In the past year, the Ethereum Foundation has significantly expanded its team of dedicated security researchers and engineers. These team members come from various backgrounds such as cryptography, security architecture, risk management, exploit development, and experience in red and blue teams. They have worked on securing a wide range of systems, including internet services, national healthcare systems, and central banks.
As The Merge approaches, the team is focused on analyzing, auditing, and researching the Consensus Layer and The Merge itself. Here are some examples of the work being done:
Client Implementation Audits 🛡️
The team conducts audits on various client implementations using a variety of tools and techniques.
Automated Scans 🤖
Automated scans using tools like CodeQL, semgrep, ErrorProne, and Nosy are performed to identify low-hanging-fruit vulnerabilities, vulnerable dependencies, and areas for code improvement. These scans cover the codebases and container images for the different languages used in the clients. Reports from all tools are collected and analyzed through one interconnected system, allowing potential issues to be identified and resolved quickly, before they can be exploited.
Manual Audits 🔨
Manual audits are conducted on critical shared dependencies, new functionality in hardforks, specific client implementations, and L2s and bridges. Vulnerabilities reported through the Ethereum Bug Bounty Program are also cross-checked against all clients.
Third Party Audits 🧑‍🔧
Third party firms are occasionally engaged to audit various components such as new clients, updated protocol specifications, upcoming network upgrades, and other high-value areas. During these audits, the auditors collaborate with software developers and the Ethereum security team.
Fuzzing
Ongoing fuzzing efforts are led by the security researchers, client teams, and contributors. Open source fuzzing tooling is used to target critical attack surfaces such as RPC handlers, state transition, and fork-choice implementations.
Network level simulation and testing 🕸️
Tools are developed to simulate, test, and attack controlled network environments. These tools allow for quick testing of exotic scenarios that clients must be hardened against, such as DDoS, peer segregation, and network degradation. Private attacknets provide a safe environment for testing different ideas and attacks without disrupting the public testnets.
Client and Infrastructure Diversity Research 🔬
Diversity in client and infrastructure is closely monitored using tools that track client, OS, ISP, and crawler statistics. Network participation rates, attestation timing anomalies, and general network health are also analyzed to identify potential risks.
Bug Bounty Program 🐛
The Ethereum Foundation hosts two bug bounty programs, one targeting the Execution Layer and one targeting the Consensus Layer. The security team verifies and cross-checks incoming vulnerability reports and publishes disclosures of previously reported vulnerabilities. The two programs will soon be merged into one with an improved platform and increased rewards.
Operational Security 🔒
Operational security efforts include asset monitoring of infrastructure and domains for known vulnerabilities.
Ethereum Network Monitoring 🩺
A new Ethereum network monitoring system is being developed that listens to the Ethereum network and applies detection rules and anomaly detection to what it observes. This system will provide early warnings about network disruptions.
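As an added illustration of the kind of detection rules mentioned above and of the participation, attestation-timing and client-diversity checks described under Client and Infrastructure Diversity Research, the script below runs three simple rules over a small constructed set of attestation observations. It is example code written for this post, not the Foundation's monitoring system, and the data, the `Attestation` record layout, the 4 s lateness threshold, the 90% participation floor and the client names are all assumptions; the two-thirds supermajority limit reflects the well-known risk that a single client with more than two thirds of validators could finalize a faulty chain on its own.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import median

SLOT_MS = 12_000
# Attestations are expected within the first third of a slot (4 s); later
# arrivals usually point at propagation or client trouble (assumed threshold).
LATE_THRESHOLD_MS = SLOT_MS // 3
SUPERMAJORITY = 2 / 3  # a client above this share can finalize on its own


@dataclass(frozen=True)
class Attestation:
    slot: int
    validator: int
    client: str      # client name as reported by a crawler (constructed)
    delay_ms: int    # arrival delay measured from the start of the slot


def build_sample():
    """Constructed sample: 3 slots, 10 validators. Slot 101 is missing two
    attestations, slot 102 arrives late, and validators 0-6 run 'client-a'."""
    atts = []
    for slot in (100, 101, 102):
        for v in range(10):
            if slot == 101 and v >= 8:
                continue  # two validators miss slot 101
            base = 5000 if slot == 102 else 1000
            client = "client-a" if v < 7 else "client-b"
            atts.append(Attestation(slot, v, client, base + 100 * v))
    return atts


def late_slots(atts, threshold_ms=LATE_THRESHOLD_MS):
    """Slots whose median attestation arrival delay exceeds the threshold."""
    by_slot = defaultdict(list)
    for a in atts:
        by_slot[a.slot].append(a.delay_ms)
    return {s: median(d) for s, d in by_slot.items() if median(d) > threshold_ms}


def participation(atts, expected_validators):
    """Fraction of expected validators that attested in each slot."""
    by_slot = defaultdict(set)
    for a in atts:
        by_slot[a.slot].add(a.validator)
    return {s: len(v) / expected_validators for s, v in by_slot.items()}


def client_shares(atts):
    """Share of distinct validators per client (last observed client wins)."""
    seen = {}
    for a in atts:
        seen[a.validator] = a.client
    counts = Counter(seen.values())
    total = sum(counts.values())
    return {c: n / total for c, n in counts.items()}


def supermajority_clients(shares, limit=SUPERMAJORITY):
    """Clients whose validator share exceeds the supermajority limit."""
    return sorted(c for c, s in shares.items() if s > limit)


def run_rules(atts, expected_validators, min_participation=0.9):
    """Evaluate all rules and return one human-readable alert per finding."""
    alerts = []
    for s, m in sorted(late_slots(atts).items()):
        alerts.append(f"slot {s}: median attestation delay {m:.0f} ms")
    for s, r in sorted(participation(atts, expected_validators).items()):
        if r < min_participation:
            alerts.append(f"slot {s}: participation {r:.0%}")
    for c in supermajority_clients(client_shares(atts)):
        alerts.append(f"client {c}: supermajority share, diversity risk")
    return alerts


if __name__ == "__main__":
    for line in run_rules(build_sample(), expected_validators=10):
        print(line)
```

Running it prints three alerts: the late slot 102, the 80% participation in slot 101, and the supermajority held by client-a. A real deployment would feed these rules from a gossip listener and a crawler rather than a constructed list, and would alert on sustained conditions across several slots rather than a single one.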
Threat Analysis
A threat analysis focused on The Merge is being conducted to identify areas where security can be improved. This includes auditing security practices, preventing misinformation, preparing for potential disasters, and planning for disaster recovery.
Ethereum Client Security Group 🤝
A security group consisting of members from the client teams has been formed to discuss security matters, vulnerabilities, incidents, best practices, and ongoing security work.
Incident Response 🚒
Efforts are made to improve incident response as The Merge approaches. This includes tools for sharing, debugging, and triaging incidents, as well as creating documentation.
Thank you and get involved 💪
These are some of the ongoing efforts in the Ethereum security ecosystem. If you have discovered a security vulnerability or bug, please submit a bug report to the bug bounty programs for the Execution Layer or the Consensus Layer!