Announcing a Request for Proposal (RfP) for an external security review of Lighthouse
Update 1: Extension of RfP responses submission by 10 days
Sigma Prime Pty Ltd is a technical consultancy who specialise in information security and are mostly based out of Sydney, Australia.
The primary focus of Sigma Prime is to help secure distributed systems through in-depth security assessments of decentralised projects, while concurrently researching and developing core Blockchain infrastructure.
Sigma Prime is the founder and maintainer of the Lighthouse project, an open-source implementation of the Ethereum 2.0 specification, written in Rust. Lighthouse is one of the leading Ethereum 2.0 client implementations and has a particular focus on performance and security. This project has been funded since 2018 by several parties including the Ethereum Foundation, ConsenSys, and Vitalik Buterin.
Sigma Prime is initiating a Request for Proposal (RfP) for an External Security Review to assess the security posture of the Lighthouse software.
This article describes the Lighthouse project in detail, the scope of the security assessment, the deliverables expected, and a suggested timeline.
This post also provides guidelines on vendor selection criteria and indemnification structure, along with detailed bidding instructions.
Lighthouse is a leading Ethereum 2.0 implementation developed using Rust, which prioritises speed and security. Through Lighthouse, Sigma Prime helps to realise a scalable and efficient Ethereum platform.
The Lighthouse project is comprised of several code bases, listed below:
- The Lighthouse GitHub repository contains the vast majority of the code base, and can be found here.
- The BLS signatures library, which leverages the Apache Milagro Crypto project, is maintained by Sigma Prime here.
- Modular peer-to-peer network components, based on
libp2p, have been customised by Sigma Prime on its own fork.
Some benchmarks of Lighthouse can also be found in the
The current focus of the development team is to implement and optimise the Ethereum 2.0 specification, available here. Ethereum 2.0 is to be shipped in three distinct phases:
- Phase 0 - Beacon Chain: Introduction of Casper FFG, the Proof-of-Stake consensus mechanism used by Ethereum 2.0.
- Phase 1 - Shard Chains: Deployment of 1024 shard chains (focussing on data validity, consensus and construction on the shard chains data).
- Phase 2 - Execution Environments: Introduction of state execution engines to allow for arbitrary smart contracts.
Security Assessment Scope
The scope of this security engagement includes the review of the following Lighthouse components:
- Core Beacon Node logic:
- State transition logic
- Attestation processing and production
- Block processing and production
- Signature verification
- Epoch finalisation and justification
- Eth1 data processing
- Core Validator Client logic:
- Block/attestation signing
- Slash-prevention mechanisms
- Networking layer (leveraging the libp2p framework):
- Discovery protocol (discv5)
- Publish/Subscribe protocol (gossipsub)
- Ethereum 2 Request/Response protocol
- Restful HTTP API
- Serialization & deserialization format
- Client database (LevelDB) configuration
- Accounts management & key storage
- Client synchronization
- Command Line Interface (CLI)
The assessment will focus on identifying vulnerabilities that can lead to the following (non-exhaustive list):
- Denial-of-service conditions
- Remote code execution
- Data integrity loss
- Underflows and overflows
- Consensus splits
- Operations pool halt
- Unspecified/unexpected client behaviour
The selected vendor will be provided with specific Git commit hashes (one commit per relevant repository) at the start of the engagement, which will be the target of the assessment.
The chosen vendor shall provide a security assessment report, in a PDF format, comprised of the following sections:
- Executive summary, including:
- An overview of the testing performed (methodology and approach)
- A statement describing the overall security posture of the Lighthouse client
- A summary of the vulnerabilities identified, with their related severity
- For each vulnerability identified, detailed information containing:
- Vulnerability description:
- Likelihood of exploitation
- Impact qualification
- Overall vulnerability severity
- Recommended mitigative action:
- Detailed actions to perform to mitigate the vulnerability
- Recommendation complexity analysis
- Vulnerability description:
- Appendix explaining the vulnerability severity classification model applied to the security review
- Appendix listing the toolset (open source and proprietary) used during the engagement
After submitting the security assessment report, Sigma Prime will make any amendments required to the relevant codebases in order to mitigate the vulnerabilities identified throughout the security review. The vendor will then perform a retesting of the vulnerabilities to ensure that the fixes introduced effectively address the issues identified, and will amend the security assessment report accordingly (i.e. marking said vulnerabilities as resolved or acknowledged).
Indemnification & Fee Structure
The chosen vendor will be expected to submit three invoices:
- A first invoice of 20% of the total engagement fee at the start of the engagement
- A second invoice of 60% of the total engagement fee at the delivery of the security assessment report
- A third and final invoice of 20% of the total engagement fee after the retesting activities are completed and the updated, final security assessment report is delivered
The vendor will be given the option to be paid via bank transfer or in the following crypto-currencies (or Digital Tokens):
- Ether (ETH)
- Dai (DAI)
- Bitcoin (BTC)
The value of Digital Token described under the agreement will be the value of that Digital Token in Fiat Money at 9am AEST on the due date for payment as described at https://www.coinbase.com/price.
The vendor selected by Sigma Prime will have significant expertise in the areas necessary to meet the needs and requirements set forth in this RfP. Particularly:
- Experience with reviewing software written in the Rust programming language;
- Experience with reviewing large codebases;
- Experience with advanced cryptographic primitives such as BLS signatures;
- Experience with distributed systems and Blockchain technology.
Additional information, such as engagement team CVs and third party references, may be requested by Sigma Prime.
This security assessment engagement is expected to be delivered following the timeline outlined below:
|Item #||Item||Target timeline|
|1||Preliminary kick-off meeting with the Lighthouse development team||Week 1|
|2||Start of the security assessment||Week 2|
|3||Delivery of the first security assessment report||Week 6|
|4||Retesting of actions taken to mitigate vulnerabilities raised||Week 7|
|5||Delivery of the updated, final security assessment report||Week 8|
The expected start of this engagement is in Q4 2019.
Upon reception of this Request for Proposal, vendors are expected to confirm receipt and intention to bid on the engagement.
Proposals must be returned by bidders before
October 25th November 4th, 2019 9pm AEST.
Proposals must be sent in PDF format to the following email address: email@example.com
This PGP key can be used to encrypt the proposal (optional).
Vendors can request more information via email (firstname.lastname@example.org). Pre-bid meetings with vendors can also be arranged if required.
Sigma Prime is an information security consultancy who understands the importance of thorough technical security assessments.
We are looking for a sustainable relationship with a security reviewer who will be involved in the Lighthouse development process as often as necessary. With the launch of Ethereum 2.0 being spread between several phases, we expect the need for at least two additional security reviews targeting the Lighthouse codebase (Phase 1 & 2), along with the review of other auxiliary components (e.g. a web management interface).
Sigma Prime is happy to answer any questions bidders may have. Bidders should feel free to send any queries/questions to the following email address: email@example.com.