Zcash Ecosystem Security Lead

Hi @earthrise!

The ZCG committee met and discussed your grant proposal. We’re very excited about the opportunity to have someone with your background working independently of the ZF and ECC and in partnership with the community to secure the Zcash ecosystem. Overall your proposal looks strong and you have strong support from the community, but we have not voted on it yet. There is some hesitancy within the committee for funding via a salary-like milestone approach vice funding with specific monthly milestones in mind due to not fully understanding if there is enough work in the ecosystem for a full year agreement. With this in mind, we have a couple of clarifying questions for you about your grant proposal.

  1. In your proposal you mention “The projects I choose to audit will be at my discretion (where I think review is most needed based on usage and risk), with input taken from the community and the grant committee”. You also mention in a forum response that the first 3 months would likely encompass ZecWallet-lite, Nighthawk, and the preliminary designs for ZSAs. Noting the current absence of comments from these projects on your proposal thread, we’re curious if you have had the opportunity to communicate with them privately to gauge their willingness to partner. Can you elaborate on other ideas you have for security audits/research/etc that could help persuade the committee that there is no shortage of security related work to be done?

  2. We do not want to approve grants that are too open-ended resulting in required salary-like payouts for less than the agreed-upon effort (i.e. paying out for 17 days of work when only 10 were necessary that month). We’re optimistic that you will find the projects and partnerships necessary to earn the full 17 days of payment each month. You suggested the outreach and auditing buckets may vary in a given month which is understandable. We also recognize that there may be months when the full 17 days of work isn’t needed or more than 17 days of work is performed. In that case we would look to adjust the milestone payouts within the total budget allocated to the grant as necessary. The new grants platform provides the ZF more flexibility in managing milestones, and the committee has been flexible with grant applicants in this manner in the past. We would like to make sure that you’re comfortable with this and are thinking about the milestone payouts as flexibly as we are.

  3. How would you prefer to collaborate with ZCG on ongoing efforts, embargoed audit reports, our thoughts about ecosystem audit needs, etc? Perhaps a monthly meeting that occurs before applying for the current month’s milestone payout to review the efforts from the current month and planned efforts for the next along with any other agenda items?

@ZcashGrants

7 Likes

You mean 17 days.

1 Like

Yes, Thank you :slight_smile:

1 Like

I think this should be the way to go about it. Harm reduction.

3 Likes

You also mention in a forum response that the first 3 months would likely encompass ZecWallet-lite, Nighthawk, and the preliminary designs for ZSAs. Noting the current absence of comments from these projects on your proposal thread, we’re curious if you have had the opportunity to communicate with them privately to gauge their willingness to partner. Can you elaborate on other ideas you have for security audits/research/etc that could help persuade the committee that there is no shortage of security related work to be done?

I haven’t reached out to those projects yet – I will do so now to get their feedback on the idea!

In terms of amount of work, I actually have the opposite concern, which is that 17 days might not be enough to support the entire ecosystem and we’ll have to expand this program in the future!

It’s pretty common for audits to always run out of time, having to exclude certain things from the scope for the sake of being able to finish within the timebox. It’s somewhat of an inside joke between auditors that all the reports say “security analysis of dependencies is out of scope and left for future work”, and then that future audit never happens :rofl:. So, even with a few projects, there’s an almost-never-ending supply of important audit work. I’ll take a look through some community projects and put together a more concrete picture of what this will look like.

This raises another question, which is whether we should include other security support work aside from audits and direct support for community projects. This would be stuff like:

  • Consensus rule compatibility review between Zcashd and Zebra.
  • Creating proof-of-concept attacks for the light client network privacy vulnerabilities.
  • Designing/developing production-quality infrastructure for running lightwalletd.
  • Setting up a contact email to assist projects with vulnerability disclosure triage and responses.
  • Security trainings for the community (e.g. a class on writing exploits so developers better understand what vulnerabilities are and how to think about them)

I’d be happy to include some of these items as well, however it’d quickly start to need more than 17 days/month, so I’d recommend prioritizing the outreach/audits (“find, fix, and prevent bugs”) and then using any slack time for these extra projects.

We also recognize that there may be months when the full 17 days of work isn’t needed or more than 17 days of work is performed. In that case we would look to adjust the milestone payouts within the total budget allocated to the grant as necessary. The new grants platform provides the ZF more flexibility in managing milestones, and the committee has been flexible with grant applicants in this manner in the past. We would like to make sure that you’re comfortable with this and are thinking about the milestone payouts as flexibly as we are.

Yep, that makes sense to me! I predict that I’ll be able to fill the time, but in case I don’t, then of course I won’t bill for it. I also might take a couple weeks off for a vacation here and there, and in that case the payout would be delayed until all the work is finished or reduced so that you’re always only paying in proportion to the work that was actually done.

How would you prefer to collaborate with ZCG on ongoing efforts, embargoed audit reports, our thoughts about ecosystem audit needs, etc? Perhaps a monthly meeting that occurs before applying for the current month’s milestone payout to review the efforts from the current month and planned efforts for the next along with any other agenda items?

That sounds great to me, a monthly call is probably the best format!

For embargoed audits—we might not want to disclose the fact that a report is being embargoed, because that will tip attackers off that there’s a severe vulnerability in the project under review. To mitigate that risk, we could either (a) keep the identity of the project under review secret until the review is complete, or (b) publish the audit report minus the critical vulnerability. I prefer (a), since (b) is a little bit dishonest to anyone using the audit report to make a decision whether or not it’s safe to use the project. Do you have any thoughts/preferences on this?

I’ll get back to you with some more specifics on what the audit/outreach effort will look like!

11 Likes

In order to justify how much work there is to be done to support Zcash ecosystem security, here’s a list of projects I’d consider to be in scope and would probably be worth prioritizing in the first year.

Note that I haven’t started digging into any of the code or spoken with the developers in order to work out a relative prioritization yet. Prioritization would be based on a number of factors I mentioned above such as project activity, apparent quality of the code, amount of users, overall risk, etc.

Unless otherwise stated, I’d say all of the following would benefit from the full 10-day audit.

Edit: I’ve later added some things suggested in replies.

Community Wallets

Wallets are on the front lines, and since they are responsible for storing users’ funds, they are what will expose the most users to the most risk, so they should be our highest security priority.

  • ZecWallet
  • ZecWallet-Lite
    • I’d especially like to review the advancements in syncing and other major differences between this wallet and ECC’s wallet code, as well as the future work to add Orchard support.
  • NightHawk
  • Unstoppable
  • Edge
  • Zephyr
    • I’m really excited about Zcash in the browser! Browser security models are “fun”!
  • Ywallet

Crypto-Heavy or Privacy-Related Stuff

I love crypto so these will be really fun to audit. :smiley:

Things Built on Zcash

My vision for Zcash is to become a platform for developers to build awesome things on. That way, we can reach into totally unexpected use cases beyond payments and wallets. Eventually one such project will turn out to be a hit, and we’ll want to make sure it’s secure.

  • Zbay
  • ZECpages (5-day audit is probably sufficient)
  • free2z (5-day audit is probably sufficient)
  • …and lots more to come, I hope!

Supporting Infrastructure

  • lightwalletd hosting and maintenance
    • Here it would be useful pen-test the actual running infrastructure and suggest design improvements like more-private logging, using sentry nodes to protect the main zcashd node, and ephemeral instances to reduce the blast radius of attacks intending to compromise users’ privacy.

I’m probably missing a lot! @ me if you’d like to see your project added to this list. I also had the opportunity to skim through the grant application list and there are a bunch of cool ones I hope will be funded in the future, like shielded multisig once FROST is available.

13 Likes

I’d actually skipped over the above statement and went straight to the list of projects and thought “wallets - 2weeks each”.

Not my day job but had one (an audit) done the other month. Just wanted to add an outside opinion that those figures checkout (roughly) for all the projects listed.


Note: There’s a solid 7+ months of work as it’s listed. As previously stated it’s all about scope in this line of work. I haven’t looked at how big the codebase are but you could honestly spend a month looking at code and still pick meaningful things up. So personally I wouldn’t worry too much about lack of work. It’ll just be that the lucky teams that are around now will get more focus which is definetly never a bad thing for critical infrastructure like wallets.


@earthrise based in all the knowledge gained from app/wallet audits I wonder if it’s worth doing another round of zcashd/zebrad RPCs from the outside and making recommendations. (Full understanding existing RPCs can’t be changed). I guess that’ll become more obvious over time.

3 Likes

Is there place in your wallet list for Ywallet?

8 Likes

Yep, Ywallet is on the list now!

10 Likes

We’re actually trying to change this! In zcashd 5.0.0 we introduced a deprecation framework, to provide an explicit process and timeline for making changes. We’re still going to be careful about the changes we do make, as before, but the idea is we have something more tangible than a “this is deprecated” note in the RPC’s help text.

2 Likes

That’s a great idea! It’d be interesting to do a “secure usability” survey of the ways the RPCs are being used by community projects, asking “what common problems could be avoided by making changes to the RPCs?”

1 Like

That’s great news!

Sounds like a good name for it :relaxed:.


That also makes me wonder if ZCG should fund a RPC fuzzy tester. Maybe we’ll get lucky and find a team has already written one? As an example I wouldn’t be surprised if some apps aren’t fully testing against RPCs that rarely (but can) return an empty lists. Something @earthrise can advise the community on as they (hopefully) begin work :slightly_smiling_face:.

Hi everyone,

We had a great conversation with @earthrise on Friday about his grant proposal. We discussed Taylor’s background, motivations for this grant, and his vision for success for this grant and the Zcash ecosystem. We also discussed some expectations the ZCG committee has and clarified a few points of concern.

Our outline of expectations include:

  • Monthly milestone payments will be adjusted based on work completed in a given month, not to exceed the overall approved grant funding cap.
  • The applicant will participate in a monthly call with the ZCG committee before billing the current month’s work to discuss the following:
    • Proof of work to be billed for the current month.
    • Work planned for the next month
    • Prioritization of future work with input accepted from the ZCG and broader Zcash community.
    • Relationship building accomplished within the community.
  • The applicant is required to work with ecosystem developers and partners via their preferred communication channels.
  • The applicant is required to follow responsible bug disclosure best practices, and when available, adhere to the disclosure policies and channels of the organization in which they are supporting.
  • All testing software, hardware, and other expenses related to the work performed under this grant are the responsibility of the grant applicant.

We are less concerned about there being enough work to fulfill the full year of support Taylor is proposing. We think Taylor has a lot of great ideas and is on the right path in terms of prioritization of the efforts he envisions pursuing. In addition to performing audits, Taylor also wants to provide ad-hoc security guidance to developers in our ecosystem which can be achieved through the building of relationships with the ecosystem of developers. These kinds of relationships could help projects get ahead of security issues before they occur rather than waiting for an audit finding to come knocking. We like this proactive approach.

While we are deliberating internally and getting our newest ZCG member @dontpanicburns up to speed on the grant we want to hear more from developers in this ecosystem - Are you open to building a relationship with Taylor, interested in seeking his guidance for security related topics, and open to leveraging his expertise for security audits and other purposes?

@adityapk00 @NighthawkApps @hanh @skyl @birdify @zancas @little.slingshot @pitmutt (The forum will only let me tag 10 people total)

:smiley:

14 Likes

Also note that I’ve pushed the deadline for the first milestone back one month to the end of September. This will leave time for ZCON, DEF CON, and hand-off of my current responsibilities.

8 Likes

I think (? @zancas @AloeareV ?) I speak for everyone at Zingolabs, when I say we would be very open to working with @earthrise !

6 Likes

We are definitely open to working with @earthrise. Having this type of resource available for the ecosystem will add tremendous value.

I also think this model could be replicated for other consulting-type services the ecosystem could use, like legal reviews (Terms of Use, licensing, etc).

5 Likes

I would add design and documentation for this. Even maybe i18n/l10n if Zcash gets more adoption.

2 Likes

Having design services for the ecosystem, especially if it can keep the theme of CypherPunk Zero going, would be quite interesting.

2 Likes

Absolutely! I’m formulating a question or two right now that I’m going to ask in private to get the ball rolling.

4 Likes

Hello @earthrise & Zcash Community, I am happy to announce that at the recent @ZcashGrants meeting earlier this week, the committee has unanimously voted to approve this grant!

13 Likes