Phase 0 bounty offers $10k to researchers who can break the chain
The Ethereum 2.0 bug bounty program is in full force, as developers prepare to roll out the biggest upgrade of the blockchain platform since its launch five years ago.
The bug bounty program covers the pre-launch of the first of three phases of the Ethereum 2.0 upgrade: ‘Phase 0: Beacon Chain’; ‘Phase 1: Shard Chains’; and ‘Phase 2: Execution Environments’.
Security researchers are being encouraged to find bugs in the core Eth2 Phase 0 specification before the mainnet launch, which is scheduled for some time later in April.
Cryptocurrency blockchains are usually developed on testnets before launching an official main network.
Ethereum 2.0 bug bounty hunters can receive rewards ranging from $500 for small defects up to $10,000 for bugs that can break the chain.
Rewards can be received in ETH, the official Ethereum cryptocurrency, or the stablecoin DAI. (Stablecoins are pegged against a fiat currency and are not subject to the price volatilities of mainstream cryptocurrencies.)
Ethereum Foundation researchers are not eligible to participate in the bug bounty, but developers of the Eth2 client can participate under higher scrutiny conditions.
One thing to note is that the testing is being done against the Eth2 specifications, as opposed to evaluating the actual code of the client implementations.
The Ethereum Foundation has already doled out $13,000 in rewards for three vulnerability disclosures, including a critical overflow bug.
After the Phase 0 mainnet launches, the Ethereum 2.0 bounty program will be transferred to the standard Ethereum Bounty Program.
“We have a solid and well-tested spec, and we have a number of incredible teams building it out,” Ethereum 2.0 project lead Danny Ryan told The Daily Swig.
“As with any new production system, we prepare for unknowns, but at the same time we do expect things to go well with the launch of eth2.”
The bug bounty program comes on the heels of a thorough audit of the Phase 0 specification by Least Authority.
“When reviewing a specification as opposed to code that has already been implemented, certain assumptions are made about the kinds of vulnerabilities that might be present in an implementation,” Hind Kurhan, senior program manager at Least Authority, told The Daily Swig.
“However, our threat models and possible scenarios are not exhaustive, and we always recommend to our clients that coded implementations, in addition to specification review, be audited as a security best practice.”
Overall, the Least Authority team found the Eth2 specifications to be well thought out and comprehensive. “It is clear that security was strongly considered by the Ethereum 2.0 team during the design phase,” they wrote in March.
Ethereum security: DoS and information leakage issues resolved
In their review, the Least Authority team found two main issues: a denial-of-service (DoS) vector in the P2P networking system, and a potential information leak in the block proposer system.
“During our engagement, the Ethereum 2.0 team implemented changes to the specification and responded to our issues following the delivery of our initial audit report,” Kurhan said, adding that it is not uncommon for projects to re-engage during later phases of design and development and commission a follow-up review.
“We would welcome the opportunity to engage with the Ethereum 2.0 team to review further progress for security issues.”
The biggest change in Ethereum will be a transition from the ‘proof of work’ consensus model to ‘proof of stake’.
PoW, used in Ethereum 1.0 and Bitcoin, consists of a network of ‘miners’ competing to solve computationally expensive mathematical puzzles in order to validate new blocks of transactions.
The computational resources required to solve the mining puzzles raise the cost of staging DoS attacks against the network. PoS, on the other hand, gives nodes voting rights on new blocks in proportion to the number of coins they hold.
The general assumption is that parties who hold more of the cryptocurrency have a higher stake in keeping the network online and free of fraudulent activity.
Proof-of-stake has been widely discussed in the blockchain community and there are already several cryptocurrencies that use PoS.
But Ethereum 2.0 will be the first large-scale implementation of PoS, which in itself may bring unpredictable challenges for the long-term stability and security of the network.