Livepeer Smart Contract Security Audit #1 Results

Doug Petkanics, Livepeer
Published Mar 14, 2018 · 3 min read

Prior to launching Livepeer on Ethereum’s MainNet network, we felt it important to conduct significant internal testing across multiple networks, complete a round of internal security audits, and work with an external 3rd party security firm to audit and do a security review of the Livepeer smart contracts. We worked with Trail of Bits (ToB) over the course of a couple weeks, and they recently completed their audit.

You can read the full Livepeer audit report by Trail of Bits here.

In summary, ToB dug deep into the inner workings of the Livepeer protocol and smart contracts. They covered many different areas using automated tools, custom-written tests, and manual inspection and debugging. The report that they produced included:

  • 3 potential low severity issues
  • 2 potential informational issues
  • 0 medium or high severity issues
  • 2 code maintainability recommendations

After discussions and recap, Livepeer has produced a response to each of the reported issues, along with a few short term actions.

Read Livepeer’s detailed technical response here.

In light of the findings and response, Livepeer is in a better place to move forward with its upcoming network launch, knowing that the project has worked with talented external security researchers who attempted to exploit the protocol. None of the reported issues are blockers for the upcoming alpha, but all are positive recommendations for future iteration. Livepeer will continue to engage external security partners going forward as it deploys significant upgrades to the network and iterates over time. For more details around the goals and execution of the audit process, read on.

Trail of Bits

After an extensive outreach and education process spent evaluating potential security partners, Livepeer was excited to select Trail of Bits as its first external audit partner for the following reasons.

  • They are an established security firm of professionals that predates the recent boom of Ethereum and Solidity smart contract audits.
  • They have a positive recent track record in the Ethereum, EVM, and blockchain world, having recently run audits for MakerDAO, Parity, and RSK.
  • They have built and contributed open source tools to the security research world including Manticore and Echidna.
  • Positive recommendations and reference checks.
  • Significant track record of community engagement including research publications and security conference presentations.
  • Professional and responsible communication, organization, management, and execution. The quote and work were on time and on budget.

Audit Goals

ToB understood that Livepeer would be rolling out gradually over time and iterating frequently. Since protocol upgrade and parameter upgrade mechanisms were built in, the goals of the audit were less about giving the current code base the full stamp of approval, and more about making sure the important mechanisms that enable upgrades, bug fixes, and iteration, and that protect user value, were in place. The audit was primarily focused on three areas:

  1. Liveness — the Livepeer protocol progresses in rounds, and each round needs to be initialized in order for broadcast jobs to be submitted and rewards to be earned. Can anything halt this process and “freeze” the protocol?
  2. Ownership — during the iterative period and gradual network rollout, the core team can update economic parameter values, fix bugs, and deploy smart contract upgrades. Are there any ownership vulnerabilities that allow a malicious actor to access these capabilities?
  3. Value — users stake tokens into Livepeer smart contracts in order to do work on the network. Can anything put this user value at risk such that it can get locked up or stolen?
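To make the three questions concrete, here is an added example of how a toy rounds contract can express each audit goal as a property that a fuzzer such as Echidna checks. This is illustrative code written for this page; it is not Livepeer's RoundsManager and not taken from the Trail of Bits report. The contract `ToyRounds`, its permissionless `initializeRound`, owner-gated `setRoundLength`, the `bond`/`unbond` functions, and the `echidna_*` properties are all hypothetical. It also assumes Echidna is configured so that the fuzzing senders do not include the deploying account, so the owner-only path is exercised only by unprivileged callers.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical toy contract (not Livepeer's code). It encodes the three audit
// questions, liveness, ownership and value, as checkable invariants.
contract ToyRounds {
    address public owner;
    address private immutable deployer;   // snapshot of the original owner
    uint256 public roundLength;           // blocks per round, must stay > 0
    uint256 public lastInitializedRound;
    mapping(address => uint256) public bonded;
    uint256 public totalBonded;

    constructor(uint256 _roundLength) {
        require(_roundLength > 0, "round length must be positive");
        owner = msg.sender;
        deployer = msg.sender;
        roundLength = _roundLength;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Liveness: anyone may initialize the current round, so no single party
    // can stall progress by refusing to call this.
    function currentRound() public view returns (uint256) {
        return block.number / roundLength;
    }

    function initializeRound() external {
        uint256 r = currentRound();
        require(r > lastInitializedRound, "already initialized");
        lastInitializedRound = r;
    }

    // Ownership: parameter updates are owner-gated. A zero round length would
    // make currentRound() revert on division by zero and freeze the protocol,
    // so the setter rejects it.
    function setRoundLength(uint256 _roundLength) external onlyOwner {
        require(_roundLength > 0, "round length must be positive");
        roundLength = _roundLength;
    }

    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero owner");
        owner = newOwner;
    }

    // Value: users stake ether; accounting must always be backed by balance.
    function bond() external payable {
        bonded[msg.sender] += msg.value;
        totalBonded += msg.value;
    }

    // Checks-effects-interactions: state is updated before the external call,
    // so a reentrant call cannot withdraw the same bond twice.
    function unbond(uint256 amount) external {
        require(bonded[msg.sender] >= amount, "insufficient bond");
        bonded[msg.sender] -= amount;
        totalBonded -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // --- Echidna properties: public view functions named echidna_* that
    // return bool. Echidna calls the contract's other functions with random
    // inputs from unprivileged senders and reports any property that becomes
    // false, printing the call sequence that broke it. ---

    // Ownership: no sequence of calls from non-owner accounts changes owner.
    function echidna_owner_unchanged() public view returns (bool) {
        return owner == deployer;
    }

    // Liveness: currentRound() can never revert, so rounds can always advance.
    function echidna_round_length_positive() public view returns (bool) {
        return roundLength > 0;
    }

    // Liveness: the recorded round never runs ahead of the chain.
    function echidna_round_not_ahead() public view returns (bool) {
        return lastInitializedRound <= currentRound();
    }

    // Value: every bonded unit is backed by contract balance (>= rather than
    // == because ether can be forced in via selfdestruct).
    function echidna_solvent() public view returns (bool) {
        return address(this).balance >= totalBonded;
    }
}
```

The three property groups map directly onto the audit questions: if the fuzzer ever reports `echidna_owner_unchanged` as false, an unprivileged caller reached an ownership capability; a false `echidna_round_length_positive` means some path could freeze round progression; a false `echidna_solvent` means user value could be locked or lost. Real protocol contracts have far more state, but the discipline of writing each audit goal down as an invariant before reviewing the code is the same.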

ToB led with a focus on these areas, but was also able to touch on many others including job and rounds management, bonding, deep dives into on-chain data structures, and the earnings distribution functions.

See the full report for detailed findings. As Livepeer goes to mainnet and iterates on its protocol, look for opportunities to participate in security reviews through potential bug bounty and development bounty programs.

Doug Petkanics, Livepeer: building live streaming on the blockchain at Livepeer. Previously Founder, VP Eng at Wildcard and Hyperpublic (acquired by Groupon).