Review & Audit Procedures

Introduction

This document provides a guide for Ethereum node operators on the best practices for conducting IT security-related reviews and audits. It aims to ensure the security, efficiency, and compliance of the node operations within the Ethereum network.

See as well the NIST Technical guidance to Information Security Testing and Assessment : https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf

1. Internal Reviews vs External Audits

Internal Reviews:

  • Purpose: To conduct self-assessments of the node's operation and management

  • Process: Conducted by the node's operating team using internal checklists and monitoring tools

  • Benefits: Quick identification and rectification of operational issues and continuous improvement at a low cost

External Audits:

  • Purpose: To provide an independent assessment of the node's operation and compliance

  • Process: Conducted by third-party experts or audit firms specializing in blockchain technology and IT security

  • Benefits: Provides credibility, helps in identifying blind spots in internal reviews, and ensures compliance with industry standards

2. Types of Audits to be Conducted

Infrastructure Audits:

  • Purpose: To identify vulnerabilities, ensure alignment with best practices, and ensure that the node is secure from internal and external threats

  • Key Areas: Examples are network access points security, patching, set-up of the failover system, back-up, access management, slashing protection, key management and data encryption

Smart Contract Security Audits:

  • Purpose: To identify vulnerabilities in the smart contracts developed by the node operator

  • Key Areas: Examples are Smart Contract security audit or deployment audit

Compliance Audits:

  • Purpose: To verify adherence to regulatory requirements and Ethereum network standards

  • Key Areas: Validate node's alignment with Ethereum's protocol updates and adherence to legal regulations concerning cryptocurrency operations (e.g. OFAC MEV compliance and KYC compliance)

Performance Audits:

  • Purpose: To assess the efficiency and stability of the node

  • Key Areas: Block propagation time, transaction processing speed, uptime metrics, and resource utilization (such as CPU and memory usage)

3. When to Perform Audits

Regularly-Scheduled Audits:

  • Frequency: Conducting audits regularly ensures consistent security. Regular audits are required as security standards change over time and new vulnerabilities and attack vectors are published.

  • Scope: These audits should encompass all types of audits mentioned under section 2.

Event-Triggered Audits:

  • Triggers: Perform audits in response to specific events such as network upgrades (hard forks), security breaches, updates of the smart contract, compliance events, performance issues, or major infrastructure updates.

  • Focus: These audits should primarily assess the impact of the event on your node's operation and security.

4. General Suggestions for Internal Audit

Responsible Person:

  • Assign a dedicated team or individual responsible for conducting and overseeing the audit process.

  • This role includes planning, executing, and following up on audit findings.

Well-defined Checklist:

  • Internal Audit Checklist: Develop a comprehensive list covering all aspects of node operation, including security, performance, and compliance. This checklist should be regularly updated to reflect changes in technology and regulations. This checklist should be created with input from the internal team and, if possible, checklists from external sources.

  • External Audit Checklist: For external audits, prepare a list that includes areas for external verification.

Documentation Approach:

  • Establish a systematic approach for documenting the audit process.

  • This should include the responsible person, types and dates of audits having been conducted, audit reports, methods used conducting the audit, scope of the audit and audit vendor.

Documentation of Results:

  • Create a structured format for reporting audit results.

  • This should include detailed findings, recommendations, and any corrective actions taken.

  • Ensure that these reports are accessible to relevant stakeholders for review and follow-up.

Last updated