security page additions

This commit is contained in:
chase-45 2023-01-27 10:37:16 -05:00
parent d878b8b522
commit e3702ae0e9
1 changed files with 59 additions and 5 deletions

@ -35,22 +35,60 @@ Core assumptions aside, there are many other factors which impact the real-world
</br>
## Audits & Bug Bounties
## Audits
Wormhole has been heavily audited, with **16 third-party audits completed** and a total of **26 started**. Additionally it has two bug bounty programs available - one self-hosted program, and one through [Immunifi](https://immunefi.com/).
Wormhole has been heavily audited, with **16 third-party audits completed** and a total of **25+ started**.
Wormhole has had audits performed by the following firms, and continues to seek more:
- Trail of Bits
- Neodyme
- Kudelski
- OtterSec
- Certik
- Hacken
- Zellic
- Coinspect
- Halborn
The most up-to-date list of audits, as well as the final reports can be found [here](https://github.com/wormhole-foundation/wormhole/blob/main/SECURITY.md#3rd-party-security-audits)
</br>
## Bug Bounties
Wormhole has one of the largest bug bounty programs in all of software development, and has repeatedly shown commitment to engaging with the white hat community.
Wormhole hosts two bug bounty programs:
- An [Immunifi](https://immunefi.com/) program,
- As well as a [self-hosted program](https://wormhole.com/bounty/)
Both platforms have a top payout of **2.5 million dollars**.
If you are interested in helping contribute to Wormhole security, please look at this section for [Getting started as a White Hat](https://github.com/wormhole-foundation/wormhole/blob/main/SECURITY.md#white-hat-hacking), and be sure to follow the [Wormhole Contributor Guidelines](https://github.com/wormhole-foundation/wormhole/blob/main/CONTRIBUTING.md).
For more information about submitting to the bug bounty programs, look [here](https://wormhole.com/bounty/)
More information about the bug bounty programs, as well as the most up-to-date list of audit reports is available [here](https://github.com/wormhole-foundation/wormhole/blob/main/SECURITY.md)
</br>
## Guardian Network
Wormhole is an evolving platform. While the Guardian set currently comprises 19 validators, this is mostly a limitation of current blockchain technology. The aim of Wormhole is that the security of the Guardian Network will expand overtime, and that **eventually Guardian signatures will be replaced entirely by state proofs**. [More info in this previous section](./5_guardianNetwork.md).
Wormhole is an evolving platform. While the Guardian set currently comprises 19 validators, this is mostly a limitation of current blockchain technology. The aim of Wormhole is that the the Guardian Network will expand overtime, and that **eventually Guardian signatures will be replaced entirely by state proofs**. [More info in this previous section](./5_guardianNetwork.md).
</br>
## Governance
Since the launch of Wormhole v2, all Wormhole governance actions and contract upgrades have been managed via Wormhole's **on-chain governance system**. Guardians manually vote on governance proposals which originate inside the Guardian Network and are then submitted to ecosystem contracts. This means that **contract upgrades are held to the same security standard** as the rest of the system.
Since the launch of Wormhole v2, all Wormhole governance actions and contract upgrades have been managed via Wormhole's **on-chain governance system**.
Guardians manually vote on governance proposals which originate inside the Guardian Network and are then submitted to ecosystem contracts. This means that **governance actions are held to the same security standard** as the rest of the system. A 2/3 supermajority of the Guardians are required to pass any Governance action.
Via governance, the Guardians are able to:
- Change the current Guardian set
- Expand the Guardian set
- Upgrade ecosystem contract implementations
The Governance system is fully open source in the core repository. Here are some relevant contracts:
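Review bot: in the Governance paragraph, "A 2/3 supermajority of the Guardians are required to pass any Governance action" should read "is required", and the threshold would be clearer as a concrete count: with the 19-validator set stated in the Guardian Network paragraph of this same hunk, 2/3 rounds up to 13 of 19 Guardian signatures. The bullet list under "Via governance, the Guardians are able to:" also overlaps with itself, since "Expand the Guardian set" is one case of "Change the current Guardian set"; either fold them together or say what each one means (rotating members or keys versus adding members). Smaller fixes in the same hunk: the Guardian Network paragraph has a doubled "the the" and "overtime" should be "over time"; "Immunifi" should be "Immunefi" to match the linked domain immunefi.com; the audit count is loosened from "26 started" to "25+ started", so whichever figure is current should be reconciled with the linked SECURITY.md; and "one of the largest bug bounty programs in all of software development" is an unverifiable superlative that the stated 2.5 million dollar top payout already makes unnecessary.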
@ -59,6 +97,22 @@ The Governance system is fully open source in the core repository. Here are some
</br>
## Monitoring
A key element of Wormhole's defense-in-depth strategy is that each Guardian is a highly-competent validator company with their own in-house processes for running, monitoring, and securing blockchain operations. This heterogenous approach to monitoring increases the likelihood that fraudulent activity is detected and reduces the number of single failure points in the system.
Guardians are not just running Wormhole validators, they're running validators for **every blockchain inside of Wormhole as well**, which allows them to perform monitoring **holistically across decentralized computing**, rather than just at a few single points.
Guardians Monitor:
- Block Production & Consensus of each blockchain. If a blockchain's consensus is violated it disconnects from the network until the Guardians resolve the issue.
- Smart Contract level data. Via processes like the Governor, Guardians constantly monitor the circulating supply and token movements across all supported blockchains
- Guardian Level activity. The Guardian Network functions as an autonomous decentralized computing network, complete with its own blockchain (Wormchain).
</br>
## Wormchain & Asset Layer Protections
One of the most powerful aspects of the Wormhole ecosystem is that Guardians effectively have **the entire state DeFi available to them**.
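Review bot: in the Monitoring list, "If a blockchain's consensus is violated it disconnects from the network until the Guardians resolve the issue" leaves the subject ambiguous, and a reader could take it as the chain disconnecting itself; state who disconnects whom, for example "the Guardians stop observing that chain until the issue is resolved". The second bullet refers to "the Governor" without defining or linking it, so a reader of this page alone cannot tell what process is meant. Also "heterogenous" should be "heterogeneous", "Guardians Monitor:" should be "Guardians monitor:", and the Wormchain paragraph is missing a word: "the entire state of DeFi".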