Over the past year, the Ethereum Foundation has greatly increased the number of security engineers and researchers it employs. Coming from a wide variety of backgrounds, such as security architecture, cryptography, and exploit development, these members have worked on securing services that we all rely on every day, from national health systems to central banks.
As The Merge approaches, the team has invested heavily in analyzing, auditing, and investigating the consensus layer in various ways. Below is a sample of the work.
Client Implementation Audits 🛡️
Team members audit the various client implementations using a variety of techniques and tools.
Automated Scans 🤖
Automated codebase scans are designed to identify weaknesses in code (and potential vulnerabilities) and areas that can be improved. CodeQL, semgrep, ErrorProne, and Nosy are just a few of the tools that can be used for static analysis.
Since the clients are written in different languages, we use both generic and language-specific scanners on codebases and container images. The scan results feed into a system that analyzes and reports new findings from all relevant tools, so that reports on potential vulnerabilities can be generated quickly and the issues fixed before they are exploited.
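The aggregation step described above is the part most teams end up building themselves: each scanner emits its own report, and a reviewer only wants to see what is new since the last triage. The following Go program is an added illustration of that idea, not code from the Ethereum Foundation or from any of the scanners named. It reads the small subset of the SARIF 2.1.0 format that CodeQL and semgrep both emit, normalises every result into a common record, fingerprints each record by tool, rule and file, and prints only the fingerprints absent from a baseline. The SARIF documents, rule ids and the baseline entry are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Finding is the tool-independent record that every scanner result is normalised to.
type Finding struct {
	Tool, RuleID, File, Message string
	Line                        int
}

// sarifDoc mirrors the subset of the SARIF 2.1.0 schema this example reads.
// encoding/json matches keys case-insensitively, so "ruleId" fills RuleID, "uri" fills URI, etc.
type sarifDoc struct {
	Runs []struct {
		Tool    struct{ Driver struct{ Name string } }
		Results []struct {
			RuleID    string
			Message   struct{ Text string }
			Locations []struct {
				PhysicalLocation struct {
					ArtifactLocation struct{ URI string }
					Region           struct{ StartLine int }
				}
			}
		}
	}
}

// ParseSARIF flattens one SARIF document into Findings, one per result location.
func ParseSARIF(data []byte) ([]Finding, error) {
	var doc sarifDoc
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, fmt.Errorf("parse sarif: %w", err)
	}
	var out []Finding
	for _, run := range doc.Runs {
		for _, r := range run.Results {
			for _, loc := range r.Locations {
				pl := loc.PhysicalLocation
				out = append(out, Finding{
					Tool: run.Tool.Driver.Name, RuleID: r.RuleID, Message: r.Message.Text,
					File: pl.ArtifactLocation.URI, Line: pl.Region.StartLine,
				})
			}
		}
	}
	return out, nil
}

// Fingerprint identifies a finding by tool, rule and file but not by line, so that
// unrelated edits that shift code up or down do not resurface an already-triaged issue.
func Fingerprint(f Finding) string {
	sum := sha256.Sum256([]byte(f.Tool + "\x00" + f.RuleID + "\x00" + f.File))
	return hex.EncodeToString(sum[:8])
}

// NewFindings returns the findings whose fingerprint is not in the baseline,
// deduplicated and ordered by file, line and tool for a stable report.
func NewFindings(all []Finding, baseline map[string]bool) []Finding {
	seen := map[string]bool{}
	var fresh []Finding
	for _, f := range all {
		fp := Fingerprint(f)
		if baseline[fp] || seen[fp] {
			continue
		}
		seen[fp] = true
		fresh = append(fresh, f)
	}
	sort.Slice(fresh, func(i, j int) bool {
		a, b := fresh[i], fresh[j]
		if a.File != b.File {
			return a.File < b.File
		}
		if a.Line != b.Line {
			return a.Line < b.Line
		}
		return a.Tool < b.Tool
	})
	return fresh
}

// Constructed scanner output in SARIF form; tool names are real, rule ids and findings are invented.
const sampleCodeQL = `{"runs":[{"tool":{"driver":{"name":"CodeQL"}},"results":[
 {"ruleId":"example/unchecked-length","message":{"text":"length used before bounds check"},
  "locations":[{"physicalLocation":{"artifactLocation":{"uri":"rpc/handler.go"},"region":{"startLine":42}}},
               {"physicalLocation":{"artifactLocation":{"uri":"rpc/handler.go"},"region":{"startLine":57}}}]},
 {"ruleId":"example/unsafe-pointer","message":{"text":"unsafe.Pointer conversion"},
  "locations":[{"physicalLocation":{"artifactLocation":{"uri":"state/transition.go"},"region":{"startLine":10}}}]}]}]}`

const sampleSemgrep = `{"runs":[{"tool":{"driver":{"name":"semgrep"}},"results":[
 {"ruleId":"example/missing-peer-limit","message":{"text":"inbound peers not capped"},
  "locations":[{"physicalLocation":{"artifactLocation":{"uri":"p2p/gossip.go"},"region":{"startLine":88}}}]}]}]}`

// Constructed baseline: the unsafe-pointer finding was triaged in an earlier run.
var Baseline = map[string]bool{
	Fingerprint(Finding{Tool: "CodeQL", RuleID: "example/unsafe-pointer", File: "state/transition.go"}): true,
}

// Report parses every tool's output, merges it and returns only the findings not yet triaged.
func Report() ([]Finding, error) {
	var all []Finding
	for _, raw := range []string{sampleCodeQL, sampleSemgrep} {
		fs, err := ParseSARIF([]byte(raw))
		if err != nil {
			return nil, err
		}
		all = append(all, fs...)
	}
	return NewFindings(all, Baseline), nil
}

func main() {
	fresh, err := Report()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range fresh {
		fmt.Printf("NEW %s %-8s %s:%d %s\n", Fingerprint(f), f.Tool, f.File, f.Line, f.Message)
	}
}
```

The coarse fingerprint is a deliberate trade-off: it keeps a single triage decision valid across refactors, at the cost of collapsing several hits of the same rule in one file into one report line. Where a tool supplies SARIF `partialFingerprints`, those are the better key, since they are derived from the flagged code itself rather than from its position.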
Manual Audits 🔨
Manual audits of stack components are another important technique. Efforts include auditing critical shared dependencies such as BLS and libp2p, as well as new functionality introduced by hardforks. Audits of a specific client implementation, and of L2s and bridges, are also conducted.
When vulnerabilities are reported through the Ethereum Bug Bounty Program, client issues are cross-referenced to determine whether any other clients are affected by the reported problem.
Third-Party Auditors 🧑‍🔧
Sometimes third-party firms are engaged to audit components. Third-party audits are used to gain an outside perspective on, for example, new clients, updated protocol specifications, and upcoming network upgrades, as well as anything else that may be valuable.
During third-party audits, our team's security researchers and software developers work with the auditors, educating and supporting them throughout.
Fuzzing 🦾
Our security researchers, client team members, and other members of the community carry out ongoing fuzzing activities. Most of these tools are open source and run on dedicated infrastructure. Fuzzers target critical attack surfaces such as RPC handlers and the state transition and fork choice implementations. Additional efforts include Nosy Neighbor (AST-based automated fuzz harness generation), which is built on CI and the Go parser library.
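To make "AST-based automated fuzz harness generation" concrete, here is an added Go example of the core of such a tool, written for this page and not taken from Nosy Neighbor or any client. It uses the standard `go/parser` and `go/ast` packages to find exported functions that take a single `[]byte` argument (the shape a mutation fuzzer can drive directly) and emits a native `go test -fuzz` target for each one. The `wire` package it parses is a constructed sample; the `Candidate`, `FindFuzzCandidates` and `GenerateHarness` names are this example's own.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Candidate is an exported, receiver-less function whose only parameter is a []byte:
// the shape a coverage-guided fuzzer can drive directly with mutated input.
type Candidate struct {
	Name       string
	NumResults int // how many values the call returns, so the harness can discard them
}

// isByteSlice reports whether a parameter type expression is exactly []byte.
func isByteSlice(e ast.Expr) bool {
	arr, ok := e.(*ast.ArrayType)
	if !ok || arr.Len != nil { // a non-nil Len means a fixed-size array, not a slice
		return false
	}
	id, ok := arr.Elt.(*ast.Ident)
	return ok && id.Name == "byte"
}

// FindFuzzCandidates parses one Go source file and lists the functions worth harnessing.
func FindFuzzCandidates(src string) ([]Candidate, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, fmt.Errorf("parse: %w", err)
	}
	var out []Candidate
	for _, d := range file.Decls {
		fn, ok := d.(*ast.FuncDecl)
		if !ok || fn.Recv != nil || !fn.Name.IsExported() {
			continue // skip methods and unexported helpers
		}
		params := fn.Type.Params.List
		if len(params) != 1 || len(params[0].Names) > 1 || !isByteSlice(params[0].Type) {
			continue // must take exactly one []byte argument
		}
		c := Candidate{Name: fn.Name.Name}
		if fn.Type.Results != nil {
			for _, r := range fn.Type.Results.List {
				if n := len(r.Names); n > 0 {
					c.NumResults += n // named results: one field may declare several
				} else {
					c.NumResults++
				}
			}
		}
		out = append(out, c)
	}
	return out, nil
}

// GenerateHarness emits a native Go fuzz target for one candidate. The fuzz engine
// reports any panic; a returned error is the expected response to malformed input
// and is deliberately discarded.
func GenerateHarness(pkg string, c Candidate) string {
	var b strings.Builder
	fmt.Fprintf(&b, "package %s\n\nimport \"testing\"\n\n", pkg)
	fmt.Fprintf(&b, "func Fuzz%s(f *testing.F) {\n", c.Name)
	b.WriteString("\tf.Add([]byte{})           // seed corpus: the empty input\n")
	b.WriteString("\tf.Add([]byte{0x00, 0xff}) // seed corpus: a short non-empty input\n")
	b.WriteString("\tf.Fuzz(func(t *testing.T, data []byte) {\n")
	call := c.Name + "(data)"
	if c.NumResults > 0 {
		call = strings.Repeat("_, ", c.NumResults-1) + "_ = " + call
	}
	fmt.Fprintf(&b, "\t\t%s\n\t})\n}\n", call)
	return b.String()
}

// Constructed sample of a wire-format package as the generator would see it.
const sampleSource = `package wire

type Msg struct{ Body []byte }

func Decode(b []byte) (*Msg, error) { return &Msg{Body: b}, nil }
func Hash(b []byte) [32]byte        { var h [32]byte; copy(h[:], b); return h }
func Add(a, b int) int              { return a + b }
func (m *Msg) Encode() []byte       { return m.Body }
`

func main() {
	cands, err := FindFuzzCandidates(sampleSource)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, c := range cands {
		fmt.Print(GenerateHarness("wire", c))
	}
}
```

Run against the sample, the generator selects `Decode` and `Hash` and skips `Add` (wrong parameter shape) and `Encode` (a method). A production tool would additionally walk every package in the module, place each harness in a `_test.go` file next to the code it exercises, and run the targets in CI so that a panic on a mutated input becomes a failing build rather than a bug found by a peer on the network.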
Network-level Tests and Evaluations 🕸️
Security researchers on our team use tools to simulate, test, and attack controlled network environments. These tools allow testnets, both local and external ("attacknets"), to be spun up quickly in different configurations to test exotic scenarios that clients need to be protected against (e.g. DDoS, peer segregation, network degradation).