Skip to content

ethereum/protocol-security

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 

Repository files navigation

Protocol Security Research Team

logo

The Protocol Security Research team is one piece of the large puzzle that helps safeguard Ethereum’s integrity. It is a public good team funded by the Ethereum Foundation with ~10 people who each possess different areas of expertise and experience. Through coordination, meticulous code reviews, developing and utilizing advanced tooling, and running real-world simulations, our focus is on securing the network and its critical components. Our hands-on approach includes managing the bug bounty program, continuously monitoring the network, and collaborating with client teams and many other teams in the ecosystem. We’re committed to identifying and mitigating risks to Ethereum network. The Protocol Security Research team is often not the most visible team in public, both due to the nature of what we work on, but also as we primarily try to help empower people in the ecosystem.

Coordination & Collaboration

We spend time coordinating and collaborating with many parts of the ecosystem in order to further help keep Ethereum safe. Some of the things we do are:

  • Vulnerability coordination and collaboration with L2s, L1s, critical dependencies and more for security issues
  • Protocol Security call series
  • Coordination and collaboration with external security auditors for protocol related audits
  • Security coordination and collaboration with client teams and critical dependencies
  • Coordination and collaboration with researchers from the Ethereum ecosystem, academia and security
  • Collaboration with teams such as EF Devops and EF Testing
  • Ongoing collaboration and support for grantees
  • Support public good projects related to security
  • Writing the "Secured" series on the EF Blog
  • Host security challenges such as the Ethereum Protocol Attackathon

Bug Bounty Program

The Protocol Security Research team manages the Ethereum Foundation Bug Bounty Program. We receive reports, triage, provide input, pay bounty rewards and coordinate public disclosures. The bug bounty program covers Ethereum specifications, Ethereum clients, the Solidity compiler and more.

We also keep a public repository of past results

Grants

We feel that providing resources and funding to security grants is impactful and valuable to the ecosystem. In our opinion, providing funding is often critical, however we also provide our own time as a resource in order to further help projects be successful. Some of the grants we work on are:

Fuzzing

There is a finite amount of time for manual audits, so we build, maintain and use fuzzers to increase the likelihood of finding vulnerabilities. Many severe vulnerabilities have been found by these fuzzers, and then patched by client teams before they could be found and exploited by a malicious actor.

  • Execution Layer
  • Consensus Layer
    • Nosy
    • Private fuzzers
  • Solidity Compiler
    • Private fuzzers
  • Network Layer (devp2p (discv4, discv5, ENR, RLP, ...), libp2p)
    • Private fuzzers
  • JSON-RPC
    • Private fuzzer
  • Account Abstraction
    • Private fuzzer
  • Full Stack
  • Cryptographic libraries
  • Critical Dependencies
    • Private Fuzzers

Manual Reviews

We spend a lot of time manually reviewing specifications, clients and critical dependencies. Upcoming changes for hardforks are always being continually reviewed and prioritized.

Research

Many hours are spent on security research related to the Ethereum ecosystem. As a some of this research could potentially pose a threat, the specific research results may often not end up as public research, but the outcome of the research is rather used to help further secure the Ethereum ecosystem through improvements. A few examples of research topics are:

  • Client Diversity
  • /dev/random Diversity
  • ZK security research
  • Threat Analysis
  • Risk Assessments
  • L2s
  • Cryptography

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published