As part of our commitment to create the most secure platform, we have conducted two independent external security audits. These have been held by recognized security audit teams: Trail of Bits, and Patrick McCorry and Andrew Miller. Each team was focused on auditing the areas of the code where we believe they could contribute most with their expertise.
Today we are making the final reports available to the public, summarizing the findings and actions RSK team has taken in response. Links to these reports can be found in sections below.
Also, we’d like to remind the community that our vulnerabilities bounty program has already started. The bounty program rewards researchers for reporting not yet identified platform vulnerabilities,
Find below complete security audit reports:
Trail of Bits
Scope of work: smart contract issues related to the virtual machine, virtual machine compatibility with other Ethereum VM implementations, correctness of the Trie data structure, and correctness of the precompiled contracts for the two-way peg.
Link to report: https://github.com/trailofbits/publications/blob/master/reviews/RSKj.pdf
Patrick McCorry and Andrew Miller
Scope of work: first version of the REMASC and Bridge native smart contracts.
Link to report: http://www0.cs.ucl.ac.uk/staff/P.McCorry/rskaudit_ginger_120717.pdf
What’s next
In RSK we believe in defense in depth: that’s why won’t stop at security audits, and we’ll keep thinking how to improve security and adding more security layers in the future.
We are undergoing a third external security audit of the current Bridge contract, while a fourth audit is already planned for the first quarter of 2018. Conducting periodic external security reviews is highly valuable for the development team and the community to continuously validate and improve RSK’s secure development procedures.
We thank security experts Josselin Feist, Evan Sultanik, Patrick McCorry and Andrew Miller for their professional work during the conducted audits.
