Venus v1.0 is Here! The Security Audit for Venus Has Been Completed

Venus recently completed a security audit, and the audit report by Least Authority has been released. At the same time, the Venus team released a milestone version, venus v1.0.0, which will enable global storage providers (miners) and storage clients to store their valuable data on the largest distributed storage network, Filecoin.

Venus Milestone

Quick Review

  • venus v0.9.0: Venus returns to the mainnet and deploys the first node running with Venus.
  • venus v0.9.1: Support spec-actor v3 and Network v10, start Security Audit.
  • venus v0.9.4: Support Network v11, all components of Venus already support a complete distributed storage pool (mining pool) function.
  • venus v0.9.5: Support spec-actor v4 and Network v12, release distributed storage pool version 1.0.x, and support building a complete storage service (mining) system.
  • venus v0.9.6: Start the first Filecoin distributed storage pool on the mainnet, with the community continuing to deploy more nodes.
  • venus v0.9.7 & venus v0.9.8: Support spec-actor v5 and Network v13.
  • venus v1.0.0: The security audit is completed and the audit report is announced.

The Venus team recently released a landmark version, venus v1.0.0. This is the first official version after the security audit. We will continue to improve on the criteria the report suggested, and will release updates on the Venus community and development in a timely manner in order to provide Filecoin storage providers with more convenient and effective solutions. In the meantime, we welcome feedback and suggestions from storage providers and developers on important functions. We will work closely with the whole community to build a strong and resilient Venus implementation.

About Security Audit

Based on the audit results, the Venus team rigorously addressed the key issues in the use of the implementation. The most commonly used method for audit work is "automatic analysis + manual verification", which covers the correctness of the implementation process, vulnerabilities in individual components, secure interaction between modules, the implementation of private key management, secure storage of assets, data privacy, API access security, attacks related to funds, adversarial actions, and other review items.

Through research, investigation, review, reporting, and modification, this audit improved the security and efficiency of the Venus implementation in areas such as chain synchronization, key security, API stability, and structural rationality. The Venus team communicates with the auditor in a timely manner, locates and solves the problems found in the report, and works with our engineers to fix major issues. At the same time, some problems that do not affect usage will continue to be followed up and optimized.

The audit report pointed out that the scope of the current security audit is sufficient because it covers the entire implementation process, including all security-critical components of the implementation. While the dependencies used by the Venus implementation were not in scope, the use of dependencies is mostly limited to standard libraries that are both well audited and well maintained. For example, Venus makes use of the spec-actors dependency, which provides core functionality of the implementation. While spec-actors was not in scope, it has recently undergone an independent security review too.

Look Ahead

Web 3.0 Infrastructure Service Provider