At the request of the Ethereum Foundation, the information security company Least Authority conducted an audit of the Ethereum 2.0 specifications and identified several potential vulnerabilities at once.
At Least Authority reported that developers need to address vulnerabilities in the network layer of peer-to-peer (P2P) interaction, as well as in the block supply system. At the same time, the auditor noted that the specifications are “very well thought out and competent”. However, at the moment there is no large ecosystem built on PoS and using sharding in the world, so it is impossible to accurately assess the prospects for stability of the system.
Also, information security experts stressed that the specifications do not pay enough attention to the description of the p2p network layer and the system of records about Ethereum nodes. Vulnerability risks are also observed in the block supply system and the messaging system between nodes.
Experts said that in PoS-based blockchains, the choice of a new block is simple and no one can predict who will get a new block. In PoS systems, it is the block supply system that decides whose block will end up in the blockchain, and this leads to the risk of data leakage. To solve the problem, the auditors suggested using the mechanism of “Selecting a single secret leader” (SSLE).
As for the peer-to-peer exchange system, there is a danger of spam. The system does not have a centralized node that evaluates the actions of other nodes, so a “malicious” node can spam the entire network with various messages without much punishment. The solution to this problem may be to use special protocols for exchanging messages between nodes.
Recall that in February, Ethereum co-founder Vitalik Buterin spoke about plans to deploy Ethereum 2.0 and explained that the main priority of development during this year remains the launch of phase 0.