RiB Newsletter #29
Welcome to the #29 edition of Rust in Blockchain, the monthly newsletter about Rust, distributed systems, cryptography, and other industry topics. Previous: #28.
With total value locked (TVL) measurements going up, up, up across the blockchain world, Ethereum extremely congested, and liquidity providers fleeing to blockchains with high yields and low fees, there are huge efforts on many chains to get dapps out fast and attract market share. In the Rust world some notable developments:
- NEAR launched an $800 million ecosystem fund and has been quietly climbing up the DeFi TVL charts.
- Secret Network can now bridge to multiple chains and its SecretSwap has enough liquidity that it will soon be a viable route for discreetly moving assets between the burgeoning multi-chain ecosystem.
- The Internet Computer (previously DFINITY) has been cranking out blog posts, both about technical matters and partnerships. They are running a developer grants program.
- Nervos has launched their Force Bridge to connect to Ethereum, and is working to add EVM compatibility.
- Polkadot has been running a high-profile auction for parachain slots on its canary network, Kusama, and will soon begin auctions for the main Polkadot network. Some of the Kusama parachains, notably Moonriver, are already up and running and attracting EVM-compatible dapps like Sushi.
- Solana has turned into a bit of a juggernaut, with huge financial backing, and TVL only behind Ethereum and Binance Smart Chain. It has been attracting dapps and protocols that were previously EVM-only, like Lido and RenVM; but it also has a strong stable of its own Solana-native dapps.
In RiB news, this month we’ve added a “Security Advisories” section, summarizing all the Rust security advisories of the month from RustSec, and GitHub Advisories. Seeing them all in one place is revealing: lots of security-relevant bugs in crates used in, or created by, the blockchain industry.
This month, upon prompting, we added a Zcash donation address, and immediately received 3 donations. Thanks to the Zcash twitter community! RiB donations are 100% earmarked for supporting developers through event sponsorships, etc. The donation addresses can be found on the sidebar of the website.
Thanks
Thanks to contributors: Adam Dossa, Awa Sun Yin, bbyleggo123, Dan Shields, KΞlchΞ⟠, Squirrel, Brian Anderson and Aimee Zhu. Thank you for your help!
RiB needs help to keep up with Rust blockchain projects. If you follow a particular project, or otherwise find information that is beneficial to the Rust & blockchain community, please contribute to the next issue by submitting a PR to the next draft.
Project Spotlight
Each month we like to shine a light on a notable Rust blockchain project. This month that project is…
Mina is a new blockchain network that uses zero-knowledge proofs to validate the state of the chain without access to a full blockchain, but instead only a tiny (~22k) proof. This should enable even mobile devices to participate in the network as full validators, requiring less trust than today’s situation where most clients are connecting to other peoples’ full nodes hosted in the cloud. They are calling this style of chain a “succinct blockchain”, and have caught the attention of a number of other projects, forming partnerships to bring the idea to other chains.
mina-rs is an implementation of Mina in Rust, developed by ChainSafe. It is developed not only with mobile environments in mind, but WASM too, which suggests we’ll be able to embed a full node directly in the browser.
Some recent information about Mina / mina-rs:
- Rising Tides: How the Mina Protocol can benefit Web 3.0
- Mina: Decentralized Cryptocurrency at Scale (whitepaper)
- 22kB-Sized Blockchain — A Technical Reference
- Mina Product Priorities & Mina Foundation Mission
Interesting Things
Blog Posts
- Rudra: Finding Memory Safety Bugs in Rust at the Ecosystem Scale
- Anatomy of a STARK
- FROST: Flexible Round-Optimized Schnorr Threshold Signatures
- Sharding
- Counter-Strike: Threshold Attack
- A Guide to AppliedZKP zkEVM Circuit Code
Papers
- Plumo: An Ultralight Blockchain Client
- Encryption to the Future: A Paradigm for Sending Secret Messages to Future (Anonymous) Committees
- On the security of ECDSA with additive key derivation and presignatures
- How to Prove Schnorr Assuming Schnorr: Security of Multi- and Threshold Signatures
Projects
- Shade Protocol is an array of connected privacy-preserving dApps built on Secret Network.
Security Advisories
Monthly security advisories, from RustSec, and GitHub Advisories. Bold entries here are especially relevant to blockchain projects.
- RUSTSEC-2021-0120: Unsoundness in abomonation. abomonation transmutes &T to and from &[u8] without sufficient constraints.
- RUSTSEC-2021-0121: Unsoundness in crypto2. Non-aligned u32 read in Chacha20 encryption and decryption.
- CVE-2021-20319: coreos installer improperly verifies GPG signature when decompressing gzipped artifact. coreos-installer fails to correctly verify GPG signatures when decompressing gzip-compressed artifacts. This allows bypass of signature verification in cases where coreos-installer decompresses a downloaded OS image, allowing an attacker who can modify the OS image to compromise a newly-installed system.
- CVE-2020-26281: Async-h1 request smuggling possible with long unread bodies. This vulnerability affects any webserver that uses async-h1 behind a reverse proxy, including all such Tide applications.
- CVE-2021-41138: Validity check missing in Frontier. In the newly introduced signed Frontier-specific extrinsic for pallet-ethereum, a large part of transaction validation logic was only called in transaction pool validation, but not in block execution. Malicious validators can take advantage of this to put invalid transactions into a block.
- CVE-2021-41149: Improper sanitization of target names. The tough library, prior to 0.12.0, does not properly sanitize target names when caching a repository, or when saving specific targets to an output directory. When targets are cached or saved, files could be overwritten with arbitrary content anywhere on the system.
- CVE-2021-41150: Improper sanitization of delegated role names. The tough library, prior to 0.12.0, does not properly sanitize delegated role names when caching a repository, or when loading a repository from the filesystem. When the repository is cached or loaded, files ending with the .json extension could be overwritten with role metadata anywhere on the system.
- CVE-2021-41153: Specification non-compliance in JUMPI. In evm crate < 0.31.0, JUMPI opcode’s condition is checked after the destination validity check. However, according to Geth and OpenEthereum, the condition check should happen before the destination validity check.
- GHSA-v935-pqmr-g8v9: Unexpected panics in num-bigint. Two scenarios were reported where BigInt and BigUint multiplication may unexpectedly panic.
Most Active in October
Parity: 291 merged PRs (1, 2, 3, 4, 5), 105 closed issues (1, 2, 3, 4, 5), 112 open issues (1, 2, 3, 4, 5, 6)
Solana: 275 merged PRs (1, 2), 42 closed issues (1, 2), 68 open issues (1, 2)
Diem: 183 merged PRs (1), 14 closed issues (1), 24 open issues (1)
Project Updates
Aleo
119 merged PRs (1, 2, 3, 4), 35 closed issues (1, 2, 3, 4), 29 open issues (1, 2, 3, 4)
Anoma
52 merged PRs (1), 20 closed issues (1, 2), 16 open issues (1)
ChainSafe
29 merged PRs (1, 2), 25 closed issues (1, 2), 15 open issues (1, 2)
- Mina-rs Update: Some Rust serialization tricks with Serde
- ChainSafe launches Forest, the Rust Filecoin Client
- Gossamer: Into the Polkadot-verse Pt. 3
COMIT
21 merged PRs (1), 11 closed issues (1), 6 open issues (1)
Concordium
21 merged PRs (1, 2, 3, 4), 4 closed issues (1), 8 open issues (1, 2, 3)
Conflux
2 merged PRs (1), 2 closed issues (1), 0 open issues
Dfinity
25 merged PRs (1, 2, 3, 4, 5), 4 closed issues (1, 2), 8 open issues (1, 2, 3, 4)
- Optimizing the Internet Computer Memory System’s Performance
- Secure Scalability: The Internet Computer’s Peer-to-Peer Layer
- Resumption: How Internet Computer Nodes Quickly Catch Up to the Blockchain’s Latest State
Diem
183 merged PRs (1), 14 closed issues (1), 24 open issues (1)
Elrond
48 merged PRs (1), 1 closed issues (1), 3 open issues (1)
Fluence
22 merged PRs (1, 2, 3, 4), 8 closed issues (1, 2, 3), 22 open issues (1, 2, 3)
Golem
26 merged PRs (1), 20 closed issues (1), 13 open issues (1)
Holochain
77 merged PRs (1, 2, 3), 2 closed issues (1), 4 open issues (1)
IOTA
17 merged PRs (1), 3 closed issues (1), 3 open issues (1)
Lighthouse
19 merged PRs (1, 2), 21 closed issues (1), 15 open issues (1)
MobileCoin
38 merged PRs (1), 2 closed issues (1), 3 open issues (1)
NEAR
133 merged PRs (1, 2, 3), 56 closed issues (1, 2, 3), 43 open issues (1, 2, 3, 4)
Nervos
77 merged PRs (1, 2, 3, 4), 4 closed issues (1, 2, 3), 3 open issues (1, 2)
Parity
291 merged PRs (1, 2, 3, 4, 5), 105 closed issues (1, 2, 3, 4, 5), 112 open issues (1, 2, 3, 4, 5, 6)
- Polkadot Is Ready for Parachain Launch, Auction Dates Proposed
- Polkadot Hackathons Are Going Global, Starting in Asia Pacific
Rust Bitcoin
27 merged PRs (1, 2, 3), 6 closed issues (1, 2), 17 open issues (1, 2)
Rust Ethereum
2 merged PRs (1), 0 closed issues, 1 open issues (1)
Secret Network
4 merged PRs (1, 2), 0 closed issues, 2 open issues (1)
- Secret Feature: Shade Protocol & Silk
- Altermail is LIVE on Mainnet!
- Secret Feature: SiennaSwap Launches on Mainnet!
Solana
275 merged PRs (1, 2), 42 closed issues (1, 2), 68 open issues (1, 2)
Spacemesh
7 merged PRs (1), 23 closed issues (1, 2), 29 open issues (1, 2)
TezEdge
18 merged PRs (1), 2 closed issues (1), 0 open issues
Zcash
108 merged PRs (1, 2, 3), 65 closed issues (1, 2, 3), 30 open issues (1, 2, 3)
zkSync
0 merged PRs, 1 closed issues (1), 4 open issues (1)
Events
Nov 11 - Dec 8 | Online
Nov 15-19 | Online
Nov 18-19 | Online
Tokenomics 2021: 3rd International Conference on Blockchain Economics, Security and Protocols
Dec 1-3 | Seoul, Korea
ICISC: The 24th Annual International Conference on information Security and Cryptology
Dec 14-15 | Online
18th IMA International Conference on Cryptography and Coding
Jan 24-26, 2022 | Arrillaga Alumni Center, Stanford University
SBC'22: The Science of Blockchain Conference 2022
Feb 14-18, 2022 | Canada
Financial Cryptography and Data Security 2022
Careers
Anoma | Berlin, Remote
- Senior Rust Engineer
- Rust P2P Networking Engineer
- Technical Engineering Manager
- Zero-Knowledge Cryptographer & Protocol Developer
- Distributed Systems Research Engineer
Aurora | Remote
NEAR | Remote
More jobs can be found at Job Board.
Want to be included in the next issue? Feel free to submit a PR to the #30 draft.
Join the discussion on RiB telegram group ❤️