Security & Code audits #1609
This is a work in progress. Feedback / suggestions etc please provide in the comment field and I will update.
As per item 2.2 of the Sep 25 Governance meeting, it is desired that Grin undergoes thorough audits by third parties external to the project. The functionality of the protocol and the applied cryptography should be reviewed, as well as the actual code of the implementation. Both academic and publicly funded researchers and institutions should be invited to participate, as well as private contractors.
Status as of Oct 19 2018
Potential auditors and status
When is the code estimated to be available for audit?
Current wide range is 2 weeks (aggressive) to 3 months (with lots of time).
What is the deadline for audits to be completed?
What parts of the project should be audited?
Current thinking: at least the entire repo + supporting secp256k1 libs. Potentially base the audit on a branch of T4.
Are there any particular aspects to focus on?
For example DDoS, consensus, hidden inflation, privacy leaks, etc.
What's the deliverable?
How should the auditors present their findings?
What's the work process?
Perhaps developers doing an initial brief to auditors and hosting Q&As / walkthroughs?
How is the effort funded?
Crowd-fund campaign? Auditors paid in crypto? We raise a lump-sum, or break down audits to granular level? etc.
These are the folks from various universities whom I have contacted to date, for what, and status/comments on each:
I also contacted these companies: TrailofBits, Kudelski Security, NCC Group, Coinspect. The only two I have heard back from are NCC and Coinspect:
Also, because this audit will likely cost a fair penny, I've been socializing it with investors to see if there's interest in donating. I think it would be a good example for investors, especially those in the crypto space, to donate to open-source projects which not only help their portfolio companies but protect their investments.
Changed the title from "[WIP] Task: Security & Code audits" to "Security & Code audits" (Oct 14, 2018)
We need to figure out:
Update on audit firms:
Do NOT take crypto. They also need an entity to work with.
DO take crypto, but they add a 10% premium to their costs for all crypto payments. They seem quite busy at the moment and it takes multiple pings to get responses. Did an audit of bulletproofs for Monero w/Quarkslab.
Estimate ~30 days @ $1650/day ($49.5k). Waiting to hear back on whether they accept crypto. Did an audit of bulletproofs for Monero w/Kudelski.
They are scoping to provide an estimate. Do NOT accept crypto. They recommended working with OSTIF (https://ostif.org/) as an intermediary organization - I asked for an intro to OSTIF. Recently completed an audit of theQRL (Quantum Resistant Ledger):
Also, an update from a couple of individuals: