The Protocol Security Research team is one piece of the large puzzle that helps safeguard Ethereum’s integrity. It is a public good team funded by the Ethereum Foundation with ~10 people who each possess different areas of expertise and experience. Through coordination, meticulous code reviews, developing and utilizing advanced tooling, and running real-world simulations, our focus is on securing the network and its critical components. Our hands-on approach includes managing the bug bounty program, continuously monitoring the network, and collaborating with client teams and many other teams in the ecosystem. We’re committed to identifying and mitigating risks to Ethereum network. The Protocol Security Research team is often not the most visible team in public, both due to the nature of what we work on, but also as we primarily try to help empower people in the ecosystem.
We spend time coordinating and collaborating with many parts of the ecosystem in order to further help keep Ethereum safe. Some of the things we do are:
- Vulnerability coordination and collaboration with L2s, L1s, critical dependencies and more for security issues
- Protocol Security call series
- Coordination and collaboration with external security auditors for protocol related audits
- Security coordination and collaboration with client teams and critical dependencies
- Coordination and collaboration with researchers from the Ethereum ecosystem, academia and security
- Collaboration with teams such as EF Devops and EF Testing
- Ongoing collaboration and support for grantees
- Support public good projects related to security
- Writing the "Secured" series on the EF Blog
- Host security challenges such as the Ethereum Protocol Attackathon
The Protocol Security Research team manages the Ethereum Foundation Bug Bounty Program. We receive reports, triage, provide input, pay bounty rewards and coordinate public disclosures. The bug bounty program covers Ethereum specifications, Ethereum clients, the Solidity compiler and more.
We also keep a public repository of past results
We feel that providing resources and funding to security grants is impactful and valuable to the ecosystem. In our opinion, providing funding is often critical, however we also provide our own time as a resource in order to further help projects be successful. Some of the grants we work on are:
- Provide and support Academic Grants through funding and resources
- We support the Ethereum Protocol Fellowship by providing resources
- We provide resources for the Devcon(nect) Scholars
- We provide funding and resources for General Security Grants
- Grants for various security efforts, such as The Red Guild, Security Alliance, or fuzzers created by external people such as Guido Vranken
There is a finite amount of time for manual audits, so we build, maintain and use fuzzers to increase the likelihood of finding vulnerabilities. Many severe vulnerabilities have been found by these fuzzers, and then patched by client teams before they could be found and exploited by a malicious actor.
- Execution Layer
- goevmlab
- tx-fuzz
- FuzzyVM
- merge-fuzz
- Nosy
- Various cryptography & EVM fuzzers
- Private fuzzers
- Consensus Layer
- Nosy
- Private fuzzers
- Solidity Compiler
- Private fuzzers
- Network Layer (devp2p (discv4, discv5, ENR, RLP, ...), libp2p)
- Private fuzzers
- JSON-RPC
- Private fuzzer
- Account Abstraction
- Private fuzzer
- Full Stack
- Attacknet (built from grant)
- Antithesis (service provider)
- Cryptographic libraries
- Critical Dependencies
- Private Fuzzers
We spend a lot of time manually reviewing specifications, clients and critical dependencies. Upcoming changes for hardforks are always being continually reviewed and prioritized.
- Specifications (EL / CL)
- Clients
- Network libraries
- Hardforks
- CL / EL side
- EIPs
- EOF
- 4444
- PeerDAS
- 7702 (txpool)
- ...
- Critical Dependencies
- Static Analysis
- Cryptographic libraries
Many hours are spent on security research related to the Ethereum ecosystem. As a some of this research could potentially pose a threat, the specific research results may often not end up as public research, but the outcome of the research is rather used to help further secure the Ethereum ecosystem through improvements. A few examples of research topics are:
- Client Diversity
- /dev/random Diversity
- ZK security research
- Threat Analysis
- Risk Assessments
- L2s
- Cryptography