Request for Proposal: Prysm External Security Assessment
Thank you to our friends at Sigma Prime for allowing us to use their RFP structure and much of the content in this document. We owe you guys a round of beers! 🍺
Introduction
Prysmatic Labs is an independent team of blockchain engineers with a strong background and passion for scaling distributed systems. Founded in 2018, Prysmatic Labs has been one of the leading implementation teams in Ethereum 2.0 client development.
As Ethereum 2.0 nears a main network launch later this year, Prysmatic Labs is seeking an external security review to assess the security of its open source client software, Prysm.
Project Description
The Prysm project is a Go implementation of the Ethereum Serenity protocol as detailed in the official specification. It contains a full beacon node implementation as well as a validator client for participating in blockchain consensus. Prysm utilizes best-in-class tools for production servers and interprocess communication, using Google’s gRPC library, BoltDB as an optimized, persistent, key-value store, and libp2p by Protocol Labs for all peer-to-peer networking.
Prysm’s code base is contained in a GitHub repository using a mono-repo style to host most of the first-party source code, with some first-party code written into standalone repositories and many external third-party libraries. Prysm uses a build tool called Bazel (similar to Make) to compile Prysm binaries and their dependencies.
Security Assessment Scope
The scope of this security engagement includes the review of the following Prysm components:
Core Beacon Node logic
- State transition logic
- Fork choice logic
- Attestation processing and production
- Block processing and production
- Signature verification
- Epoch finalization and justification
- Eth1 data processing
- Caching logic
Core Validator Client logic
- Block/attestation signing
- Slashing prevention mechanisms
Networking Layer (leveraging the libp2p framework)
- Discovery protocol (discv5)
- Publish/subscribe protocol (gossipsub)
- Ethereum 2.0 Request/response protocol
gRPC API
- Including requests via gRPC transcoding (gRPC-Gateway)
Serialization & deserialization
- SSZ
- HashTreeRoot
Client database (BoltDB) configuration
Accounts management & key storage
Client synchronization
- Initial sync from genesis
- Resync
- Regular sync
Command line interface
Core slasher logic
- Data storage
- Slashing detection logic (attestation processing & block processing)
- Slashing protection logic
The assessment will focus on identifying vulnerabilities that can lead to the following (non-exhaustive list):
Denial-of-service conditions
Remote code execution
Data integrity loss
Underflows and overflows
Consensus splits
Operations pool halt
Unspecified/unexpected client behaviour
Prysmatic Labs is particularly interested in assessing:
Operational threats
- Docker deployment
- ./prysm.sh start script
Potential security pitfalls in client side interaction and configuration
Data flows
- Data to/from external sources
- Data to/from internal sources
Control flow integrity
Currently exploitable vulnerabilities
Potential security gaps in user interaction
Security assumptions, potential future weaknesses in design and implementation
Strength of existing security controls and potential improvements that could be made
A high-level security review of Prysm dependencies
The selected vendor will be provided with a specific Git commit hash for Prysm at the start of the engagement, which will be the target of the assessment.
Deliverables
The chosen vendor shall provide a security assessment report, in a PDF format, comprised of the following sections:
Executive summary, including
- An overview of the testing performed (methodology and approach).
- A statement describing the overall security posture of the Prysm software.
- A summary of the vulnerabilities identified, with their related severity.
For each vulnerability, detailed information containing:
Vulnerability description
- Likelihood of exploitation
- Impact qualification
- Overall vulnerability severity
Recommended mitigative action
- Detailed actions to perform to mitigate the vulnerability.
- Recommendation complexity analysis
- Reproducible/automatable verification of mitigation, where applicable
Appendix explaining the vulnerability severity classification model applied to the security review.
Appendix listing the toolset (open source and proprietary) used during the engagement.
After the security assessment report is submitted, Prysmatic Labs will make any amendments required to the relevant codebases in order to mitigate the vulnerabilities identified throughout the security review. The vendor will then retest the vulnerabilities to ensure that the fixes introduced effectively address the issues identified, and will amend the security assessment report accordingly (i.e. marking said vulnerabilities as resolved or acknowledged).
Indemnification & Fee Structure
The chosen vendor will be expected to submit three invoices:
- A first invoice of 20% of the total engagement fee at the start of the engagement.
- A second invoice of 60% of the total engagement fee at the delivery of the security assessment report.
- A third and final invoice of 20% of the total engagement fee after the retesting activities are completed and the updated, final security assessment report is delivered.
The vendor will be given the option to be paid via bank/wire transfer or in the following cryptocurrencies:
- Ether (ETH)
- Dai (DAI)
- USDC (USDC)
Ether will be valued in fiat money at 6pm UTC on the due date for payment as described at https://www.coinbase.com/price. USD-based stablecoins will be valued at $1.00 per token.
Selection Criteria
The vendor selected by Prysmatic Labs will have significant expertise in the areas necessary to meet the needs and requirements set forth in this Request. Particularly:
- Experience with reviewing software written in the Go programming language;
- Experience with reviewing large codebases;
- Experience with advanced cryptographic primitives such as BLS signatures;
- Experience with distributed systems and Blockchain technology.
Additional information, such as engagement team CVs and third party references, may be requested by Prysmatic Labs.
Engagement Timeline
This security assessment engagement is expected to be delivered following the timeline outlined below:
Week 1
- Preliminary kick-off meeting with the Prysm development team
- Start of the security assessment
Week 4
- Delivery of the first security assessment report
- Prysmatic Labs begins remediation
1 Week After Remediation is Complete
- Retesting of actions taken to mitigate the issues raised
2 Weeks After Remediation is Complete
- Delivery of the updated, final security assessment report
The expected start of this engagement is in Q2 2020.
2020/04/07: The timeline was updated to reflect an unknown remediation period rather than a rigid 1 week timeline.
Bidding Instructions
Upon reception of this Request for Proposal, vendors are expected to confirm receipt and intention to bid on this engagement.
Proposals must be returned by April 17, 2020 00:00 UTC.
Proposals must be sent in PDF format to the following email address: security@prysmaticlabs.com. The proposal may be encrypted using the public keys listed in Prysmatic Labs’ security.txt.
Vendors can request more information via email (security@prysmaticlabs.com). Pre-bid meetings with vendors are welcome, if necessary.
Conclusion
Prysmatic Labs is a software development company and we understand the importance of security in mission critical software. We are looking for a sustainable relationship with a security reviewer who will be involved in the Prysm development process as often as necessary. With the launch of Ethereum 2.0 being spread between several phases, we expect the need for at least two additional security reviews targeting the Prysm codebase (Phase 1 & 2), along with the review of other auxiliary components.
Prysmatic Labs is happy to answer any questions bidders may have. Bidders should feel free to send any queries/questions to the following email address: security@prysmaticlabs.com.