/protocol-security

Primary language: TypeScript. License: MIT.

Protocol Security Research

The Protocol Security Research team is one piece of the large puzzle that helps safeguard Ethereum’s integrity. It is a public good team funded by the Ethereum Foundation with ~10 people who each possess different areas of expertise and experience. Through coordination, meticulous code reviews, developing and utilizing advanced tooling, and running real-world simulations, we focus on securing the network and its critical components. Our hands-on approach includes managing the bug bounty program, continuously monitoring the network, and collaborating with client teams and many other teams in the ecosystem. We’re committed to helping identify and mitigate risks to the Ethereum network. The Protocol Security Research team is often not the most visible team in public, both because of the nature of what we work on and because we primarily try to help empower people in the ecosystem.

Coordination & Collaboration

We spend time coordinating and collaborating with many parts of the ecosystem in order to further help keep Ethereum safe. Some of the things we do are:

  • Vulnerability coordination and collaboration with L2s, L1s, critical dependencies and more for security issues
  • Protocol Security call series
  • Coordination and collaboration with external security auditors for protocol related audits
  • Security coordination and collaboration with client teams and critical dependencies
  • Coordination and collaboration with researchers from the Ethereum ecosystem, Academia and Security
  • Collaboration with teams such as Devops and Testing
  • On-going collaboration and support for grantees
  • Support public good projects related to security
  • Writing the "Secured" series on the EF Blog

Bug Bounty Program

The Protocol Security Research team manages the Ethereum Foundation Bug Bounty Program. We receive reports, triage, provide input, pay bounty rewards and coordinate public disclosures. The bug bounty program covers the Protocol, Clients, the Solidity compiler and more.

We also keep a public repository of past results.

Grants

We feel that providing resources and funding to security grants is impactful and valuable to the ecosystem. In our opinion, providing funding is often critical; however, we also provide our own time as a resource in order to further help projects be successful. Some of the grants we work on are:

Fuzzing

There is a finite amount of time for manual audits, so we build, maintain and use fuzzers to increase the likelihood of finding vulnerabilities. Many severe vulnerabilities have been found by these fuzzers, and then patched by client teams before they could be found and exploited by a malicious actor.

  • Execution Layer
  • Consensus Layer
    • Nosy
    • Private fuzzers
  • Solidity Compiler
    • Private fuzzers
  • Network Layer (devp2p (discv4, discv5, ENR, RLP, ...), libp2p)
    • Private fuzzers
  • JSON-RPC
    • Private fuzzer
  • Account Abstraction
    • Private fuzzer
  • Full Stack
  • Cryptographic libraries
  • Critical Dependencies
    • Private fuzzers

Manual Reviews

We spend a lot of time manually reviewing specifications, clients and critical dependencies. Upcoming changes for hardforks are continually reviewed and prioritized.

Research

Many hours are spent on security research related to the Ethereum ecosystem. As some of this research could potentially pose a threat, the specific research results may often not end up as public research; instead, the outcome of the research is used to help further secure the Ethereum ecosystem through improvements. A few examples of research topics are:

  • Client Diversity
  • /dev/random Diversity
  • ZK security research
  • Threat Analysis
  • Risk Assessments
  • L2s
  • Cryptography