are a trusted partner to the world’s largest and most complex organizations, across its three divisions: Escrow, Domain Services and Consultancy.
NCC Group’s specialized Cryptography Services Division team specializes in novel cryptographic implementation and design assessments across a range of areas such as open-source cryptography projects, embedded devices, post-quantum cryptography, blockchain ecosystems, smart contract execution environments, authentication mechanisms, encryption tools and custom protocol reviews. Our Cryptography Services also devote significant time to cryptography research across multiple areas and regularly present and deliver cryptography training.
Trail of Bits
Trail of Bits is a full-service security firm, with specialized expertise in blockchain, cryptographic, and application security reviews. Resources from across our internal security engineering, software engineering, and cryptography teams will be available as needed for the duration of the assessment. Trail of Bits intends to deliver not just a list of bugs, but guidance, continuous support, and custom tooling when necessary to enhance the security posture of the system and its intended use case.
Scope and Assignment
Each of the vendors has been selected to focus on a selection of subtopics of the original scope. This is an attempt to reduce redundant work across parties and increase the effective amount of time spent looking for vulnerabilities.
As a recap, the assessment is planned to be done over three separate stages over a total of four months. Each stage comprises a focused vendor assessment of a specific section of the codebase, followed by a period of time for the Nimbus team to respond to and fix the issues discovered, and finally a short period for vendor verification of the respective responses. The stages are as follows (subtopics can be found in the original RfP linked above):
- Network core (leveraging the libp2p framework)
- ETH2 Specification core
- Validator core and user experience
ConsenSys was assigned subtopics equally across all three assessment stages. As a vendor with a workload distributed across all three stages of the assessment, and given their connection to the Ethereum ecosystem at large, ConsenSys was also chosen as the "champion" to help facilitate efficient communication across all parties involved.
NCC was assigned the subtopics which involve the heaviest amount of cryptography. Thus, they are spread across all three stages, but more heavily involved in stages 1 and 3.
Trail of Bits was assigned the lion's share of subtopics within stage 2 of the assessment, with nothing in stage 1 and a smaller assignment in stage 3.
The Disclosure Process
ETH2.0 development is an open and ongoing process across many implementations, as well as the Ethereum Foundation itself. In other words, it is a highly collaborative process. To this end, we have shaped this assessment to encourage collaboration and transparency across all interested parties.
Each of the vendors will approach issue disclosures in much the same way they would report bugs and findings to any open source project they were interested in: through GitHub Issues. In order to track things, we have created a process that describes the appropriate labeling and the information that should be included.
Since the ETH2.0 beacon chain is not in production at this point, we feel that submitting and responding to issues in the public repositories is perfectly reasonable and promotes transparency and collaboration without drastically increasing the process burden on any of the teams involved. This also leaves a very easy "audit trail" to follow later down the line.
Throughout the assessment, both Status and ConsenSys will work together to compile the issues found and the relevant information surrounding them. This will serve both as a summary report to facilitate internal communication and as outward communication for those that would like to follow and learn along with us.
The specific format and frequency of these summaries is yet to be determined, but will at the very least follow each phase conclusion so that the beginning of the next phase starts off with all the relevant information at hand.
We are very excited to start this assessment and look forward to the lessons learned as well as a more hardened codebase. The format of this endeavor is an experiment and an attempt at fostering long-term relationships with the security community. We would like to thank the vendors chosen for their willingness to work with us through this process, as there will be coordination bumps along the way. We hope that the process we arrive at in the end is one that can be duplicated by other projects, and that it fosters a strong relationship between the broader security community and open, permissionless blockchain networks.
Stay tuned for more!