[Grant Update] Zcash Ecosystem Security Lead

Hi Zcash community!

At the end of March, our team at Least Authority was selected for the role of Zcash Ecosystem Security Lead (more about that RFP).

Starting in April, as part of our role, we are doing the following:

  • Security Audits of Specifications and Codebases, along with published results;
  • Short Consultation Sessions, on security topics, as needed, such as incident response investigation and remediation, management of data privacy in systems and threat modeling; and
  • Community Engagement, including open office hours.

As noted, we’ll be coordinating our priorities with the ZCG Committee and posting monthly updates about our work here in this thread.

We’d appreciate any feedback, especially about how you’d like us to engage with the community and provide the most effective value in our role.

You can contact us here on the forums, if you have any questions, requests or suggestions!
(You can also contact us at: consulting@leastauthority.com and we are able to chat via Signal, if that is your preference.)

The Least Authority team

17 Likes

April Report:

In April, we have been focused on getting organized with our new role and integrating ourselves into the ecosystem, along with helping out 2 teams with their management of reported vulnerabilities.

Security Audits:

  • We met with QEDIT and discussed reviewing the specifications (ZIPs) for the ZSA work they are doing. This will be scheduled to be completed asap.

Consultations:

  • We completed a review of the vulnerability management of Zingo and provided a report to the team.
  • We completed a review of the vulnerability management of Ywallet and provided a report to the team.

Community engagement:

  • We kicked things off with the ZCG.
  • We’ve started to chat directly with a few projects in the Zcash ecosystem.
  • We introduced ourselves on the forum.
  • Supported Ryan’s organizing the Berlin meetup for ZconV at the Least Authority office. (We’ll also be sponsoring the space, along with some food and drinks.)

Please let us know if you have any questions!

8 Likes

May 2024 Report:

In May, we are continuing to get more involved with the community and ecosystem.

Security Audits:

  • We started to review the specifications (ZIPs) for the ZSA work for QEDIT. However, we were not able to schedule a kick-off with QEDIT and this work was then paused to allow our team to focus on an urgent review. This review will be rescheduled to be completed asap.
  • We started to review the Go Zcash Address parser. This review will be completed and the initial report submitted by June 5th.

Consultations:

  • We did not complete any short consultation sessions in May.

Community engagement:

  • We are continuing to chat directly with a few projects in the Zcash ecosystem about their needs, along with the ZCG.
  • Supported Ryan’s Berlin meetup for ZconV at the Least Authority office. (We sponsored the space, along with some food and drinks.)

Please let us know if you have any questions! We have some availability for short consultation sessions, if you have any needs in the ecosystem - please reach out.

7 Likes

Now for our June monthly report:

Security Audits:

  • We completed our initial review of the Zcash Address Go Parsing Library, which was started in May, and submitted our Initial Audit Report, as planned.
  • The findings in the report were sufficiently addressed, so we completed the verification review and submitted our Final Audit Report for the Zcash Address Go Parsing Library.

Consultations:

  • We did not complete any short consultation sessions in June.

Community engagement:

  • We are continuing to work directly with the projects in the Zcash ecosystem about their security auditing and other support needs, along with the ZCG.
  • We have some availability for short consultation sessions, if you have any needs in the ecosystem - please reach out.

Let me know if you have any comments or questions!

4 Likes

Now for our July monthly report:

Security Audits:

  • We only did outreach and planning for future security audits this month.

Consultations:

  • We did not complete any short consultation sessions in July.
  • However, we did start to work on an audit preparation guide.

Community engagement:

  • We are continuing to work directly with the projects in the Zcash ecosystem about their security auditing and other support needs, along with the ZCG.

As usual, if you have any security needs in the ecosystem - please reach out!

2 Likes

Hi @Liz315, I’m working on a private p2p e2e messaging system (inspired by messaging that is needed for FROST DKG and signing). I’d love some more eyes to look at the design and the code. I’ll post some updates soon describing it and publishing access to the prototype.

Also, I don’t know if it’s in scope for you all but it’s always nice if someone wants to go through the free2z codebase and make recommendations.

1 Like

Hi @skyl your project sounds interesting!

Please let us know when you have an update and we can assist with assessing if a review of your project is in-scope for our role.

2 Likes

Our August monthly report:

Security Audits:

  • We started an audit of the Zebra updates for NU6.
  • We are planning additional audits for September, along with the ZCG.

Consultations:

  • We did not complete any short consultation sessions in August.
  • However, we did continue to work on an audit preparation guide.

Community engagement:

  • We continued our communications with the projects in the ecosystem.

If you have any security needs, please reach out!

1 Like

Hi Liz, would it be possible to look over the Zcash portion of this DEX code?

Main Repo

The Decred Decentralized Exchange (DEX), powered by atomic-swaps

ZEC portion

Thank you!

Thanks for bringing this up, Dismad

2 Likes

Hi @dismad we’ll take a quick look and get back to you asap!

2 Likes

Our September monthly report:

Security Audits:

  • We completed our audit of the Zebra NU6 updates (started in August).
  • We started and completed an audit of zcashd.
  • We started two more audits: the DCRDEX Zcash integration and the Lightwalletd infrastructure, both of which should be completed in October.
  • We are planning additional audits for October and November, along with the ZCG.

Consultations:

  • We did not complete any short consultation sessions in September.

Community engagement:

  • We continued our communications with the projects in the ecosystem.

As usual, if you have any security needs, please reach out!

12 Likes

Our October monthly report:

Security Audits:

  • We completed two audits: the DCRDEX Zcash integration and the Lightwalletd infrastructure reviews, both of which we started in September.
  • We started one audit: the OrchardZSA Protocol review, which will continue through November and should be completed in December.

Consultations:

  • We did not complete any short consultation sessions in October.

Community engagement:

  • We continued our communications with the projects in the ecosystem, including coordination with the ZCG about potential new projects.

As usual, if you have any security needs, please reach out!

6 Likes

We have published the audit report for the Zcashd NU6 updates:

7 Likes

We have published the audit report for the Zebra NU6 updates:

8 Likes

This is our November monthly report:

Security Audits:

  • We delivered and published two final audit reports for the reviews of both the Zcashd and Zebra NU6 Updates.
  • We are continuing one audit (with two parts): the OrchardZSA Protocol review, which started in October and will be completed in December.

Consultations:

  • We did not complete any short consultation sessions in November.

Community engagement:

  • We continued our communications with the projects in the ecosystem, including coordination with the ZCG about a few potential new projects and priorities.

If you have any security needs, especially for Q1 2025, please reach out asap!

6 Likes