Audits, Audits, Everywhere
Everything You Need to Know About Application Security and the Cosmos Network
As part of the journey towards mainnet launch, the Interchain Foundation and Tendermint team have been intently focused on developing safe, resilient blockchain code. One of the most important ways we have worked towards this goal is by engaging a variety of talented, world-class security auditors to examine various aspects of our software. Independent security audits are a vital part of a healthy application security program, and by having a fresh set of eyes take a look at our work, we are able to gauge how well our security efforts are working. From planning out an intensive audit cycle to running an active bug bounty program, here is how we have invested in the long-term security of the Cosmos network on our way to launch.
Completed Audits
Audit 1. In 2017, Tendermint went through one of its first assessments with the team at Jepsen. This evaluation of Tendermint did not involve any dedicated code review, but instead comprised a series of rigorous tests focused primarily on how the software performed in the face of Byzantine faults and severe network partitions. Throughout the engagement, the Jepsen test suite was unable to violate Tendermint’s distributed liveness and safety guarantees, though it did expose a few issues: a single node data corruption, a fatal crash in WAL recovery, and data loss in WAL. The full report, including testing methodology, can be found here.
Audit 2. In March 2018, Tendermint kicked off a 13 day audit lead by a world renowned researcher in offensive cryptography and blockchain technology. This audit specifically assessed the cryptography layer of Tendermint and its libraries, with ABCI, go-wire (now go-amino), go-crypto, tmlibs, IAVL, and the IAVL tree implementation in scope.
This assessment surfaced 14 issues total, with 13 of those issues being low severity and 1 medium severity. To date, we’ve remediated all issues. We are working to publish an executive summary of the findings from the engagement to share with the wider community, and we will update this post as soon as it becomes available.
Audit 3. In May 2018, we kicked off a 20-day long assessment with 2 engineers and a dedicated project manager from an application security firm that focused on the server security, user interfaces, and network interoperability within our source code. The scope included Tendermint, CosmosSDK, Cosmos Voyager, abci, go-wire-master, IAVL, and tmlibs.
In total, the final report for this audit listed 15 issues, with 3 high severity, 4 medium severity, and 8 low severity that have all been remediated. We are working to publish an executive summary of this engagement, and we will update this post as soon as it becomes available.
Audit 4. In January 2019, we kicked off 2.5 week long audit with two engineers and a dedicated project manager from Least Authority, a firm with significant experience in crypto protocols and open source software. This assessment focused on the cryptoeconomic incentive structure of the CosmosSDK, marked the second time that an auditor reviewed the SDK source code.
No issues were identified during the course of the assessment, however, we made one minor code change to Tendermint to address an informational finding. To learn more about this audit, read the full report and the executive summary from Least Authority.
Audits in Progress
In early February 2019, we kicked off an engagement with Trail of Bits that coincides with a code freeze that is in place in preparation for mainnet launch. This is the largest, longest scope for an audit that we have done so far, and our auditors are evaluating the most complete and final version of our source code to date.
Once the audit is finished and we’ve fully remediated issues that surfaced during the assessment, we will update this post to include an executive summary and a final audit report.
Future Audits
To wrap up our 2019 assessment cycle, we’ve lined up one more engagement with a notable security firm that will kick off in early March 2019. This audit will cover the CosmosSDK, and will be an integral part of transitioning our KMS and Voyager out of alpha state and into production readiness. We will publish an executive summary of the engagement after we have remediated any findings from the final audit report.
Ongoing Investments in Security
In addition to providing support for the series of security audits focused on Tendermint and the Cosmos SDK, the Interchain Foundation has funded the Tendermint bug bounty program since it launched in April 2018. While bug bounty programs are less effective than regular, systematic application security assessments, some of our early audit results and bug bounty reports have yielded bug collisions that prove we have the right eyes (and minds) focused on our code.
To date, the bug bounty program has surfaced numerous valuable bugs and paid out $38,400 to date to reward hackers, researchers, and members of our community who have found and reported security issues to us. Additionally, our bug bounty program is one of the earliest programs to offer a Safe Harbor to security researchers who participate in it. We committed to doing this work out of respect for external researchers, and are dedicated to respecting the legal rights of those who work with us to improve the safety and security of our code.
In the blockchain space, finding the right set of auditors and security services providers is a challenge: we’re building entirely new infrastructure and technology from the ground up, and securing it requires a holistic approach that does more than find bugs in code. We are extremely lucky to have the opportunity to work with some of the best auditors in the world who are at the cutting edge of offensive cryptography, blockchain technology, and cryptoeconomic incentive analysis.
At this point in our audit cycle, no critical security issues have been identified in our code. If you think you’ve found a critical security issue, visit tendermint.com/security for more information on how to report a security bug, or drop us a line at security@tendermint.com.
As mainnet launch approaches, we would like to thank and acknowledge ahook, Hendrik Hofstadt of CertusOne, yutian, xinqian, blackpainter, haoyangliu, bharvest-hyung, guido, yunjh1994, chengwenxi, Max Veytsman, Emmaneul Odeke of Orijitech, Amit Elazari Bar On and #LegalBugBounty, and the many, many others whose knowledge and experience have positively impacted our security program. Thank you!
