Our Role as the Zcash Ecosystem Security Lead

At the end of March 2024, our team at Least Authority was selected for the role of Zcash Ecosystem Security Lead, after responding to a Request for Proposals (RFP) for the role on the Zcash Forums.

Per the Zcash Community RFP:

“This role is integral in enhancing the security, usability, and overall trust within the Zcash ecosystem. The selected entity will be responsible for performing security audits on community projects, coordinating responses to vulnerabilities, and offering expert advice on project security to both ZCG and the wider Zcash community.”

Now, as the Zcash Ecosystem Security Lead, we:

  • Perform security audits of specifications and codebases and publish the results to promote transparency and ethical practices;
  • Provide short consultation sessions on security topics, as needed, such as incident response investigation and remediation, management of data privacy in systems and threat modeling; and
  • Participate in community engagement and offer open office hours.

The Zcash Community Grants (ZCG) program is the grantor, and we are the grantee. We additionally coordinate our priorities with the ZCG Committee and post monthly updates. ZCG funds independent teams entering the Zcash ecosystem, thus allowing them to perform major ongoing development (or other work). Funding for Zcash Community Grants comes from the Major Grants portion of the Zcash Dev Fund. Grants are chosen by a five-person committee elected by the Zcash Community.

Notable Events and Projects Completed:

  • In April, we completed a review of the vulnerability management of Zingo and provided a report to the team.
  • In April, we completed a review of the vulnerability management of Zwallet and provided a report to the team.
  • In May, we hosted the Zero-Knowledge Audio Visual Club’s Berlin meetup for the ZconV event at the Least Authority office.
  • In June, we completed our initial review of the Zcash Address Go Parsing Library, which started in May. When the findings in the report were sufficiently addressed, we completed the verification review and submitted our Final Audit Report.
  • In September, we completed two audits: the Zebra NU6 updates and the Zcashd NU6 updates.
  • In October, we completed two audits: the DCRDEX Zcash integration and the Lightwalletd infrastructure reviews, both of which we started in September.

Over the last few years, we’ve been expanding our ecosystem support to meet the needs of the different ecosystems with which we are working. Although our main offering is still Security Audits of codebases and specifications for projects, we also offer consultation sessions, and have now expanded into community engagement efforts. This approach works within a structured ecosystem program, such as an accelerator or grant program, with a set framework for the projects to acquire support from different sources. 

Additionally, within ecosystems with a more active community, our engagement can be more dynamic and consist of regular open office hours, discussions on forums, as well as liaisons with other parties and organizations about opportunities for enhancing security. For these, we offer a flexible approach where the timeline and deliverables are dependent on the ecosystem’s current needs. 

If you have questions or suggestions about our role in the Zcash ecosystem, you can contact us on the Zcash forums.

Connect with us to learn more about our support of other ecosystems by sending an email to consulting@leastauthority.com or scheduling a call to discuss our security consulting services and how we might be able to help you.
