We would like to announce a Request for Proposals (RfP) for a security review of ethdo.
ethdo is a tool to carry out common operations on Eth2, including creating wallets and accounts, generating data for deposits, and sending exit transactions.
The github commit of the code for audit is b6bb1ba46b34e3732c2fc149333682647bb3c817, also marked with the tag v1.5.8.
As ethdo has a broad range of functionality, it is important to define the scope of the audit. The areas, specific functions and their place in or out of scope of the audit are provided below.
These functions cover wallet creation, import and export, display, etc. The specific functions are:
wallet accounts: IN SCOPE due to accessing files according to the EIP-2386 and EIP-2680 standardswallet create: IN SCOPE due to creating files according to the EIP-2386 and EIP-2680 standardswallet delete: IN SCOPE due to accessing files according to the EIP-2680 standardwallet export: IN SCOPE due to creating data that should be cryptographically secure and suitable for importwallet import: IN SCOPE due to importing data from wallet exportwallet info: IN SCOPE due to accessing files according to the EIP-2386 and EIP-2680 standardswallet list: IN SCOPE due to accessing files according to the EIP-2386 and EIP-2680 standardsThese functions cover account creation, import, display, etc. The specific functions are:
account create: IN SCOPE due to creating files according to the EIP-2335 and EIP-2680 standardsaccount import: IN SCOPE due to creating files according to the EIP-2335 and EIP-2680 standardsaccount info: IN SCOPE due to accessing files according to the EIP-2335 and EIP-2680 standardsaccount key: IN SCOPE due to displaying cryptographic dataaccount lock: OUT OF SCOPE due to being only being used with remote signersaccount unlock: OUT OF SCOPE only being used with remote signersThese functions cover creation and verification of signatures. The specific functions are:
signature aggregate: IN SCOPE due to carrying out cryptographic operationssignature sign: IN SCOPE due to carrying out cryptographic operationssignature verify: IN SCOPE due to carrying out cryptographic operationsThese functions cover creation, monitoring and operations for validators. The specific functions are:
validator depositdata: IN SCOPE due to carrying out cryptographic and hashing operations that are required to meet the Ethereum 2 phase 0 specificationvalidator exit: IN SCOPE due to carrying out cryptographic operations that are required to meet the Ethereum 2 phase 0 specificationvalidator info: OUT OF SCOPE due to being purely informational, non-critical, and likely to change with the standardised APIThese functions cover validation of deposit data. The specific functions are:
deposit verify: IN SCOPE due to carrying out verification of cryptographic and hashing operations that are required to meet the Ethereum 2 phase 0 specificationThese functions cover validation of exit operations. The specific functions are:
exit verify: IN SCOPE due to carrying out verification of cryptographic and hashing operations that are required to meet the Ethereum 2 phase 0 specificationThese functions cover fetching and displaying information from an active beacon node. Due to the lack of a standard API at time of writing, they only support the prysm beacon node. The specific functions are:
block info: OUT OF SCOPE due to being purely informational, non-critical, and likely to change with the standardised APIchain info: OUT OF SCOPE due to being purely informational, non-critical, and likely to change with the standardised APIchain status: OUT OF SCOPE due to being purely informational, non-critical, and likely to change with the standardised APInode status: OUT OF SCOPE due to being purely informational, non-critical, and likely to change with the standardised APIethdo allows multiple backend stores of encrypted information. These are as follows:
filesystem: IN SCOPE due to being a commonly-used method to access wallets and accounts.s3: OUT OF SCOPE due to being unused to access wallets and accounts by validator clients.remote: IN SCOPE due to being a commonly-used method to access wallets and accounts.Much of the work in ethdo, especially the cryptograhpic work, is carried out by other go modules. The following modules are IN SCOPE for the audit:
In addition to the above modules, many EIPs define standards that ethdo implements. Adherence to these standards where applicable is in scope:
It is expected that the audit will provide full coverage of the features mentioned above, however the following areas are highlighted as particular areas of concern or sensitivity.
All random number generation (HD seeds, ND private keys) is an obvious area to examine.
Creation of hierarchical deterministic accounts from a well-known seed should be checked against relevant test vectors.
All situations where keys are sensitive data (private keys, HD seeds) are encrypted should be considered.
The generation of deposit data is an important part of the Ethereum 2 deposit process. Adherence to the specification regarding generation of each individual component of the deposit is critical.
The entire process can be summarised as follows:
The proposed timeline of the engagement is approximately 1 month.
The engagement is broken up into the following stages: a vendor assessment, followed by a break for developer response and mitigation, followed by a review phase from the vendor.
The vendor will then summarize findings and publish the results to help the community understand the work that was done.
| Stage | Description |
|---|---|
| 1 | Vendor assessment period |
| 2 | Developer issue response |
| 3 | Vendor review issue response |
| 4 | Vendor summarises findings |
Members of the EF and ethdo contributors will be available at all times to answer questions and comments during the assessment period in order to make life as easy as possible for the vendor.
Deliverable will take the form of Github issues in the relevant Github repository for every security concern found.
As outlined above, the vendor will provide a report distilling the lessons learnt, and summarising the issues submitted.
Based on the timeline of this audit, the chosen vendor will be expected to submit 2 invoices:
The vendor will be given the option to be paid in Fiat money (via bank transfer) or ETH.
If the vendor chooses to be paid in ETH, the value of ETH described under the agreement will be the value in USD at NYSE closing time (4 PM EST) on the day prior to the due date (as described at https://www.coingecko.com).
The selected vendor will have significant expertise in the areas necessary to meet the needs and requirements set forth in this RfP. Particularly:
Experience with the Go programming language
High level familiarity with cryptographic signature schemes
Familiarity with cryptocurrency key management and wallets
The EF and ethdo maintainers have considerable expertise in these domains and is ready to support the vendor.
Upon reception of this request, interested vendors are expected to confirm receipt and intention to bid on the engagement.
In this confirmation, they should explain what they need from us in order to get started. As well as bring attention to areas in which they feel they do not have significant expertise. We will use this information to try to provide appropriate entrance material for the engagement.
Proposals must be submitted before September 7th, 12 PM EST. We expect to take 1 week to deliberate and respond.
Please send initial confirmations, and proposals (in PDF format) to the following address: rfp@ethereum.org
Feel free to send us any questions you may have: rfp@ethereum.org