[Exclusive] Former Ethereum Core Deve on EOS Security Issues
Updated: Jun 27, 2018
The other day, I had a chat with Gustav Simonsson on the pleasant Brooklyn riverside. As the developer who fixed many security bugs of Ethereum in the early days and participated the rescue fight during DAO crisis, Gustav has a lot to say about the recent EOS security issues.
Here is the exclusive interview and transcript. Enjoy!
GUSTAV: They didn't really have a security team. They didn't really have enough audits or enough public review before they launch it. It seems to me like they were developing up until the deadline they imposed on themselves. And then they're just trying to launch it. And then you find these critical bugs.
And the other thing is they're not defining the protocol in sort of a client agnostic way. There's no mathematical specification of the EOS protocol. They have a wiki page where to sort of describe how it works. But basically the EOS protocol is defined as whatever the C++ client does, which is kind of the same way that the Bitcoin protocol is defined.
If I have done [it], I would have at minimum two clients implementing the same protocol by two different teams. I would try to define a specification that both of these clients can follow. I would try to get, you know, much more academic review. You need to engage with not only security firms, not only open source developers, but also academics who are now studying this protocols for several years. You have to get diversity in the people who are reviewing the protocol and the clients. And you need to go through that.
BIANCA: So you weren't surprised they had problems?
GUSTAV: I was not surprised at all. I mean I haven't seen, I haven't heard about, any audits or any you know. They've paid out a few hundred thousand dollars to people who found bugs. So they did that right. But that was way too late. That's something you start with, you know, at minimum eight or twelve weeks before the launch.
You look at the top tech firms like Google, Facebook, and Amazon. They have this bug bounty programs, right? If you hack the backing server, you'd get something like 20 to 30 thousand dollars. And that kind of shows you how confident they are in their security.
The same thing should happen for every blockchain network that's live. The longer you’re live, the more money people should be able to give out to people who find critical bugs. I think in not too many years, we will see bug bounties where if you find a critical bug in a blockchain protocol or implement declines, then you will get one million dollars. I think that will happen in maybe as soon as five years.
BIANCA: And if the security is the weak point, why do you think people are so excited about it?
GUSTAV: I think very few people are aware of the security requirements, what you need to build new a blockchain. My generation of software engineers, we have been taught to move fast and break things. That doesn't work for building a blockchain. You can move really fast and you can break things while you're sort of in the prototype phase. You can use that approach to quickly develop the sort of the core client. But at some point, you need to take a lot of time to really lock down all the features, lock down the scope and work only on fixing security bugs. I think investors now are getting more and more educated about it. That's I think that's a good thing.
BIANCA: They are learning their lessons now.
GUSTAV: One good thing about the EOS launch is that it educates investors about the need for security, and how money is not enough. Money itself doesn't solve everything.