Herodotus smart contract audit by ChainSecurity

Herodotus Cairo Libs

Security Audit

Download Audit Report
Summary

The most critical subjects covered in our audit are functional correctness, data integrity and consistency, and security vulnerabilities. Amongst others, the following issues have been uncovered:

  1. Missing Length Validation in MPT Verify
  2. MMR: Incorrect Root Update Possible, Insufficient Peaks Validation
  3. Keccak Discards Leading Zero Bytes in Last Little Endian Words64

After the intermediate report all issues have been resolved.

The general subjects covered are usability, efficiency and robustness.

In summary, for its intended usage in herodotus-on-starknet we find that the codebase of CairoLib provides a good level of security. However, it’s worth noting that more thorough testing could have identified most of these issues early. Moreover, there is still room for enhancement in the testing processes.

It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don’t replace other vital measures to secure a project.

About Herodotus Cairo Libs

CairoLib is a library primarily for Herodotus on Starknet implementing Ethereum related operations including Recursive Length Prefix (RLP) decoding, Keccak256 and Poseidon hash function wrappers, Merkle Patricia Trie (MPT) verification and Merkle Mountain Range (MMR) structures.

Herodotus is a powerful data access middleware that provides smart contracts with synchronous access to current and historical on-chain data across Ethereum layers.”

Source: https://docs.herodotus.dev/herodotus-docs/