We are pleased to announce two new security initiatives, involving partnerships with Immunefi and Certora, aimed at further enhancing the integrity and security of OpenZeppelin Contracts. With over four million downloads to date, we understand the community relies on our smart contract library as an essential building block for Web3 development. These new partnerships and measures are part of our continued commitment to grow and protect the decentralized economy.
OpenZeppelin Contracts is a library for secure smart contract development. Web3 developers use this library to build on a solid foundation of community-vetted code. The library includes popular implementations of ERC20 and ERC721; flexible role-based permissioning schemes; reusable Solidity components; and more.
“Security is always top of mind for our development team given vulnerabilities in our library can impact projects with billions of dollars in locked value. In the last several months we shipped the Smart Contract Security Registry and introduced an extended community review period. Our new partnerships are a continued movement in this direction,” observed Santiago Palladino, Head of Development. “With Immunefi, we launched our first formal bug bounty program. Additionally, Certora is engaged in a formal verification and an ongoing audit of OpenZeppelin Contracts.”
Immunefi Bug Bounty Program
Bug bounty programs offer a proven and effective way for open source projects to maintain security while scaling. In the past, we awarded bounties to white hats who submitted critical vulnerabilities. Our partnership with Immunefi, the leading DeFi bug bounty platform, establishes our first formal bug bounty program with up to $25,000 bounties.
The areas of interest for the bug bounty program are as follows:
- Loss of funds by freezing or theft
- Denial of service (smart contract is made unable to operate)
- Access control is bypassed, including privilege escalation
- Smart contract does not behave as intended
“We are pleased to serve as the formal home for OpenZeppelin’s bug bounty program. Helping safeguard one of the most popular smart contract libraries will help remove security risks and protect users, furthering our mission to safeguard all of Web3,” observed Mitchell Amador CEO and Founder of Immunefi.
A low level vulnerability was already awarded through the library; the fix’s pull request is available here. Read more about payout thresholds, prioritized vulnerabilities, and Immunefi’s threat classification levels on the program’s official page.
Certora Formal Verification
Formal verification produces a proof that a piece of software — in this case of our open source smart contract library by Certora — satisfies a specification, helping to establish a baseline of properties verified and any bugs discovered. Certora completed the first stage of the process last Monday publishing a review of OpenZeppelin governance contracts. Next, the team will continue working on the remainder of our contracts, ranked by the OpenZeppelin development team in order of importance.
“Our formal verification of one of the most widely used open source smart contract libraries will convey the benefit of our prover technology to the world of OpenZeppelin smart contract users,” said Mooly Sagiv, CEO of Certora. The formal verification system, Certora Prover, can check at compile-time that all executions of a smart contract fulfill a standard set of security rules. We will use Certora Prover as part of the continuous integration pipeline for future updates to the library.
We would also like to thank the Ethereum Foundation for providing a contribution of $100,000 in support of the initiative.
Ongoing Smart Contract Standardization and Security
In addition to our work with Immunefi and Certora, we recently took a number of additional steps to further invest in the integrity and security of OpenZeppelin Contracts. Some highlights include:
- Doubling the development team working on contracts
- Establishing a community review period for new releases, which includes regular public calls
- Creating and releasing the Smart Contract Security Registry so projects with value locked in OpenZeppelin Contracts can be alerted of vulnerabilities before public disclosures. Sign up for the registry here.
- Continued support of Contracts Wizard, our simple smart contract creation tool leveraging our libraries, prompts builders to use the latest smart contract builds with proper notation.
We hope that these initiatives and more to come will strengthen our library and the developer community’s ability to build better and scale securely. Learn how to contribute to the Immunefi bug bounty program here and read Certora’s first report here. Join us January 29th at Stanford University’s DeFi Summit where we will host a panel with Certora.