- All issues (29) reported in Quantstamp’s audit of Teku Eth2 client have been resolved
- Teku adheres to the Eth2 specification
- No issues related to users’ stakes being at risk
- Teku is an Eth2 client written in Java; it implements a full beacon chain node
- Eth2 aims to improve the scalability of the Ethereum blockchain network by partitioning it into shard chains
- The beacon chain is the first deliverable (phase 0) in Eth2’s roadmap
- Eth2 relies on a Proof-of-Stake mechanism
- The beacon chain scans, validates, collects votes, and pays out rewards to validator nodes that correctly attest blocks; offline validators have a penalty reward, whereas malicious ones lose a share of their stake if they propose invalid blocks.
- Check adherence of the Teku implementation against the beacon chain official specification
- Investigate if Teku is subject to denial-of-service attacks, i.e., attacks that could cause the network or the node to become inoperable
- Investigate if Teku could face data loss
- Investigate if private keys could be stolen or exposed in the given implementation, leading to potential impersonation and/or unauthorized data transfers
- Identify potential threats related to running a Teku node
- The source code of the Teku node
- The supporting utility library for handling public/private key and signatures (signers)
- The supporting network discoverability component, which dictates how to find other nodes within the network (discovery)
- The supporting peer-to-peer layer (jvm-libp2p)
- Code audit
- Quantstamp reported the audit code to be of high quality, being well-written and easy to follow
- Initially, 29 issues were reported; no issue was left unresolved
- After the fixes, no deviations from the Eth2 were further identified.
- Reading of the code of the components under scope, matching them against any given and applicable spec (e.g., Eth’s 2 - phase 0)
- Running automated tests
- Use of static analyzers to identify code smells
- The 29 issues identified by Quantstamp included 1 high severity issue, 8 medium severity issues, 8 low severity issues, and 11 informational issues, and 1 undetermined issue (damage cannot be assessed). For any issue in the high-medium-low range, the higher the severity of an issue, the higher the damage it could cause. Informational issues do not pose a security threat, but are worth pointing out to the team.
- After the issues in the report were presented and the Teku team worked on the fixes, all issues were either acknowledged (8) or fully resolved (21). No issue was left unresolved.
- Among the issues found (see full list in Fig. 1), Quantstamp described two cases of a denial-of-service attack, one resulting from an unbounded message queue (QSP-1, high severity) and another from a flaw in the beacon chain spec itself (QSP-3, medium severity). Deviations from the Eth2 beacon chain spec were also identified (e.g., QSP 7-9 and QSP-16), but all of them were later fixed as the audit progressed. Issues in the code that broke Java related idioms were also found (QSP-20, QSP-25, and QSP-27), but were found to be only informational. A case of a racing condition (QSP-29) was also identified, but Quantstamp could not assess its impact, leading to an undetermined issue (which was fixed nonetheless).
- Overall, Quantstamp did not find issues related to cases where users’ stake could be at risk; while the network and the node itself could be subject to a denial-of-service attacks, fixes were provided and the identified attack vectors have been mitigated.
Fig.1 A complete list of all the issues found in Teku’s audit report performed by Quantstamp