The most critical subjects covered in our audit are functional correctness, data integrity and consistency, and security vulnerabilities. Amongst others, the following issues have been uncovered:
- Missing Length Validation in MPT Verify
- MMR: Incorrect Root Update Possible, Insufficient Peaks Validation
- Keccak Discards Leading Zero Bytes in Last Little Endian Words64
After the intermediate report all issues have been resolved.
The general subjects covered are usability, efficiency and robustness.
In summary, for its intended usage in herodotus-on-starknet we find that the codebase of CairoLib provides a good level of security. However, it’s worth noting that more thorough testing could have identified most of these issues early. Moreover, there is still room for enhancement in the testing processes.
It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don’t replace other vital measures to secure a project.