Teku

Off-Chain (Public)
Audited on 2020/11/06
No active critical issues

Summary

Quantstamp has reviewed the Teku ETH 2.0 client implementation. The audit revealed several issues of various severity within the code; all of them have since been acknowledged, fixed, or mitigated. The code of the client is well-written and easy to follow, although in some places it could be further improved to follow all best practices. In addition to the available ETH 2.0 specifications, the code has some in-line documentation and external documentation to assist future development and other contributors. Many issues likely arose due to the size of the codebase. No deviations from the ETH 2.0 specification were found, though this was not always perfectly clear. Most packages within the repositories include tests. Coverage was not computed for the system as a whole; rather, it was pieced together by running coverage on each package and combining the results (this was done using the provided packages), so it may not be fully accurate. Additionally, the reader should note that the audit was conducted under the assumption that the execution environment (the JVM) is trusted. This is a very sensible requirement, but it must be understood that because the JVM resides on the machine, an unauthorized attacker who replaces it with a malicious implementation could completely change the semantics of the Java code being executed. Similarly, with unauthorized access to the compiled Teku jar packages, an attacker could inject malicious classes and code into the package itself. It is imperative that all parties operating Teku ensure that their environment is private and does not provide access to untrusted parties. Finally, note that no file hashes appear in this report; refer to the commit for each repository for a signature of the files audited in this report.


Issues (29)

              Low   Medium   High   Critical   Total
Not fixed       6        3      -          -       9
Fixed          14        5      1          -      20
Total          20        8      1          0      29


Contracts (4)