Least Authority Team
Published in Least Authority
Sep 16, 2019

On September 10th the Ethereum Cat Herders released our final report on the ProgPoW software audit. The audit’s findings and suggestions were shared with the Ethereum core developer community along with the noted project partners.

Final Audit Reports

Project Timeline

  • July 17-August 14: Code review
  • August 16: Delivery of Initial Audit Report
  • August 17-September 6: Feedback and consultation period
  • September 9: Delivery of Final Audit Report

Software Audit Findings

Based on our review of the ProgPoW algorithm, we find that the code is accurate to its design and that it achieves its goals by utilizing GPUs more optimally than Ethash; however, we caution that future hardware advancements may jeopardize this status.

Our investigation and analysis found that ProgPoW’s high-level design goals, summarized as “GPU-targeting and ASIC-resistant,” are reasonable towards achieving its intended economic effect. We found no major issues and the design appears to function as intended: to encourage mining from diverse participants while preventing the concentration of mining influence. Ethash, the current PoW algorithm used by the Ethereum network, already contributes to placing ASICs at a disadvantage. However, ProgPoW goes further to make the energy used per hash less divergent between a GPU and a custom ASIC. As a result, in comparison to Ethash, we find that the ProgPoW algorithm provides better overall security against recentralization, which is largely based on more optimal utilization of the overall features of a GPU. By preventing ASICs from out-performing GPUs, ProgPoW encourages distribution of advantages in hardware development and is therefore likely a better defense against a 51% attack.

ProgPoW’s modified use of random math and parallelism, however, are approaches that have not yet been fully proven for the longer term, especially considering the fast advancements in the hardware industry. Some additional review time is suggested for specific areas of concern, though this must be balanced with the risks present at the time of investigation. Regardless of the length of any given review and analysis of ProgPoW, the possibility remains that the algorithm’s new approaches may be insufficient or become obsolete over time.

The separate hardware audit, conducted by Bob Rao, was done independently of the software audit; as mentioned in our report, however, our team had two conference calls with him.

Background

Ethereum Cat Herders, Ethereum Foundation, and Bitfly requested that Least Authority perform a security audit of ProgPoW, a Programmatic Proof-of-Work (PoW) algorithm to replace Ethash, in order to verify the security of the algorithm and provide clear metrics about its performance.

This audit is part of the overall effort to examine ProgPoW in order to achieve the following goals and expectations, as per the Ethereum Cat Herders:

  1. “The expected effects of ProgPoW on the security of Ethereum vis-a-vis: Security of the algorithm, attack surface, cost of 51% attack, and other security risks that may result from a change from Ethash to ProgPoW.
  2. ProgPoW meeting the goal of ASIC resistance: Known methods to speed up the calculation of the hash function, the length of time it would take to create a ProgPoW ASIC (if R&D begins immediately), and expected efficiency gains from the first generation of said ASICs.
  3. Identify any potential advantages or disadvantages that ProgPoW would present in comparison to Ethash in terms of changes to the network, “fair mining” and evaluate any potential uneven distribution.”

If you would like to get in touch regarding security audits or our process in particular, we can be reached at: contactus@leastauthority.com.

Learn more about our security consulting services and the projects we’ve worked on.
