RiB Newsletter #42

Welcome to the #42 edition of Rust in Blockchain, the monthly newsletter about Rust, distributed systems, cryptography, and other industry topics. Previous: #41.

It was a bonanza of a month for blockchain Rust, with many new projects appearing and blogging about their work, including a new HotStuff derivative, HotShot, a new Ethereum light client, Helios, a new Ethereum full node implementation, reth, a new ZKVM, OlaVM, and a Rust SDK for Avalanche. We also heard more about the Plonky2 zero-knowledge prover.

In recent months we’ve noticed a steady trickle of security advisories relevant to Rust blockchains, with new advisories this month for wasmtime and libp2p. We hope everybody is running cargo-audit regularly, but note that cargo-audit references only the RustSec advisory database, and some vulnerabilities reported to the GitHub advisory database are not in the RustSec advisory database. Neither the wasmtime nor libp2p advisories published this month are currently in the RustSec database.

In other security news, Secret Network’s trusted execution environment was completely compromised. Fortunately it was done by whitehat researchers, but it’s more bad news about SGX and secure enclaves.

 

Thanks

Thanks to contributors: Dominic Wörner, Hunter Trujillo, Tko, Brian Anderson, and Aimee Zhu. Thank you for your help!

RiB needs help to keep up with Rust blockchain projects. If you follow a particular project, or otherwise find information that is beneficial to the Rust & blockchain community, please contribute to the next issue by submitting a PR to the next draft.

 

Project Spotlight

Each month we like to shine a light on a notable Rust blockchain project. This month that project is…

avalanche-types.

The behavior of Avalanche subnets is defined by customized VMs, which communicate with the Avalanche node over RPC. Avalanche VMs are typically written in Go. This is an official SDK for developing Avalanche VMs in Rust.

It was announced recently in a blog, Rust VM SDK: Build Custom Virtual Machines on Avalanche using Rust, and there is documentation available: How to Build a Simple Rust VM.

There are two example VMs using the SDK:

• timestampvm-rs
• spacesvm-rs

 

Interesting Things

News

• SGX attacks

Blog Posts

• Minority Corruption Resilience in Byzantine Generals With Unknown and Fluctuating Participation
• The Latest View on View Synchronization
• Leader Election from Randomness Beacons and Other Strategies
• Upgradable Smart Contracts: What They Are and How To Deploy Your Own
• Designing Secure Access Control For Smart Contracts
• Specialized Zero-Knowledge Proof failures
• Unique Pseudonymity on Ethereum: Verifiably Deterministic Signatures on ECDSA
• Decentralization of ZK Rollups
• Constructing ZK SNARK Circuits
• How to transform code into arithmetic circuits
• CESC ‘22: Field Notes from the Zero Knowledge Workshop
• Theory of Cryptography Conference ‘22: Field Notes
• Parse, don’t validate — correctness in smart contract development
• Plonky2: A deep dive. More about the zero-knowledge prover from Mir protocol.
• DLC on Lightning. A description of the first discreet log contract on the Lightning network, written with rust-dlc.
• These two recent posts provide a good overview of the ecosystems building on Bitcoin, some of which are developed in Rust:
  • Building on Bitcoin: a Comparison of Bitcoin Projects
  • A Guide to Web3 Programming Languages for Bitcoin Apps

Papers

• Folding Schemes with Selective Verification
• Practical Settlement Bounds for Longest-Chain Consensus
• An Auditable Confidentiality Protocol for Blockchain Transactions
• Linear-map Vector Commitments and their Practical Applications
• Ligero: Lightweight Sublinear Arguments Without a Trusted Setup
• Extensible Decentralized Secret Sharing and Application to Schnorr Signatures
• Vortex: Building a Lattice-based SNARK scheme with Transparent Setup

Projects

• HotShot. A BFT consensus protocol based off of HotStuff, with the addition of proof-of-stake and VRF committee elections. Blog post: Espresso HotShot: Consensus Designed for Rollups.
• Helios. A fast, secure, and portable light client for Ethereum. Blog post: Building Helios: Fully trustless access to Ethereum.
• decaf377. A prime-order group designed for use in SNARKs over BLS12-377. Blog post: Introducing Poseidon377, our instantiation of a SNARK-friendly hash.
• miniSTARK. GPU accelerated STARK prover and verifier.
• Nova-Scotia. Middleware to compile Circom circuits to Nova prover.
• OlaVM. A new ZKVM. Blog post: Hello, OlaVM!
• reth. A new Ethereum full node implementation in Rust. Blog post: Introducing Reth.
• Shinobi. A private bridge from Bitcoin to Secret Network.

 

Security Advisories

Monthly security advisories, from RustSec, and GitHub Advisories. Bold entries here are especially relevant to blockchain projects.

• RUSTSEC-2022-0067: lzf - Unsoundness
• RUSTSEC-2021-0145: atty - Unsoundness
• RUSTSEC-2022-0068: capnp - Vulnerability
• RUSTSEC-2022-0069: hyper-staticfile - Vulnerability
• RUSTSEC-2022-0070: secp256k1 - Unsoundness. Related to usage of Secp256k1::preallocated_gen_new.
• GHSA-9mfc-chwf-7whf: ckb - Large dep group requires a lot of resources to process but the cost to commit the transaction is very low
• GHSA-7fw6-6mfj-g3q2: ckb - Transaction header_deps validation issue (network forking)
• GHSA-mcmr-49x3-4jqm: ckb - type_id script resume may randomly fail
• CVE-2022-41874: tauri - Tauri Filesystem Scope can be Partially Bypassed
• CVE-2022-39392: wasmtime - out of bounds read/write with zero-memory-pages configuration
• CVE-2022-39393: wasmtime - may have data leakage between instances in the pooling allocator
• CVE-2022-39397: alyun-oss-client - Leakage Aliyun KeySecret
• CVE-2022-23486: libp2p - DoS vulnerability from lack of resource management

 

Most Active in November

Parity: 439 merged PRs, 186 closed issues, 124 open issues

Sui: 395 merged PRs, 160 closed issues, 170 open issues

Solana: 264 merged PRs, 53 closed issues, 31 open issues

Fuel: 247 merged PRs, 165 closed issues, 137 open issues

Filecoin: 224 merged PRs, 131 closed issues, 92 open issues

 

Project Updates

Aleo

114 merged PRs (1, 2, 3, 4), 30 closed issues (1, 2, 3), 17 open issues (1, 2, 3)

• Introducing Provers in Aleo Testnet 3
• Testnet 3 Incentives Kickoff

Anoma

84 merged PRs (1, 2, 3, 4), 33 closed issues (1, 2, 3), 32 open issues (1, 2, 3)

Aptos

213 merged PRs (1), 132 closed issues (1), 62 open issues (1)

Casper

59 merged PRs (1, 2), 72 closed issues (1, 2), 19 open issues (1, 2)

COMIT

7 merged PRs (1), 2 closed issues (1), 3 open issues (1)

Concordium

65 merged PRs (1, 2, 3, 4, 5, 6, 7), 33 closed issues (1, 2, 3, 4), 11 open issues (1, 2)

Conflux

9 merged PRs (1), 1 closed issues (1), 1 open issues (1)

DarkFi

4 merged PRs (1), 3 closed issues (1), 0 open issues

Dfinity

59 merged PRs (1, 2, 3, 4, 5), 7 closed issues (1, 2), 6 open issues (1, 2, 3, 4)

• How to Migrate Canister Smart Contracts from Motoko to Rust

Dusk Network

9 merged PRs (1, 2), 7 closed issues (1, 2, 3), 4 open issues (1, 2)

• Testnet DayLight | Release Cycle Update #12

Elrond

95 merged PRs (1, 2, 3, 4), 8 closed issues (1), 0 open issues

Espresso Systems

55 merged PRs (1, 2, 3, 4, 5, 6, 7), 92 closed issues (1, 2, 3, 4, 5), 79 open issues (1, 2, 3, 4, 5, 6, 7, 8)

• Espresso HotShot: Consensus Designed for Rollups
• Decentralizing Rollups: Announcing the Espresso Sequencer
• Releasing Espresso Testnet 1: Americano

Filecoin

224 merged PRs (1, 2, 3, 4, 5, 6, 7), 131 closed issues (1, 2, 3, 4, 5, 6, 7, 8), 92 open issues (1, 2, 3, 4, 5, 6)

• The Filecoin Spacenet goes live
• Filecoin Network v17 Shark Upgrade
• Paper: Temporary Block Withholding Attacks on Filecoin’s Expected Consensus

Findora

67 merged PRs (1, 2, 3, 4), 1 closed issues (1), 1 open issues (1)

• Postmortem Report | Nov 15, 2022

Fluence

49 merged PRs (1, 2, 3, 4, 5, 6), 1 closed issues (1), 1 open issues (1)

Fuel

247 merged PRs (1, 2, 3, 4, 5, 6, 7, 8, 9, 10), 165 closed issues (1, 2, 3, 4, 5, 6, 7, 8), 137 open issues (1, 2, 3, 4, 5, 6, 7, 8, 9, 10)

• The Fuel Virtual Machine Architecture
• Exploring the FuelVM

Golem

40 merged PRs (1, 2, 3, 4, 5), 48 closed issues (1, 2, 3, 4), 29 open issues (1, 2, 3, 4, 5)

Helium

9 merged PRs (1, 2, 3, 4), 6 closed issues (1, 2), 0 open issues

Holochain

24 merged PRs (1, 2), 8 closed issues (1), 11 open issues (1, 2)

• Hackathon, Tool Upgrades, hREA
• Holochain Beta Approaching

IOTA

141 merged PRs (1, 2, 3, 4, 5, 6), 49 closed issues (1, 2, 3, 4, 5), 32 open issues (1, 2, 3, 4)

Maidsafe

80 merged PRs (1, 2, 3, 4, 5), 3 closed issues (1, 2), 14 open issues (1)

MobileCoin

44 merged PRs (1), 8 closed issues (1), 11 open issues (1)

NEAR

161 merged PRs (1, 2, 3, 4, 5, 6), 41 closed issues (1, 2, 3, 4, 5, 6, 7, 8), 37 open issues (1, 2, 3, 4, 5, 6)

• Auditing Projects on the NEAR Blockchain: From Zero to Hero

Nervos

87 merged PRs (1, 2, 3, 4, 5, 6, 7, 8), 14 closed issues (1, 2, 3, 4, 5), 10 open issues (1, 2)

• CKB Soft Fork process & Light Client Soft Fork

Oasis

9 merged PRs (1), 3 closed issues (1), 0 open issues

Parity

439 merged PRs (1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15), 186 closed issues (1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13), 124 open issues (1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)

Radix

51 merged PRs (1, 2, 3), 0 closed issues, 4 open issues (1)

Secret Network

20 merged PRs (1, 2, 3), 2 closed issues (1, 2), 0 open issues

• Notice: Successful Resolution of xAPIC Vulnerability on Secret Network. Secret Network’s TEE was completely compromised. More at the researcher’s site.

Solana

264 merged PRs (1, 2, 3), 53 closed issues (1, 2), 31 open issues (1, 2)

• Neon Synthetic Load Test Report
• Neon EVM Set to Go Live on Mainnet

Subspace Labs

61 merged PRs (1), 16 closed issues (1), 8 open issues (1)

Sui

395 merged PRs (1), 160 closed issues (1), 170 open issues (1)

• Cryptography in Sui: Agility
• Cryptography in Sui
• Building the Capy Prototype on Sui

Zcash

93 merged PRs (1, 2, 3, 4), 46 closed issues (1, 2, 3), 42 open issues (1, 2, 3)

 

Rust in Bitcoin

For discussion join the Rust in Bitcoin Telegram group.

AluVM

3 merged PRs (1), 1 closed issues (1), 2 open issues (1)

BDK

28 merged PRs (1, 2, 3, 4), 36 closed issues (1, 2, 3), 21 open issues (1, 2, 3)

BitMask

10 merged PRs (1), 2 closed issues (1), 4 open issues (1)

Cyphernet

4 merged PRs (1, 2), 0 closed issues, 0 open issues

Electrs

7 merged PRs (1), 11 closed issues (1), 4 open issues (1)

Fedimint

84 merged PRs (1), 29 closed issues (1), 15 open issues (1)

LDK

45 merged PRs (1, 2), 17 closed issues (1, 2), 16 open issues (1, 2)

LNP/BP

22 merged PRs (1, 2, 3, 4, 5, 6), 25 closed issues (1, 2, 3, 4), 33 open issues (1, 2, 3, 4, 5, 6)

LNP WG

1 merged PRs (1), 1 closed issues (1), 1 open issues (1)

Nakamoto

4 merged PRs (1), 0 closed issues, 0 open issues

RGB

6 merged PRs (1, 2, 3), 25 closed issues (1, 2, 3), 6 open issues (1, 2, 3)

• Contractum. A new smart contract language for RGB.

Rust Bitcoin

68 merged PRs (1, 2, 3, 4, 5), 40 closed issues (1, 2, 3, 4, 5, 6), 25 open issues (1, 2, 3, 4, 5)

Rust Simplicity

2 merged PRs (1), 1 closed issues (1), 0 open issues

Sapio

1 merged PRs (1), 0 closed issues, 0 open issues

Talaia

12 merged PRs (1), 6 closed issues (1), 3 open issues (1)

If we’ve missed any other notable Rust Bitcoin projects or ecosystems, feel free to contribute!

 

Rust in Ethereum

Ethers-rs

51 merged PRs (1), 26 closed issues (1), 11 open issues (1)

Foundry

86 merged PRs (1), 59 closed issues (1), 58 open issues (1)

Lighthouse

20 merged PRs (1, 2), 15 closed issues (1), 29 open issues (1, 2)

• Optimising Attestation Packing
• Lighthouse Update #41

Rust Ethereum

7 merged PRs (1), 0 closed issues, 1 open issues (1)

zkSync

2 merged PRs (1), 3 closed issues (1), 1 open issues (1)

If we’ve missed any other notable Rust Ethereum projects or ecosystems, feel free to contribute!

 

Events

Dec 15 | Online

Secret Summit 2022

Feb 24 — Mar 5, 2023 | Denver, USA

ETHDenver 2023

 

Careers

Jobs can be found at Job Board.

 

Want to be included in the next issue? Feel free to submit a PR to the next draft.

Join the discussion on RiB telegram group ❤️