Open Ekleog-NEAR opened 8 months ago
Current status: Work on this is currently happening as a byproduct of #19 only: I need to understand the code in order to properly fuzz it. The work has not really started on this yet; I’m leaving it here for now so that it does not get lost in the long "ready to be prioritized" unordered column — it should probably move to the top of the "prioritized" column, but AFAICT this is supposed to be done by the stakeholders meeting.
Action item for @Ekleog-NEAR : approach this project as if we were engaging with an external auditor. Define what the focus will be on and what exactly will be audited.
This is currently blocked on https://github.com/near/near-one-project-tracking/issues/19.
I will take advantage of the work in progress there to get used to that part of the codebase. This should allow me to both define a better scope, as well as to be more efficient in my audit, hopefully missing fewer potential issues.
Goals
Background
We have recently undergone a complete overhaul of our network layer. As such, it has had less time to mature than the rest of nearcore. In addition, we have recently received a few (DoS) vulnerability reports against it, which led to bounties having to be paid.
Furthermore, because the network protocol was undergoing that complete overhaul at the time of the Hacken audit, it is the main part of our code that has not yet received an external audit.
Why should NEAR One work on this
We should improve our security posture, by auditing our code ourselves, rather than relying on our bug bounty program to point out our mistakes.
What needs to be accomplished
We need to audit our network protocol layer. Since auditing is a never-ending effort, we will timebox the audit to the point of diminishing returns, which will most likely be reached after 1-2 months.
Main use case
Security is the main use case.
Links to external documentations and discussions
None
Estimated effort
The security team, and in particular @Ekleog-NEAR, is expected to work on this project. The estimated effort is 1-2 person-months.
Assumptions
None
Pre-requisites
None
Out of scope
None
Task list