Lighthouse External Security Assessment - Request for Proposal

Announcing a Request for Proposal (RfP) for an external security review of Lighthouse

Update 1: The deadline for submitting RfP responses has been extended by 10 days.

Introduction

Sigma Prime Pty Ltd is a technical consultancy that specialises in information security and is based mostly out of Sydney, Australia.

The primary focus of Sigma Prime is to help secure distributed systems through in-depth security assessments of decentralised projects, while concurrently researching and developing core Blockchain infrastructure.

Sigma Prime is the founder and maintainer of the Lighthouse project, an open-source implementation of the Ethereum 2.0 specification, written in Rust. Lighthouse is one of the leading Ethereum 2.0 client implementations and has a particular focus on performance and security. This project has been funded since 2018 by several parties including the Ethereum Foundation, ConsenSys, and Vitalik Buterin.

Sigma Prime is initiating a Request for Proposal (RfP) for an External Security Review to assess the security posture of the Lighthouse software.

This article describes the Lighthouse project in detail, the scope of the security assessment, the deliverables expected, and a suggested timeline.

This post also provides guidelines on vendor selection criteria and indemnification structure, along with detailed bidding instructions.

Project Description

Lighthouse is a leading Ethereum 2.0 implementation developed using Rust, which prioritises speed and security. Through Lighthouse, Sigma Prime helps to realise a scalable and efficient Ethereum platform.

The Lighthouse project is comprised of several code bases, listed below:

  • The Lighthouse GitHub repository contains the vast majority of the code base, and can be found here.
  • The BLS signatures library, which leverages the Apache Milagro Crypto project, is maintained by Sigma Prime here.
  • Modular peer-to-peer network components, based on libp2p, have been customised by Sigma Prime on its own fork.

Some benchmarks of Lighthouse can also be found in the serenity-benches repository.

The current focus of the development team is to implement and optimise the Ethereum 2.0 specification, available here. Ethereum 2.0 is to be shipped in three distinct phases:

  • Phase 0 - Beacon Chain: Introduction of Casper FFG, the Proof-of-Stake consensus mechanism used by Ethereum 2.0.
  • Phase 1 - Shard Chains: Deployment of 1024 shard chains (focussing on data validity, consensus, and the construction of shard chain data).
  • Phase 2 - Execution Environments: Introduction of state execution engines to allow for arbitrary smart contracts.

Security Assessment Scope

The scope of this security engagement includes the review of the following Lighthouse components:

  • Core Beacon Node logic:
    • State transition logic
    • Attestation processing and production
    • Block processing and production
    • Signature verification
    • Epoch finalisation and justification
    • Eth1 data processing
  • Core Validator Client logic:
    • Block/attestation signing
    • Slash-prevention mechanisms
  • Networking layer (leveraging the libp2p framework):
    • Discovery protocol (discv5)
    • Publish/Subscribe protocol (gossipsub)
    • Ethereum 2 Request/Response protocol
  • Restful HTTP API
  • Serialization & deserialization format
  • Client database (LevelDB) configuration
  • Accounts management & key storage
  • Client synchronization
  • Command Line Interface (CLI)

The assessment will focus on identifying vulnerabilities that can lead to the following (non-exhaustive list):

  • Denial-of-service conditions
  • Remote code execution
  • Data integrity loss
  • Underflows and overflows
  • Consensus splits
  • Operations pool halt
  • Unspecified/unexpected client behaviour

The selected vendor will be provided with specific Git commit hashes (one commit per relevant repository) at the start of the engagement, which will be the target of the assessment.

Deliverables

The chosen vendor shall provide a security assessment report, in a PDF format, comprised of the following sections:

  • Executive summary, including:
    • An overview of the testing performed (methodology and approach)
    • A statement describing the overall security posture of the Lighthouse client
    • A summary of the vulnerabilities identified, with their related severity
  • For each vulnerability identified, detailed information containing:
    • Vulnerability description:
      • Likelihood of exploitation
      • Impact qualification
      • Overall vulnerability severity
    • Recommended mitigative action:
      • Detailed actions to perform to mitigate the vulnerability
      • Recommendation complexity analysis
  • Appendix explaining the vulnerability severity classification model applied to the security review
  • Appendix listing the toolset (open source and proprietary) used during the engagement

After the security assessment report is submitted, Sigma Prime will make any amendments required to the relevant codebases in order to mitigate the vulnerabilities identified throughout the security review. The vendor will then retest the vulnerabilities to ensure that the fixes introduced effectively address the issues identified, and will amend the security assessment report accordingly (i.e. marking said vulnerabilities as resolved or acknowledged).

Indemnification & Fee Structure

The chosen vendor will be expected to submit three invoices:

  • A first invoice of 20% of the total engagement fee at the start of the engagement
  • A second invoice of 60% of the total engagement fee at the delivery of the security assessment report
  • A third and final invoice of 20% of the total engagement fee after the retesting activities are completed and the updated, final security assessment report is delivered

The vendor will be given the option to be paid via bank transfer or in the following crypto-currencies (or Digital Tokens):

  • Ether (ETH)
  • Dai (DAI)
  • Bitcoin (BTC)

The value of any Digital Token described under the agreement will be its value in Fiat Money at 9am AEST on the due date for payment, as quoted at https://www.coinbase.com/price.

Selection Criteria

The vendor selected by Sigma Prime will have significant expertise in the areas necessary to meet the needs and requirements set forth in this RfP. Particularly:

  • Experience with reviewing software written in the Rust programming language;
  • Experience with reviewing large codebases;
  • Experience with advanced cryptographic primitives such as BLS signatures;
  • Experience with distributed systems and Blockchain technology.

Additional information, such as engagement team CVs and third party references, may be requested by Sigma Prime.

Engagement Timeline

This security assessment engagement is expected to be delivered following the timeline outlined below:

  Item #   Item                                                                    Target timeline
  ------   ----------------------------------------------------------------------  ---------------
  1        Preliminary kick-off meeting with the Lighthouse development team       Week 1
  2        Start of the security assessment                                        Week 2
  3        Delivery of the first security assessment report                        Week 6
  4        Retesting of actions taken to mitigate vulnerabilities raised           Week 7
  5        Delivery of the updated, final security assessment report               Week 8

The expected start of this engagement is in Q4 2019.

Bidding Instructions

Upon reception of this Request for Proposal, vendors are expected to confirm receipt and intention to bid on the engagement.

Proposals must be returned by bidders before November 4th, 2019, 9pm AEST (extended from the original deadline of October 25th, 2019; see Update 1 above).

Proposals must be sent in PDF format to the following email address: security@sigmaprime.io

This PGP key can be used to encrypt the proposal (optional).

Vendors can request more information via email (security@sigmaprime.io). Pre-bid meetings with vendors can also be arranged if required.

Conclusion

Sigma Prime is an information security consultancy that understands the importance of thorough technical security assessments.

We are looking for a sustainable relationship with a security reviewer who will be involved in the Lighthouse development process as often as necessary. With the launch of Ethereum 2.0 being spread between several phases, we expect the need for at least two additional security reviews targeting the Lighthouse codebase (Phase 1 & 2), along with the review of other auxiliary components (e.g. a web management interface).

Sigma Prime is happy to answer any questions bidders may have. Bidders should feel free to send any queries/questions to the following email address: security@sigmaprime.io.