Least Authority audited ETH 2.0’s during January at the request of the Ethereum Foundation. The firm worked alongside the Foundation throughout the process and compiled the final version of the report on March 6.
Ethereum Foundation commissions Least Authority to audit ETH 2.0
The security firm reviewed the core ETH 2.0 specs for phase 0, the Beacon Chain specs, and Beacon Chain Fork Choice documents, peer-to-peer (P2P) networking documentation, the Honest Validator specifications, and the documentation for the Go Implementation of ETH 2.0.
The report notes that while specific aspects of ETH 2.0’s design can be reviewed, “the collective system may not behave as intended.”
Report highlights risks to block proposers
While the report found the ETH 2.0 specs to be “very well thought out and comprehensive,” noting that “security had been a strong consideration during the design phase,” Least Authority highlights concerns regarding the P2P layer and risks to block proposers.
The researchers assert that the network specifications make it a fairly easy task for block validators to establish the IP addresses of other validators.
With the documentation implying block proposers are public knowledge, the firm is concerned that an attacker may seek to strategically execute denial-of-service (DDoS) attacks.
The report also warns that an attacker could wield a large volume of nodes to launch a targeted attack on block proposers.
Least Authority notes concerns regarding P2P networking protocol
The security firm asserts that the documentation surrounding ETH 2.0’s P2P and Ethereum node records (ENR) systems is lacking, emphasizing that they were “unable to conclude how the P2P system incorporates the ENR system.”
A “spam problem” is also identified in the protocol’s P2P messaging system. The report warns that the absence of a centralized entity overseeing nodes’ actions opens up the possibility of a dishonest node attempting to overwhelm the network with an unlimited number of old block messages while incurring little penalty.
“This type of attack would slow down or potentially halt network processing for the duration it was carried out,” the findings conclude.
The report also highlights concerns regarding “misaligned gossip incentives” and the lack of “BAR-resilient gossip protocol,” and urges the Ethereum foundation to seek regular peer reviews of its code.
Of the 10 issues identified in the firm’s final report, two have since been resolved, and one has been determined to have been an invalid issue.
Security vulnerability identified among Ethereum Dapp wallets
On March 23, crypto wallet provider ZenGO announced it had built a testnet to highlight a major security flaw pervading decentralized applications (Dapp) wallets — urging wallet providers to make users aware of the vulnerability.
ZenGo’s testnet demonstrates how through authorizing a single transaction between a user’s wallet and a Dapp’s smart contract grants the application authorization to access all funds held within that wallet.