Over the past year, the Ethereum Foundation has significantly expanded its team of dedicated security researchers and engineers. New members have joined from backgrounds that include cryptography, security architecture, risk assessment, exploit development, and experience on both red and blue teams. They come from a range of industries and have worked on securing everything from the internet services we rely on daily to national healthcare infrastructure and central banking systems.
As The Merge approaches, much of the team's effort goes into examining, auditing, and researching the Consensus Layer from multiple angles, alongside The Merge itself. A sample of this work is presented below.
Client Implementation Audits 🛡️
Team members conduct audits on the various client implementations employing a range of tools and methodologies.
Automated Scans 🤖
Automated scans of the codebases focus on easily detectable issues: dependencies with known vulnerabilities, likely vulnerabilities in the code itself, and areas where the code could be improved. Static analysis tools in use include CodeQL, semgrep, ErrorProne, and Nosy.
Given the variety of languages used across the clients, we run both generic and language-specific scanners against the codebases and container images. The scanners are wired into a system that processes the output of all tools and reports new findings into the relevant channels. Because these are the same problems an adversary would find first with the same tools, fast reporting raises the odds that an issue is fixed before it can be exploited.
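As an added illustration (not the EF's reporting system, whose internals the post does not describe), the following Go program sketches the normalize, deduplicate and report step: it reads SARIF output, which CodeQL emits natively and semgrep can produce with `--sarif`, maps results into a common `Finding` type, fingerprints each one independently of its line number, and returns only findings that were not seen in a previous run. The sample logs, rule IDs, paths, and messages are constructed for the demo and do not come from any real scan.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Finding is the common shape every scanner's output is normalized into
// before it is deduplicated and reported.
type Finding struct {
	Tool, RuleID, Severity, Path, Message string
	Line                                  int
}

// sarifLog mirrors the subset of a SARIF 2.1 log that this example reads.
type sarifLog struct {
	Runs []struct {
		Tool struct {
			Driver struct {
				Name string `json:"name"`
			} `json:"driver"`
		} `json:"tool"`
		Results []struct {
			RuleID  string `json:"ruleId"`
			Level   string `json:"level"`
			Message struct {
				Text string `json:"text"`
			} `json:"message"`
			Locations []struct {
				PhysicalLocation struct {
					ArtifactLocation struct {
						URI string `json:"uri"`
					} `json:"artifactLocation"`
					Region struct {
						StartLine int `json:"startLine"`
					} `json:"region"`
				} `json:"physicalLocation"`
			} `json:"locations"`
		} `json:"results"`
	} `json:"runs"`
}

// ParseSARIF normalizes every result in a SARIF log into Findings.
func ParseSARIF(data []byte) ([]Finding, error) {
	var doc sarifLog
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, err
	}
	var fs []Finding
	for _, run := range doc.Runs {
		for _, r := range run.Results {
			f := Finding{Tool: run.Tool.Driver.Name, RuleID: r.RuleID,
				Severity: strings.ToLower(r.Level), Message: r.Message.Text}
			if len(r.Locations) > 0 {
				f.Path = r.Locations[0].PhysicalLocation.ArtifactLocation.URI
				f.Line = r.Locations[0].PhysicalLocation.Region.StartLine
			}
			fs = append(fs, f)
		}
	}
	return fs, nil
}

// Fingerprint identifies a finding independently of its line number, so that
// unrelated edits above it do not make an already-triaged finding look new.
func Fingerprint(f Finding) string {
	sum := sha256.Sum256([]byte(strings.Join([]string{f.Tool, f.RuleID, f.Path, f.Message}, "\x00")))
	return hex.EncodeToString(sum[:8])
}

// NewFindings returns the findings not yet in seen, errors before warnings,
// and records them in seen so the next run only reports what changed.
func NewFindings(all []Finding, seen map[string]bool) []Finding {
	rank := func(s string) int {
		switch s {
		case "error":
			return 0
		case "warning":
			return 1
		}
		return 2
	}
	var fresh []Finding
	for _, f := range all {
		if fp := Fingerprint(f); !seen[fp] {
			seen[fp] = true
			fresh = append(fresh, f)
		}
	}
	sort.SliceStable(fresh, func(i, j int) bool { return rank(fresh[i].Severity) < rank(fresh[j].Severity) })
	return fresh
}

// Constructed SARIF snippets standing in for real scanner output (not actual
// scan results); rule IDs, paths and messages are made up for the demo.
const (
	SampleSemgrep = `{"runs":[{"tool":{"driver":{"name":"semgrep"}},"results":[
	 {"ruleId":"example.bind-all-interfaces","level":"error","message":{"text":"RPC server listens on 0.0.0.0"},
	  "locations":[{"physicalLocation":{"artifactLocation":{"uri":"rpc/server.go"},"region":{"startLine":17}}}]},
	 {"ruleId":"example.insecure-random","level":"warning","message":{"text":"math/rand used for peer id"},
	  "locations":[{"physicalLocation":{"artifactLocation":{"uri":"p2p/peer.go"},"region":{"startLine":42}}}]}]}]}`
	SampleCodeQL = `{"runs":[{"tool":{"driver":{"name":"CodeQL"}},"results":[
	 {"ruleId":"example/unbounded-alloc","level":"error","message":{"text":"length-prefixed allocation without bound"},
	  "locations":[{"physicalLocation":{"artifactLocation":{"uri":"rpc/decode.go"},"region":{"startLine":88}}}]}]}]}`
)

// Run parses both sample logs and reports what is new relative to seen.
func Run(seen map[string]bool) ([]Finding, error) {
	var all []Finding
	for _, raw := range []string{SampleSemgrep, SampleCodeQL} {
		fs, err := ParseSARIF([]byte(raw))
		if err != nil {
			return nil, err
		}
		all = append(all, fs...)
	}
	return NewFindings(all, seen), nil
}

func main() {
	seen := map[string]bool{} // in practice persisted between CI runs
	first, err := Run(seen)
	if err != nil {
		panic(err)
	}
	for _, f := range first {
		fmt.Printf("[%s] %s %s %s:%d %s\n", f.Severity, f.Tool, f.RuleID, f.Path, f.Line, f.Message)
	}
	again, _ := Run(seen)
	fmt.Println("new on re-run:", len(again))
}
```

Leaving the line number out of the fingerprint is a deliberate trade-off: it keeps the channel quiet when code above a finding shifts, at the cost of treating two identical findings in the same file as one.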
Manual Audits 🔨
Manual audits of stack components are another critical technique. These have covered essential shared dependencies (such as the BLS signature libraries), libp2p, new features introduced by hard forks (e.g., sync committees in Altair), deep dives into a single client implementation, and reviews of L2s and bridges.
Furthermore, when a vulnerability is reported through the Ethereum Bug Bounty Program, researchers check the issue against all clients to determine whether any of them are affected in the same way.
Third Party Audits 🧑‍🔧
From time to time, third-party firms are engaged to assess various components. These audits provide an external perspective on new clients, updated protocol specifications, upcoming network upgrades, or anything else judged to be high-value.
During a third-party audit, the client developers and our security researchers work alongside the auditors, briefing them on the system and supporting them throughout the engagement.
Fuzzing 🦾
Numerous fuzzing efforts are underway, led by our security researchers, client team members, and contributors across the ecosystem. Most of the tools are open source and run on dedicated infrastructure. The fuzzers target critical attack surfaces such as RPC handlers, state transitions, and fork-choice implementations, among others. A further effort is Nosy Neighbor, a CI-based tool that generates fuzz harnesses automatically from the AST, built on the Go parser library.
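The generator below is an added example in the spirit of AST-based harness generation, not Nosy Neighbor's actual code: it uses `go/parser` and `go/ast` to find exported functions that take a single `[]byte`, which is the shape most decoders and message handlers have, and emits a native `go test -fuzz` target for each. The candidate-selection rule, the constructed sample source, and its function names are this example's own assumptions.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// isByteSlice reports whether a parameter type is literally `[]byte`.
func isByteSlice(e ast.Expr) bool {
	arr, ok := e.(*ast.ArrayType)
	if !ok || arr.Len != nil {
		return false
	}
	id, ok := arr.Elt.(*ast.Ident)
	return ok && id.Name == "byte"
}

// resultCount counts the values a function returns, expanding grouped
// result names such as `(a, b int)`.
func resultCount(ft *ast.FuncType) int {
	if ft.Results == nil {
		return 0
	}
	n := 0
	for _, f := range ft.Results.List {
		if len(f.Names) == 0 {
			n++
		} else {
			n += len(f.Names)
		}
	}
	return n
}

// GenerateHarnesses parses one Go source file and returns the text of a
// _test.go file holding a native fuzz target for every exported,
// receiver-less function whose single parameter is []byte, plus the names
// of the functions it targeted.
func GenerateHarnesses(src string) (string, []string, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, "target.go", src, 0)
	if err != nil {
		return "", nil, err
	}
	var out strings.Builder
	var targets []string
	fmt.Fprintf(&out, "// Code generated by an AST-based harness generator; DO NOT EDIT.\npackage %s\n\nimport \"testing\"\n", file.Name.Name)
	for _, d := range file.Decls {
		fn, ok := d.(*ast.FuncDecl)
		if !ok || fn.Recv != nil || !fn.Name.IsExported() {
			continue
		}
		params := fn.Type.Params.List
		// One parameter field with at most one name: `func F(data []byte)` or `func F([]byte)`.
		if len(params) != 1 || len(params[0].Names) > 1 || !isByteSlice(params[0].Type) {
			continue
		}
		targets = append(targets, fn.Name.Name)
		call := fn.Name.Name + "(data)"
		if n := resultCount(fn.Type); n > 0 {
			// Discard every return value explicitly so the generated file compiles.
			call = strings.TrimSuffix(strings.Repeat("_, ", n), ", ") + " = " + call
		}
		// f.Add seeds the corpus; in practice seed with real encoded inputs too.
		fmt.Fprintf(&out, "\nfunc Fuzz%s(f *testing.F) {\n\tf.Add([]byte{})\n\tf.Fuzz(func(t *testing.T, data []byte) {\n\t\t%s\n\t})\n}\n", fn.Name.Name, call)
	}
	// Re-parse the generated file so a malformed harness fails here, not in CI.
	if _, err := parser.ParseFile(fset, "harness_test.go", out.String(), 0); err != nil {
		return "", nil, fmt.Errorf("generated harness does not parse: %w", err)
	}
	return out.String(), targets, nil
}

// SampleSource is a constructed input file (not code from any real client)
// covering the cases the generator accepts and skips.
const SampleSource = `package blocks

type Block struct{ Slot uint64 }

// DecodeBlock is the typical decoder shape: a good fuzz target.
func DecodeBlock(data []byte) (*Block, error) { return &Block{}, nil }

func Checksum(b []byte) uint32 { return 0 }

// Skipped: unexported.
func decodeHeader(b []byte) error { return nil }

// Skipped: parameter is not []byte.
func Encode(b *Block) []byte { return nil }

// Skipped: more than one parameter.
func Verify(sig, msg []byte) bool { return true }
`

func main() {
	code, targets, err := GenerateHarnesses(SampleSource)
	if err != nil {
		panic(err)
	}
	fmt.Println("targets:", targets)
	fmt.Print(code)
}
```

Because the generated file is re-parsed before it is written, a bug in the template surfaces in the generator's own tests rather than as a compile failure in the client's CI.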
Network level simulation and testing 🕸️
Our security researchers build and use tools to simulate, test, and attack managed network environments. These tools can quickly stand up local and external testnets ("attacknets") configured for the scenarios clients must withstand (e.g., DDoS, peer isolation, network degradation).
Attacknets provide an effective and safe setting in which to quickly evaluate ideas and attacks under controlled conditions. Private attacknets are not visible to potential adversaries and let us experiment without disrupting users of the public testnets. In these environments we routinely apply disruptive techniques such as pausing client threads and partitioning the network to widen the range of scenarios covered.
Client and Infrastructure Diversity Research 🔬
Client and infrastructure diversity has received significant attention from the community. Diversity matters for security because a consensus bug in a client running a large share of validators affects the whole network rather than a minority of it. We have tooling in place to observe diversity by client, operating system, and ISP, along with crawler statistics. We also analyze network participation rates, timing anomalies in attestations, and overall network health. This data is shared across numerous platforms to highlight potential risks.
Bug Bounty Program 🐛
The EF currently runs two bug bounty programs, one for the Execution Layer and one for the Consensus Layer. Security team members triage incoming reports, validate that they are accurate, assess their severity, and then cross-check the issue against the other clients. Recently, we published a disclosure of all previously reported vulnerabilities.
Soon, the two programs will be merged into one, the platform will be improved, and additional incentives will be offered to bounty hunters. Stay tuned for further updates!
Operational Security 🔒
Operational security covers numerous initiatives at the EF. For example, asset monitoring has been set up to continuously check infrastructure and domains for known vulnerabilities.
Ethereum Network Monitoring 🩺
A new Ethereum network monitoring system is under development. It works much like a SIEM: it listens to the Ethereum network and evaluates what it sees against pre-defined detection rules, and it also applies adaptive anomaly detection that flags unusual behaviour. Once in place, this framework will provide early warning of network disruptions that are underway or imminent.
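To make the distinction between a pre-defined rule and adaptive anomaly detection concrete, here is an added example in Go, not the EF's monitoring system: it watches a constructed per-epoch participation series with one fixed rule (below two thirds of validators attesting, the chain cannot finalize, which is a protocol property) and one adaptive rule (a drop that is statistically large against a rolling baseline, which fires long before the absolute threshold on a network that normally runs near 99%). The window size, z-score limit, standard-deviation floor, and the sample series are this example's own choices.

```go
package main

import (
	"fmt"
	"math"
)

// EpochStats is the per-epoch signal this example monitors: the share of
// active validators whose attestations were included on chain.
type EpochStats struct {
	Epoch         uint64
	Participation float64 // 0.0 to 1.0
}

// Alert is what a detection rule emits; Rule names the rule that fired.
type Alert struct {
	Epoch  uint64
	Rule   string
	Detail string
}

const (
	// The chain cannot finalize with less than two thirds of stake attesting.
	// This is a protocol property, not a tunable of the detector.
	finalityThreshold = 2.0 / 3.0
	// Parameters of the adaptive rule; values are this example's choice.
	baselineWindow = 8     // epochs of history used as the baseline
	zScoreLimit    = 3.0   // how far below baseline counts as anomalous
	minStdDev      = 0.005 // floor so a perfectly flat baseline does not alert on noise
)

// Detector evaluates one fixed rule and one adaptive rule per epoch.
type Detector struct {
	history []float64
}

// meanStd returns the mean and population standard deviation of xs.
func meanStd(xs []float64) (mean, sd float64) {
	for _, x := range xs {
		mean += x
	}
	mean /= float64(len(xs))
	for _, x := range xs {
		sd += (x - mean) * (x - mean)
	}
	return mean, math.Sqrt(sd / float64(len(xs)))
}

// Observe evaluates one epoch and returns any alerts it raised.
func (d *Detector) Observe(s EpochStats) []Alert {
	var alerts []Alert
	// Fixed rule: an absolute threshold with a known protocol meaning.
	if s.Participation < finalityThreshold {
		alerts = append(alerts, Alert{s.Epoch, "participation-below-finality-threshold",
			fmt.Sprintf("%.1f%% of validators attesting, finality at risk", s.Participation*100)})
	}
	// Adaptive rule: a drop that is large relative to the recent baseline.
	if len(d.history) >= baselineWindow {
		mean, sd := meanStd(d.history[len(d.history)-baselineWindow:])
		sd = math.Max(sd, minStdDev)
		if z := (mean - s.Participation) / sd; z > zScoreLimit {
			alerts = append(alerts, Alert{s.Epoch, "participation-drop-anomaly",
				fmt.Sprintf("%.1f%% vs baseline %.1f%% (z=%.1f)", s.Participation*100, mean*100, z)})
		}
	}
	// The anomalous epoch joins the baseline, so a sustained degradation becomes
	// the new normal for the adaptive rule; the fixed rule keeps firing regardless.
	d.history = append(d.history, s.Participation)
	return alerts
}

// RunSeries feeds a whole series through a fresh detector.
func RunSeries(series []EpochStats) []Alert {
	var d Detector
	var out []Alert
	for _, s := range series {
		out = append(out, d.Observe(s)...)
	}
	return out
}

// SampleEpochs is a constructed series (not real network data): a healthy
// network, then a partial outage, then a drop that threatens finality.
var SampleEpochs = []EpochStats{
	{1, 0.98}, {2, 0.97}, {3, 0.99}, {4, 0.98}, {5, 0.98}, {6, 0.97}, {7, 0.99}, {8, 0.98},
	{9, 0.90},  // e.g. a large operator or a single client implementation going offline
	{10, 0.60}, // below the two-thirds threshold: both rules fire
}

func main() {
	for _, a := range RunSeries(SampleEpochs) {
		fmt.Printf("epoch %d: %s: %s\n", a.Epoch, a.Rule, a.Detail)
	}
}
```

The two rules are complementary: the fixed rule never drifts but only fires once the damage is done, while the adaptive rule catches the early drop but would learn to accept a slow, sustained degradation.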
Threat Evaluation 🩻
Our team carried out a threat assessment centered on The Merge to identify areas where security can be improved. As part of this effort we collected and reviewed the client teams' practices around code review, infrastructure hardening, developer security, build security (DAST, SCA, and SAST integrated into CI, etc.), repository security, and more. The assessment also considered how to counter misinformation, how potential disasters might unfold, and how the community could recover in various scenarios. Related work on disaster recovery drills is also of note.
Ethereum Client Protection Group 🤝
Ahead of The Merge, we set up a security group made up of members of the client teams working on both the Execution Layer and the Consensus Layer. The group meets regularly to discuss security topics such as vulnerabilities, incidents, best practices, ongoing security work, and recommendations.
Incident Management 🚒
Blue team work helps bridge the gap between the Execution Layer and the Consensus Layer as The Merge approaches. Incident war rooms have worked well in the past, with the relevant people pulled into a discussion as an incident unfolded, but The Merge adds new complexity. Further work is under way to, for example, share tooling, build out debugging and triage capabilities, and write documentation.
Thank you and participate 💪
These represent some of the initiatives currently underway in different forms, and we are eager to share even more with you in the future!
If you believe you’ve discovered a security vulnerability or any bug, please submit a bug report to the execution layer or consensus layer bug bounty programs! 💜🦄