Parity has worked closely with Trail of Bits since the start of the audit to ensure the proper implementation not only of the fixes to the code, but also of improvements to our coding and review practices.
The report and fixes
All findings from the report have been addressed. The full report is online and can be read here.
The Solidity parts of our code have also been fixed in full, and the code can be viewed in our new contracts GitHub repo. Parity Technologies is a core infrastructure company, and therefore many of our application-level Solidity components have been deprecated. We are focusing on writing and maintaining a minimum number of secure contracts, using them only where absolutely necessary. We haven’t deployed all the contract improvements to the main networks yet, as no live contracts were found to have exploitable vulnerabilities in them. As with all other improvements, it takes time and careful planning to deploy them to the live networks (involving, say, the governing authority set for our Kovan network), and we’re taking the time to properly test and incorporate the updates in the next releases of our Parity Ethereum client.
In the report, Trail of Bits noted that our Rust code is of very high quality. Over the last few months we made all of Trail of Bits’ recommended fixes to the Rust codebase, and we fully incorporated them in our most recent stable and beta releases. We’ve followed the recommendations by Trail of Bits to change the code where needed, and have also moved to more robust Rust cryptographic libraries that have been better audited.
Completing an audit is just one part of our focus on security. From our work with Ethereum to Polkadot and Substrate, security is a crucial step in building the infrastructure for a successful decentralised web. Every pull request and its reviews are made knowing the critical importance of secure code.
We now have very strict procedures on how we change smart contract code. To support the smart contract community in continuously improving best security practices, Kirill will explain our strict procedures in an upcoming post. Additionally, our Bug Bounty program is an important part of keeping our codebase secure, and we encourage smart contract and Rust specialists to learn more about the program and start digging into our code.