"Internet Computer Consensus: Security Assessment" by Trail of Bits (third-party security audit #2)

Summary

Trail of Bits (Trail of Bits | About), is a highly-rated cybersecurity research and consulting firm which has done security audits of dozens of blockchains. In November 2021, Trail of Bits and the DFIITY Foundation worked together to audit the design and implementation of Consensus. Please note: two high-severity issues were found and have fixed as detailed in the report (page 4).

This is the second time that a third party security audit of the IC has occurred. A previous one was posted on January 4, 2022.. The last time there was an audit, it covered every layer of the IC stack, while this audit was hyper focused on Consensus.

The outcome of this collaboration is detailed in the 28-page report below:

Security Assessment of IC Consensus: publications/DFINITYConsensus.pdf at master · trailofbits/publications · GitHub

As last time, we are very grateful and impressed with the work by Trail of Bits. We have been very impressed with their diligence.

Discussion leads

The person at DFINITY who was most involved and can best answer questions is @robin-kunzler of the DFINITY Crypto team.

Best way to read this report

  • For those with limited time, I recommend reading the Executive Summary (page 2- 3) or the color-coded Code Maturity Evaluation (page 5) which give the reader a high-level view of the issue.
  • For those interested in understanding the issues, the report shows the associated Rust code.

Areas of the code which were audited:

This audit focused on Consensus protocols of the IC.

Industry Background

16 Likes

Is there a list somewhere of other blockchains they have worked with and their record?… or is that privileged information?

2 Likes

This may have what you are looking for:

GitHub - trailofbits/publications: Publications from Trail of Bits (Scroll to security reviews)

4 Likes

:blush: thanks haha, I should have looked at link closer.

1 Like