Security Audit

Summary

Nimbus has undergone an extensive, multi-vendor (ConsenSys Diligence, NCC Group, and Trail of Bits) security assessment over a period of many months. During that process, we were notified of several issues within the codebase. These issues have been addressed and the overall security of the Nimbus-eth2 software has been drastically improved.

Additionally, as a result of the work done from our security vendors, we are now working to incorporate many new security processes and tooling to improve our ability to find security issues in the future.

For more information on the issues and how they were addressed, the interested reader should direct themselves to the scoped repositories; all reported issues and their mitigations are open to the public.

History

Back in May of last year (2020), Status and the Nimbus Team posted a Request for Proposal document regarding the security assessment of the nimbus-eth2 repository (formerly nim-beacon-chain) and its software dependencies.

After thoroughly vetting and weighing the submitted proposals, 3 security vendors were chosen to review the codebase for a timeline of approximately 3 months.

The kickoff announcement can be read here.

We separated the codebase into sub-topics with various tasks. These tasks were then broken up and assigned to the vendor(s) with the required expertise.

The desired deliverable outcome was GitHub issues in the repositories under review, which is a shift from the standard “assessment report” provided by most security assessments in the space. You can view the issues here.

To be very clear, we did not engage in this security assessment to get a stamp of approval from the security community. All of the effort put into creating this process and engaging the community was in the service of increasing the level of security and code quality of the Nimbus software.