Spearbit's security researchers recently completed an audit of Liquid Collective's Ethereum smart contracts. We asked Spencer Macdonald about Spearbit's decentralized community model, the audit process, and why collaborating with independent security experts matters.
Spearbit's founding culture is a unique mix of technical experts from the Ethereum Foundation and web2 cybersecurity organizations. We have five cofounders, all from mutually complementary backgrounds. I'm a product manager by trade. My last PM role was leading developer security at a government cloud organization, and I got started with the Ethereum community back in 2016 in Santa Cruz, CA.
Jake Lang previously worked on the Ethereum Foundation's ewasm team, and then worked at a web2 cybersecurity startup, Coder. Alex Beregszaszi co-led the development of the Solidity language for seven years at the Ethereum Foundation and is a founder of multiple startups. Harikrishnan Mulackal was a compiler engineer at the Ethereum Foundation and is widely recognized as one of the best gas optimizers in crypto. Jake Lynch is a venture capitalist at L1Digital and was formerly a cryptoasset analyst at DefiPulse and ConcourseQ.
The five Spearbit co-founders joined forces in order to bring a better solution for crypto security engagements. Traditionally, crypto security audits were subject to long wait times given the low supply of centralized firms that conducted these audits and high demand from projects needing an audit. Instead, Spearbit sources top talent from everywhere in the web3 ecosystem to assemble the best possible team for the client. From this talented community that started around security audits, we're also building out other products and services to help our clients mitigate security risk.
Our model recognizes that we need to grow the pie of crypto cybersecurity by pairing experts with early- to mid-career crypto security professionals. We have four levels of security researchers on our audits, starting with Lead Security Researchers (LSRs), who are senior personnel with more than four years of experience in web3 security, InfoSec, IT and/or a solid web3 background. LSRs are widely recognized as experts in the Ethereum security ecosystem. We then have Security Researchers (SRs), Associate Security Researchers (ASRs), and Junior Security Researchers (JSRs), with a scaling level of expertise. LSRs lead the team and mentor the other levels of researchers in our community. The goal is for someone to start off in our community as a Junior Security Researcher and then progress up the ranks, concluding with a promotion to LSR, with the cycle repeating as they mentor new juniors.
The supply of security researchers in the overall crypto ecosystem is simply too small to sustain this industry with the massive amounts of economic value transacted on a daily basis. Web2 went through a similar phase in the past, with the creation of cybersecurity curriculum and upskilling programs, and Spearbit is part of a similar movement in web3 to upskill and generate the next generation of cybersecurity personnel.
Spearbit's community of Security Researchers takes its time assessing the threat model, dependencies, and interactions of your code to get into the mind of a hacker. They are able to do so from anywhere. We have researchers located on nearly every continent in the world. We do our best to bring these folks together to address our clients' needs when it comes to security. By hosting seminars, working group sessions, and even regular online happy hours, we are able to keep this connection strong within the community.
The engagement followed Spearbit's standard collaborative audit process. The client has full access to the Spearbit GitHub repository containing the code in scope, a communications channel with the audit team, and an extra private communications channel with the core team. Auditors also have their own internal communication channel to share ideas with each other.
We do our best to assemble the most efficient team of auditors for the engagement at hand. In order to ensure a high-quality audit, we source at least two professional Lead Security Researchers, prioritize Security Researchers with specific domain knowledge, and involve Junior Security Researchers who have proven their interest and passion for web3 security.
The audit itself started with a kickoff meeting introducing all members participating in the engagement. Afterwards, Alluvial walked auditors through the codebase, highlighting its most important aspects and where attention was needed. This step was crucial because it gave auditors the opportunity to ask questions and build an understanding of the codebase, while providing the Alluvial team with the chance to voice their concerns regarding potential vulnerabilities and exploits, and to explain the potential attack surface.
The code in scope was imported into Spearbit's client-specific audit repository, and during the review phase auditors left comments on GitHub PRs for the Alluvial and Kiln teams to address and react to. After receiving a satisfactory reply from Alluvial and Kiln that addressed the feedback, auditors either turned those comments into issues or noted them for the final report. Beyond the focus areas the Alluvial team identified, the Spearbit audit team conducted a thorough review of the entire in-scope codebase.
After several iterations, back and forth communication with the Alluvial and Kiln teams, and internal discussions, issues were formalized and labeled according to Spearbit's risk-severity matrix. The most critical and relevant issues were presented to the Alluvial and Kiln teams during the closeout meeting.
Spearbit offers a two-week bug fix review period as a professional courtesy, where auditors are available on a stand-by basis to check on client fixes. During this time, auditors reviewed PRs, responded to comments, and addressed Alluvial's concerns.
The Alluvial and Kiln teams addressed all issues while maintaining constant communication with the Spearbit audit team, either by linking the PR corresponding to the fix of the issue in question or by explaining why the issue would not be fixed.
And last but not least, a report was compiled and delivered to the Alluvial team.
Users that put their ETH into LsETH want to know that the underlying smart contract is secure so they will be able to withdraw their ETH if they so choose [after withdrawals are enabled on Ethereum]. There are numerous risks associated with any liquid staking protocol, one being that the validator nodes are compromised, resulting in a slashing event; not many people in the world know how to run validators at scale. The Liquid Collective validators are experienced node operators that implement standard security best practices for cloud infrastructure and key management. There's also the possibility that private keys could be compromised, which we have seen as a common attack vector in recent hacks, so the Spearbit team reiterated this focus by bringing a key management consultant into the audit.
Under the hood, we noticed that the codebase was relatively well documented, as many files were just getters and setters. Most of the complexity seemed to be in the Oracle configuration, the manager components, and the libraries in assembly. Our audit addressed this complexity and gave actionable feedback to the Alluvial team.
End users should care about quality security audits because they demonstrate that a project team is willing to expose protocol security assumptions to an objective third party. Furthermore, users should push project teams to adopt a holistic security approach: not just audits but monitoring, logging, bug bounty programs, and incident response plans all need to be implemented post-launch. We're confident based on our interactions with the Alluvial team that they take a holistic approach to security.
We have a two-week period where our audit team and clients work together to mitigate any potential vulnerabilities identified in the audit phase and validate the correctness of proposed code fixes. The goal of the fix period is to provide transparency to the project's internal and external stakeholders that domains of likely security risk have been acknowledged and mitigated by the project team. After the fix phase has concluded, we produce an audit report for the client that is publicly released for the benefit of the project's community. The target audience for audit reports is technically oriented users; the reports provide data on the internal secure software development process and allow users to make an informed decision on whether to use the product.
Spearbit's mission is to secure the client's entire software development lifecycle, from the design and architecture phase of a project to helping clients monitor suspicious activity post-launch. Software is never done, and audits are a snapshot of the codebase at a particular moment in time. Code changes due to business and technical iterations, and security needs to integrate with these iterations. Spearbit's ideal outcome long term is to continue to work with clients at every step of new feature release, and we accomplish this through retainer engagements.
We have a set of values that intersect with Alluvial's values, particularly around security and empowerment of individuals via crypto. Specifically, our values are: Clients and users deserve excellence, Empower our global security researcher community, Align security and dev teams, and End to end security focus.
Our alignment with Alluvial on security focus is self-evident. From day one, Alluvial emphasized the necessity of security to build an enterprise-grade liquid staking protocol. From how the validators have redundant security compliance measures, to the rigorous smart contract testing the Alluvial and Kiln teams conduct, we were impressed with the professionalism of not just Alluvial but of the entire Collective.
Another aspect of cultural alignment between Alluvial and Spearbit is the mutual focus on empowering individuals and organizations with crypto. Spearbit uses USDC and Gnosis Safe for payments to our auditor network, which allows our community to transparently see the take rates for a given audit. We pride ourselves on the transparency and coordination that crypto offers. Similarly, Alluvial empowers institutions to participate in securing the Ethereum network, which is an equally important aspect of empowerment. We need both individuals and institutions to interact to build a sustainable crypto ecosystem.
We see an emerging trend of institutional investors becoming bigger participants in DeFi. Liquid Collective is one of those protocols that allows institutions to onboard and feel comfortable interacting with the underlying technology, as the protocol takes steps to ensure the validators are compliant with the processes that institutions require.
Liquid Collective is also important for the continued decentralization of Ethereum staking and PoS. Having a secure and reliable alternative to Lido is important for the ecosystem. Spearbit and Liquid Collective are aligned in securing a decentralized future for all crypto users!