A Year of Research at OpenZeppelin

Originally published at: https://blog.openzeppelin.com/a-year-of-research-at-openzeppelin/

OpenZeppelin’s Research team

We’re a team of hackers, developers, cryptographers, mathematicians, engineers, physicists, cypherpunks, and blockchain enthusiasts. We’re distributed across the globe, and our main role at OpenZeppelin is to audit blockchain-related projects and carry out open-ended research.

Having a dedicated group of security experts and researchers forming the Research team allows us to make the most out of our audit engagements. Understanding the internal mechanics of the most prominent projects in the space is fundamental to nurturing our products with first-hand insights into the main pain points that developers may encounter. As an excellent side-effect, auditing opens up several avenues of research in innovative technologies.

You probably know our team best from our public audit reports, but today, we’re opening up the curtains to give you a sneak peek into other things we do at OpenZeppelin.

From scratch

Since its inception, OpenZeppelin has been known for its high-quality security audits in the Ethereum ecosystem. In fact, our world-famous Smart Contracts library was born out of all our learnings from the smart contract audits we did back in the first days. As an ever-growing and thriving startup, one year ago, we set out to add structure and formalize our security audits team – we dubbed it the Research team.

At the beginning, we deliberately prioritized our auditing work and shaping up the team and its processes before allocating time for research projects.

Later, in early 2019, we started paying more attention to our research initiatives, but we were still not entirely satisfied. In parallel, we had already been making great efforts to grow the team for a few months. That would enlarge our bandwidth, and as a side effect, it would probably give us the flexibility to do more research without compromising our auditing work.

The three research groups

Having doubled the team’s size, in May 2019, we brainstormed potential lines of research. We realized it was about time we started formally and explicitly allocating time for it. Three autonomous, self-organized research groups were born: 0-day Task Force, Auditing Tools, and Cryptography.

The 0-day Task Force was named recently. Our hackers had been hunting down critical bugs in live systems way before this group was even born. That’s how we found, in a joint effort with Coinbase, a critical vulnerability in Maker DAO’s governance system that could have halted over $100M if exploited. Later in the year, OpenZeppelin’s 0-day Task Force was in charge of finding and responsibly disclosing a severe vulnerability in Libra’s Move IR compiler.

Regarding the Auditing Tools group, it started out testing the available tools in the space to understand which ones would be more suitable for our audits. And well, we realized they were not quite there yet. A paradigmatic example is our widely-acclaimed post on how automated tools failed at detecting the critical vulnerability we had found in Maker DAO.

Our Cryptography research group has continuously expanded our team’s knowledge with the most relevant cryptography techniques used in decentralized protocols. Its insights have impacted many of our audits this year, allowing us to uncover severe vulnerabilities during our engagements.

But that’s not all! After nearly six months at these research initiatives, we are proud to share with the community a rundown of many other achievements. So here we go! 🚀

0-day Task Force

As we said, this group spends its research time hunting down vulnerabilities in blockchain-related live systems. Of course, we look up to Google’s renowned Google Project Zero. Some highlights:

Auditing Tools

  • Formal Verification of ERC20 implementations with VeriSol.
  • VeriMan: a prototype for a smart contract analysis tool (with an introductory post).
  • Researched available tools for smart contract analysis, which led us to understand that they can be useful for detecting low-hanging fruit, but by no means should they replace security auditors.
  • Coded Slither scripts and published a related post. In a joint cross-team effort, these scripts have now become OpenZeppelin’s ERC20 Online verifier, an online tool to easily check for compliance against the most popular token standard.
  • Pocketh: a swiss-knife tool for auditors with helpful scripts to ease the auditor’s job.
  • Internal talks to introduce program analysis tools and formal verification.

Cryptography

Published “The crypto in cryptocurrencies” series, which already has 4 technical articles on cryptography:

This group also delivered internal talks on cryptography-related topics, proposed fun cryptography challenges, and is now exploring implementations of promising techniques such as Zero Knowledge proofs.

And more

Our curiosity isn’t confined to these 3 groups—we have also, to different extents, researched:

Join us!

At OpenZeppelin, we all share an intellectual curiosity that drives us in our everyday job. It’s no surprise though, as Intellectual Curiosity is one of OpenZeppelin’s six core values. Our Research team has tripled in a year, and it’s healthier than ever. We’re not only willing to keep auditing the leading projects in the space but also to continue learning and exploring, always sharing our learnings with the entire community.

This has been just a snippet of all we have done, and we’re still hungry for more. And you know what? You can join us in this incredible endeavor, because we’re hiring!
