You've successfully subscribed to CasperLabs Blog
Great! Next, complete checkout for full access to CasperLabs Blog
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info is updated.
Billing info update failed.

Trail of Bits has Completed an Audit of the Casper Highway Protocol

An overview of the December 2020 audit of Casper’s Highway Protocol completed by Trail of Bits.

Medha Parlikar
Medha Parlikar

Published today, Trail of Bits has completed an audit of the Casper network Highway Protocol. The Trail of Bits audit “did not produce high severity results and showed proper use of security hygiene.”

View the Audit

Engagement Scope

The Trail of Bits audit was completed between November 16th and December 1st, and encompassed an assessment of CasperLabs’ Highway consensus protocol. The audit sought to answer critical questions, including:

  • Will misbehaving validators be punished?
  • Is the system prone to a resource exhaustion attack?
  • Are units appropriately validated before being appended to state?
  • Can an attacker game the system such that they are selected as the next leader?
  • Is LNC validation appropriately implemented? Is the buffer mechanism for LNC validators appropriate?*

*LNC is “Limited Naivety Criterion.” Learn more in the Casper Highway Protocol paper.

Engagement Findings

The security audit yielded three findings, 1 of “informational severity” and 2 of “low severity.”

  • LNC validation not implemented (informational severity)
  • Peers are not punished for sending invalid vertices (low severity)
  • Insufficient rate limiting mechanism (low severity)

In addition, the Trail of Bits team offered recommendations to improve the clarity and detail of portions of the Highway Protocol documentation itself.

CasperLabs’ Fix Log

CasperLabs received and reviewed the Trail of Bits audit, and made changes to the three findings.

  • LNC validation not implemented. Fixed.
  • Peers are not punished for sending invalid vertices. Partially Fixed. The risk associated with this issue is noted as very low in practice.
  • Insufficient rate limiting mechanism. Partially Fixed. The risk associated with this issue is noted as very low in practice.

The CasperLabs team also adjusted the relevant portions in the protocol paper pointed out by the Trail of Bits security audit as needing improvement.

CasperLabs thanks the Trail of Bits team for the engagement and audit.

View the Audit

Join Telegram and stay up to date with CasperLabs announcements and the Casper mainnet launch + token sale.

Medha Parlikar

CTO & Co-founder. I organize stuff

Stay in touch