near / near-one-project-tracking

A repository for tracking work items that NEAR One is working on.

[ProjectTracking] Audit our network protocol layer #23

Open Ekleog-NEAR opened 8 months ago

Ekleog-NEAR commented 8 months ago

Goals

Background

We have recently undergone a complete overhaul of our network layer. As such, it has withstood less passage of time than the rest of nearcore. In addition, we have recently received a few (DoS) vulnerability reports on it, which led to bounties having to be paid.

In addition, as the network protocol was undergoing a complete overhaul at the time of the Hacken audit, it is the main part of our code that currently has not received an external audit.

Why should NEAR One work on this

We should improve our security posture, by auditing our code ourselves, rather than relying on our bug bounty program to point out our mistakes.

What needs to be accomplished

We need to audit our network protocol layer. Considering auditing is a never-ending effort, we will timebox the audit to the point of diminishing returns, which will most likely be after 1-2 months.

Main use case

Security is the main use case.

Links to external documentations and discussions

None

Estimated effort

The security team, and in particular @Ekleog-NEAR, is expected to work on this project. The estimated time is 1-2 person-months.

Assumptions

None

Pre-requisites

None

Out of scope

None

Task list

Tasks

- [ ] Audit our network protocol layer

Ekleog-NEAR commented 7 months ago

Current status: Work on this is currently happening as a byproduct of #19 only: I need to understand the code in order to properly fuzz it. The work has not really started on this yet, I’m leaving it here for now in order for it to not get lost in the long "ready to be prioritized" unordered column — should probably move to the top of the "prioritized" column but AFAICT this is supposed to be done by the stakeholders meeting.

akhi3030 commented 7 months ago

Action item for @Ekleog-NEAR: approach this project as if we were engaging with an external auditor. Define what the focus will be on and what exactly will be audited.

Ekleog-NEAR commented 7 months ago

Status update

This is currently blocked on https://github.com/near/near-one-project-tracking/issues/19.

I will take advantage of the work in progress there to get used to that part of the codebase. This should allow me to both define a better scope, as well as to be more efficient in my audit, hopefully missing fewer potential issues.