Authored by Colin Schwarz
Lodestar Initial Audit Passes with Flying Colours
ChainSafe is excited to announce that Lodestar has recently passed an audit of several critical components of our tooling libraries.
Lodestar is ChainSafe's Eth2.0 client being built in Typescript. Lodestar provides highly accessible tooling libraries that benefit the entire Eth2.0 ecosystem. All of our libraries are written in idiomatic Typescript, making them accessible to a broad swath of developers.
This initial audit was performed on the following repositories:
@chainsafe/persistent-merkle-tree - binary merkle tree as a persistent-data-structure
@chainsafe/bls-hd-key - BLS key derivation (EIP-2333 & EIP-2334)
@chainsafe/bls-keygen - high-level interface for BLS key derivation
@chainsafe/bls-keystore — BLS key storage (EIP-2335)
@chainsafe/lodestar-types — typescript and SSZ typings for Eth2 consensus objects
@chainsafe/lodestar-utils - misc. functionality used throughout lodestar
@chainsafe/lodestar-config - Eth2 network configuration (parameters & types)
The audit will enable the Ethereum community to use these tools with more confidence, which will be invaluable as we continue to push forward the production of Eth2.0. The functionality of the audited BLS libraries allow for the creation of new validator keys and the ability to store them to disk. The persistent-merkle-tree library is used in our SSZ implementation and important for Eth2.0 proof generation and our on-going work on light clients.
After the initial audit was received, the Lodestar team went back to the code and fixed the minor bugs and vulnerabilities reported by Least Authority. The updated code then underwent a final audit which passed with flying colours.
The general comments of the audit state:
We found the packages that were reviewed for this audit to be of exceptional quality. The codebase is logically structured, easy to trace, and comprehensible. This made it a pleasure to evaluate the software for security issues. We also found test coverage to be fair - covering most of the critical code paths. While we did not identify any critical vulnerabilities in the packages we reviewed, we did identify one issue in an upstream dependency that needs attention as well as a few miscellaneous suggestions worth noting.
A copy of the complete and final audit report can be found here.
The next step for Lodestar will be to complete the upgrade of our codebase to the 0.11.0 spec, which is the last major step before we can join a public testnet. Once this step is completed and the code in our mono repo stabilizes, we plan to obtain a follow up audit on the Lodestar mono repo and the remaining libraries.