ethereum / ethereum-org-website

Ethereum.org is a primary online resource for the Ethereum community.
https://ethereum.org/
MIT License

Kiln StaaS Audit Update #7628

Closed GregoireSkillZ closed 1 year ago

GregoireSkillZ commented 2 years ago

Hi, I'd like to suggest an update for Kiln - Staking as a Service provider information.

Since I submitted the original proposal, Kiln has successfully passed a SOC 2 (Type 1) audit. You can find our audit reports here

Can you please update the Kiln card to show we're now audited? Thank you very much.

I'm available at gregoire@kiln.fi if you have any questions.

Best,

GregoireSkillZ commented 2 years ago

Hi, I was wondering if you've been able to review the above update.

As a reminder, items to be updated are:

@wackerow please let me know if you have any questions about updating the Kiln card.

Thanks!

minimalsm commented 2 years ago

Hey @GregoireSkillZ, sorry for the delay here.

Audit

Added in #7939 :-) Thanks for the update.

To ensure the link to the audit stays live (Google drive links are notorious for breaking), is this hosted elsewhere (e.g. on kiln.fi)?

Client diversity

We support multi-client with Teku, Prysm, Lighthouse and Nimbus

Were you looking to change Kiln's client diversity score? Apologies if it wasn't clear from the website, but client diversity is about the distribution of the consensus layer clients in use (not which CL clients are available). Rated.network shows Kiln has 89.4% Prysm usage.

From our website: "Service should not run more than 50% of their aggregate validators with a majority validator client".

Self custody

I'll leave this to @wackerow as I'm not 100% clear on the nuance here.

wackerow commented 2 years ago

Thanks @minimalsm for putting up that PR, just approved it.

For the self custody tag,

we don't custody any funds for staking and are compatible with any custody solutions, including self-hosted

@GregoireSkillZ Help me understand here again in the context of the self custody criteria:

User maintains custody of any validator credentials, including signing and withdrawal keys

Are those using the service in possession or have full access to the keys, both validator signing keys and withdrawal keys (or mnemonic seed)?

GregoireSkillZ commented 2 years ago

Hi Joshua and Paul,

Thanks a lot! No worries about the delay at all. Happy Merge to you :)

We've uploaded our audit reports on the Vanta platform. They can be downloaded from security.kiln.fi.

Regarding client diversity, it seems Rated doesn't forward the right information, but anyway we're still >50% on Prysm for now, so let's keep it as it is. And also regarding custody, you're right: we still hold the validation keys, so we don't hold to the non-custodial definition here.

So only the audit is to be updated for now :)

Thank you very much,


github-actions[bot] commented 1 year ago

This issue is stale because it has been open 45 days with no activity.

wackerow commented 1 year ago

@GregoireSkillZ Thanks so much for clarifying here. Appreciate you bearing with us...

We can update this, but would also like to clarify:

We have a link on hand here which points to a Google hosted file. The link above seems to require requesting access? Is there a link available that would not require requesting access or logging in with Google?

In either case, this would mostly be a back-end update that would not change anything on the front-end, since Kiln was already listed as having had a security audit:

[screenshot of the Kiln card]

I will put up a PR to add this security.kiln.fi link to the array of audits. Like I mentioned, this won't result in any changes on the front-end yet, but in the future I'd like to find a way to present this information a little better for users, so worth holding onto.

GregoireSkillZ commented 6 months ago

Hey @wackerow, I wanted to share an update about Kiln for Ethereum.org. You can find the information below:

Kiln update

- Open source: Orange tick? Even though we open-source a part of our stack, such as monitoring, we still don’t fit the 100% open-source/forkable criteria.

Examples of open-sourced internal tools: https://github.com/kilnfi/eth-validator-watcher https://github.com/kilnfi/eth2-keystore-converter

We contribute to the ecosystem by doing analysis at scale and engaging with developers, for example with our work on Web3signer at scale with Consensys, which resulted in threading improvements on their stack: https://www.notion.so/kilnfi/Learnings-from-running-Web3signer-at-Scale-with-Web3signer-f52dedf706654536acb6aa074cbe234e

We also post our internal research to the ecosystem: https://ethresear.ch/t/empirical-analysis-of-the-impact-of-block-delays-on-the-consensus-layer/17888

- Audited: No update. Note that we added multiple new audits on [security.kiln.fi](http://security.kiln.fi/). Also, as per your question above, they're now available outside of Google Drive. Btw, I'm curious to know if you found a way to display this in the UI :)

- Bug Bounty: We added a bug bounty of up to $1M on Immunefi: https://immunefi.com/bounty/kiln/

- Battle-tested: No update. Update on AUM to 4.2% of staked ETH, 42k validators, 0 slashing.

- Permissionless: Update → Yes [Kiln dApp](https://stake.kiln.fi/dedicated/stake?w=0x367196A18B7a8c48ff1f13461bC7C5c3a1a2A311) and Kiln Ledger Live app do not require special permission, account sign-up, or KYC to participate in the service.

- Execution diversity: Update → Yes 50.1/49.9 Nethermind/Geth https://supermajority.info/

- Consensus diversity: Update → Yes Balanced 33%/33%/33% with Prysm, Teku & Lighthouse - [see docs](https://docs.kiln.fi/v1/validators/protocols/ethereum-eth)

- Self-Custody: No update. Can you confirm that other NOs provide validation keys to their customers and provide more information on how they do that? We're not doing it at Kiln to prevent slashing risks or other misconfigurations on the customer's end.

Please let me know if you need any further information about the update.

wackerow commented 6 months ago

Thanks @GregoireSkillZ! Will review this shortly, try to get the info you asked about, and put up a patch.

wackerow commented 6 months ago

@GregoireSkillZ I know some providers guide users through the key generation step and only the signing keys are forwarded to the provider; I of course see the trade-off there with potential slashing risk. The following are listed on ethereum.org as having self custody properties if you'd like to investigate any of them further.