Security & Code audits

[lehnberg]

This is a work in progress. Feedback / suggestions etc please provide in the comment field and I will update.

---

Introduction

As per 2.2 of Sep 25 Governance meeting, it is desired that Grin undergoes thorough audits by third parties external to the project. The functionality of the protocol and applied cryptography should be reviewed, as well as the actual code of the implementation. Both academic or publicly funded researchers and institutions should be invited to participate, as well as private contractors.

Status as of Oct 19 2018

• @Catheryne has taken the lead and is reaching out to potential auditors to enquire about interest and to obtain time/fee estimates (see below section).
• Next scheduled discussion of topic is the Oct 23 Governance meeting @ 15:00 UTC.
• Current open points:
  • How to engage auditors for the services agreement (contract), scope of work (SoW), and for invoicing (payment), particularly how to pay if they do NOT accept crypto. Because Grin does not have an entity / legal structure, these things are a bit of a challenge. Using a non-profit such as OSTIF as an intermediary is a potential solution, @Catheryne is investigating.
  • Fundraising for security audit, which currently has not raised any significant amounts.

Potential auditors and status

Firms

Name	Accepts crypto?	Requires legal entity to contract?	Quote	Description
NCC	No	Yes		Notable projects are ZCash on CTs, Ripple, Google. https://medium.com/ontologynetwork/ontology-uses-cryptography-experts-ncc-group-to-review-blockchain-infrastructure-bb1fca1d8887 https://blog.z.cash/2018-zcash-security-audit-details/ https://www.nccgroup.trust/us/our-research/zcash-cryptography-and-code-review/
Kudelski	Yes, but at a premium.			Did audit of bulletproofs for Monero w/Quarkslab.
Quarkslab	Waiting to hear back		~30 days @ $1650/day ($49.5k)	Did audit of bulletproofs for Monero w/Kudelsiki. https://blog.quarkslab.com/category/cryptography.html
x-41-dsec	No	They recommended working with OSTIF as an intermediary organization, we're being intro'd.	Scoping to provide an estimate.	Recently completed an audit of theQRL (Quantum Resistant Ledger).
Coinspect	Yes		~320 hours @$250 ($80k) for entire code base + cryptolib
TrailofBits
Least Authority
Commonwealth Crypto

Individuals

Name	Institution	Area	Status
Dan Boneh	Stanford	Bulletproofs	Does not have time to help
@bbuenz	Stanford	Bulletproofs	would like to limit the scope to the implementation of Bulletproofs (using the libsecp library)
@cathieyun	Interstellar, formally Chain	Bulletproofs	would like to limit the scope to the implementation of Bulletproofs (using the libsecp library)
Neha Narula	MIT	Audit best practices	circulating it with her team to see who and what they might be able to help with
Mary Maller	University College London	if her work on zk-SNARKs would translate to helping audit Grin	Replied she's not a developer and does not feel she has the skillset for audits.
Andrew Miller	U of Illinois UC	Dandelion	Too busy
**Shailesh Bojja Venkatakrishnan	U of Illinois UC	Dandelion	not too familiar with the actual code, so can't help
@gfanti	Carnegie Mellon	Dandelion	Too busy, won't be able to help
@EthanHeilman			Replied that he does like to do audits but no time these days.

Brief

When is the code estimated to be available for audit?

Current wide range is 2 weeks (aggressive) to 3 months (with lots of time).

What is the deadline for audits to be completed?

What parts of the project should be audited?

Current thinking: At least entire repo + supporting secp256k1 libs. Potentially base the audit based off of a branch of T4.

Are there any particular aspects to focus on?

For example DDoS, consensus, hidden inflation, privacy leaks, etc.

What's the deliverable?

How should the auditors present their findings?

What's the work process?

Perhaps developers doing an initial brief to auditors and hosting Q&As / walkthroughs?
Are the auditors providing progress updates?

How is the effort funded?

Crowd-fund campaign? Auditors paid in crypto? We raise a lump-sum, or break down audits to granular level? etc.

[Catheryne]

These are the folks from various universities whom I have contacted to date, for what, and status/comments on each:

1. Dan Boneh (Stanford) for bulletproofs - he does not have time to help but did recommended @bbuenz and suggested NCC & TrailofBits. I contacted Benedikt, who said he was very busy and also didn't feel like he was the best person for the job.
2. Neha Narula (MIT) for audit best practices. @Nerula replied that she's circulating it with her team to see who and what they might be able to help with
3. Mary Maller (University College London) to see if her work on zk-SNARKs would translate to helping audit Grin. She replied she's not a developer and does not feel she has the skillset for audits.
4. Andrew Miller (U of Illinois UC), Shailesh Bojja Venkatakrishnan (same univ), and Guilia Fanti (Carnegie Mellon) for Dandelion relay audit. Andrew replied he's jammed and recommended @EthanHeilman. I have not heard back from @gfanti or Shailesh despite multiple pings and so I assume they are not interested.
5. @EthanHeilman. He replied that he does like to do audits but no time these days.

I also contacted these companies: TrailofBits, Kudelski Security, NCC Group, Coinspect. The only two I have heard back from are NCC and Coinspect:

1. NCC. I was able to speak with them to talk about the work they've done and what our expectations are. They will be providing us a SOW (scope of work) with a time estimate and cost breakdown. They sent me various links of work they have done the past: notable projects are ZCash on CTs, Ripple, Google. They will back to me if they can take $ in crypto.
2. Coinspect. We've traded emails answering various questions. They sent me an estimate of ~320 hours @$250 ($80k) to do the entire code base + cryptolib. If we can prioritize or narrow the scope, it would be helpful. They do accept crypto.

Also, because this audit will likely cost a fair penny, I've been socializing it with investors to see if there's interest in donating. I think it would be a good example for investors, especially those in the crypto space, to donate to open-source projects which not only help their portfolio companies but protect their investments.

[Catheryne]

We need to figure out:

• How to engage the firm(s) for the master services agreement (contract), scope of work (SoW), and for invoicing (payment), particularly how to pay if they do NOT accept crypto. Because Grin does not have an entity / legal structure, these things are a bit of a challenge. I'm trying to reach the non-profit OSTIF to see if they can help with both.
• Fundraising for security audit. I have a few ideas that I'll propose at the next 10/23 governance meeting to see what the group thinks would work.

Update on audit firms:
I've added info and a few links from the work various firms have done to help in evaluating which firm(s) to choose. I don't have all the info/estimates from everyone yet and so I'll keep updating as I get info.

NCC

Do NOT take crypto. They also need an entity to work with.

• https://medium.com/ontologynetwork/ontology-uses-cryptography-experts-ncc-group-to-review-blockchain-infrastructure-bb1fca1d8887
• https://blog.z.cash/2018-zcash-security-audit-details/
• https://www.nccgroup.trust/us/our-research/zcash-cryptography-and-code-review/

Kudelski

DO take crypto but they add a 10% premium to their costs for all crypto payments. They seem quite busy at the moment and it takes multiple pings to get responses. Did audit of bulletproofs for Monero w/Quarkslab.

• https://ostif.org/the-quarkslab-and-kudelski-security-audits-of-monero-bulletproofs-are-complete/

Quarkslab

Estimate ~30 days @ $1650/day ($49.5k). Waiting to hear back on whether they accept crypto. Did audit of bulletproofs for Monero w/Kudelski.

• https://ostif.org/the-quarkslab-and-kudelski-security-audits-of-monero-bulletproofs-are-complete/
• https://blog.quarkslab.com/category/cryptography.html

x-41-dsec

They are scoping to provide an estimate. Do NOT accept crypto. They recommended working with OSTIF (https://ostif.org/) as an intermediary organization - I asked for an intro to OSTIF. Recently completed an audit of theQRL (Quantum Resistant Ledger):

• https://medium.com/the-quantum-resistant-ledger/x41-d-sec-audit-79d5243f0874

Also, update from a couple individuals:

• @bbuenz (Stanford) @cathieyun (Interstellar, formally Chain). I asked if they would be willing to help out on signatures and MMR in addition. They'd like to limit the scope to the implementation of Bulletproofs range proofs (using the libsecp library).

• Giulia is swamped and won't be able to help audit Dandelion, unfort.

• Shailesh not too familiar with the actual code itself for Dandelion so can't help.

[lehnberg]

Updated ticket to reflect updates above.

[ghost]

Hi guys, been following the project and donated a bit for the security audit a while back (0.00666500). I can ping Trail of Bits on your behalf. They were accepting crypto as recently as this summer. Not sure if policy has changed.

[Catheryne]

@anadesousa - sure, if you can ping Trail of Bits for an estimate to do the entire code base + crytolib implementations, that'd be great.

OSTIF (https://ostif.org/) will work as a 3rd party. They charge 10% of the total or $10k (whichever is lower) to facilitate the audit contract and cover wiring & exchange fees. They only have exchange accounts on Kraken & Bittrex and so the crypto for the audit will have to be deposited on one of the two. OSTIF says they also have 6 audit teams at their disposal and can ask each to bid on the project.

If the team can discuss preferences, that would be helpful for me to continue discussions with the various audit organizations:

1. Entity. Do we engage OSTIF, @yeastplume, or other entity.
2. Audit firm. Rank preferences on security audit company(s).

[ghost]

@Catheryne have an estimate from Trail of Bits @ $120K but I think there's room to negotiate. Can I put you in touch directly?

[lehnberg]

Also see here: https://mobile.twitter.com/CryptoAuditUK/status/1059723032145608704

[Catheryne]

@anadesousa can you please put me in contact w/Trail of Bits? I'm sending the reduced scope out for bid among all the audit firms. Thanks!

[Catheryne]

I have sent out the reduced scope for bid to all the above security audit companies. The deadline for submitting time and cost estimate bids is 5p Pacific 11/26/18. Work to begin ASAP.

[lehnberg]

Re: Trail of Bits, a contact from Ethereum Foundation reached out to Dan (CEO), who wrote:

"I have a small amount of spare capacity I can lend them. I'm planning to submit a proposal to them today. I hope it works out!"

So fingers crossed. 🤞

[Catheryne]

I received one responsive bid yesterday from Quarkslab. I have forwarded to @ignopeverell to take a look.

Trail of bits does not have time for a no-notice security review of a cryptographic product right now - their lead time is 2-3 months. NCC needed to get permission from their public report review board and I'm assuming that didn't happen. X41-dsec wrote back that the timeframe doesn't match their schedule. I did not hear back from Kudelski or LondonCrytoServices.

[eminogrande]

Hi, the aeternity team put quite some effort into a threat model and also published a full review. Both is published here https://github.com/aeternity/aetmodel maybe it helps you.

[quentinlesceller]

Fixed by mimblewimble/grin-security@85a03fd.