Ethereum 2.0 Security Audit by Least Authority Reveals Two Major Shortcomings
- The upcoming Ethereum 2.0 Audit report was recently released by Least Authority who had been tasked with this function.
- This firm looked into Ethereum’s 2.0 codebase and framework at the foundation’s request.
- Results from the audit highlighted that despite a good design, Ethereum 2.0 has two major shortcomings stemming from its Block proposer and P2P messaging systems.
The audit process began back in January and both entities have been working together to realize this review. According to the report by Least Authority, ETH 2.0 is infrastructure is comprehensive and well thought out. However, the firm could not be very conclusive given the limited applications of the Proof-of-Stake (PoS) consensus;
“It is one of the first Proof of Stake (PoS)/sharded protocol projects planned for production,” the report further reads, “The long-term stability of PoS blockchains is an area of active research that will need to be monitored over time as they are used in production.”
It is also noteworthy that the report found Ethereum’s P2P and ENR as underrepresented. This basically means that not enough documentation on these systems has been done as per phase 0 of Ethereum 2.0. The report goes on to suggest that the significance of these two functions makes it important to elaborate on them from the beginning.
Block Proposer Information Leak Threat
As mentioned earlier, this function poses a threat to ETH 2.0 prospective clients’ information. Ethereum’s transition from a Proof of Work (PoW) to Proof of Stake (PoS) network ultimately pushed the foundation to integrate a block proposer within its ecosystem. The main purpose of this feature is to pick the next block to go into the chain. This process, in turn, exposes the Ethereum network to possible information leaks.
The report proposes a Single Secret Leader Election (SSLE) approach in order to hide the selection mechanism;
“With the information leak patched, the block proposer remains as protected as it would be in PoW chains, but without the computational overhead,”
Ethereum’s 2.0 team agreed with this shortcoming and the proposed solution. They particularly noted that the active research in SSLE is something Ethereum 2.0 Devs are looking at in preparation for better versions of the coming phases.
Spam Messaging on Ethereum’s 2.0 P2P
Another major shortcoming is a spam problem with the scheduled Ethereum upgrade’s P2P messaging system. The report by Least Authority mentioned that lack of a central authority to check on the nodes’ activity could expose the network to dishonest participants. This means that one can spam the network with old messages at the cost of the most recent ones; they can do so without the fear of being heavily penalized. In addition, ETH 2.0 nodes can easily cause traffic on the network by sending out unlimited messages for slashing.
The security research team Least Authority recommended the integration of a BAR-resilient gossip protocol that can fully prevent malicious interactions with Ethereum 2.0. As it stands, this tech is being analyzed by Protocol Labs.