Internet security consultancy Deja vu Security provided security assessment of Ethereum before its “Frontier” release.
Ethereum apparently awarded the contract to Deja vu Security because the Seattle-based company specializes in custom end-to-end security assessments and has expertise in blockchain technology.
The security assessment consisted of several reviews: a design review, a solutions review, and reviews of the protocol and of the clients' quasi-Turing-complete virtual machine.
According to Deja vu, the design reviews focused on the clients' quasi-Turing-complete virtual machine, the wire protocols, the integrity of blockchain processing, the integrity of transaction processing, the client implementation, and cryptanalysis.
The solution review focused on the end-to-end process, with attention given to the blockchain, transactions, contracts and their internal state. The solution review also looked inside the implementation for incorrect usage of cryptographic primitives, including hashing, key strength, algorithm choices, timing attacks, padding, and more.
The protocol, peer-to-peer service and network review examined susceptibility to vulnerabilities, including denial-of-service attacks and the compromise or degradation of the Ethereum network.
A review of the Go code focused on realized or potential issues with the application's and system's data structures, variables and pointers, threading, and network communication infrastructure.
The data items, protocols, scripting language, and Go client were fuzz tested using Peach Fuzzer. The fuzzing system apparently operates on any data consumer: applications, protocols, and entire systems, including SCADA systems.
Deja vu stated:
Issues and risks were reported with weekly status reports, as well as a formal report bucketing the issues, identifying associated risks, recommending mitigation actions, and identifying the issues needing to be fixed before releasing the software. One issue involved a serialization parser in the Go client. Peach provided the details to identify and correct the issue. A formal final report with sign-off was issued, signifying acceptance of the deliverables and moving to a successful close of the project.
Although the project findings meant additional work and schedule adjustments, the results were worth the effort. The platform is solid. Many development projects are using the Ethereum platform. The Ethereum platform is a productivity tool, offering shorter development times than a project with no platform. The Ethereum platform is robust and versatile. Its extensibility promises applications in other markets.
Jeffrey Wilcke, Ethereum Director and Chief of the Mist and Go client projects, stated that the experience of Deja vu Security in finding security issues and in having proper processes in place was invaluable.
It was like staring blindly at a piece of code, then having someone come up and immediately identify the issue. We were able to resolve severe issues only with your help for which we are incredibly grateful.