In September 2017, Augur engaged Coinspect to perform a security audit of the Solidity Compiler. The objective of the audit was to evaluate the security of the compiler. Sergio Lerner lead the audit, and has delivered a thorough report of the codebase.
The full report can be found here, and summary of the audit and issues can be found next.
Assessment
During the assessment, Coinspect identified 0 high-risk issues, 0 medium-risk issues, and 10 low-risk issues. The issues identified during the assessment do not lead to the compilation of vulnerable code. Some of the low-risk issues were communicated to the Solidity team and fixed in newer releases, while some other issues remain unfixed.
Development teams of products which one or more of these issues may effect were notified on Friday, December 8th, 2017.
The audited project can be found in the ethereum/solidity Github repository.
Introduction
A white box security audit was conducted on the Solidity Compiler in order to detect detect compiler flaws that can result in:
- Reduction of the security of the deployed contracts.
- Result in non-deterministic behavior.
- Malicious code execution or crashes when parsing specially crafted Solidity source code.
- Resource exhaustion during compilation, either CPU, memory or disk.
- Compiled code that consumes a non-constant amount of gas (e.g. depending on arguments), where the programmer would have expected constant cost.
- Facilitating underhanded code (trojans in open code).
Also common application security vulnerabilities were searched, including:
- Input validation.
- Denial of service prevention.
- Brute-forcing prevention.
- Information disclosure.
- Memory corruption vulnerabilities: buffer overflows, user supplied format strings.
- Integer overflows.
- Pointer management vulnerabilities: Double-free, use-after-free.
The audit was completed on October 2017, but the the report was completed on November 2017. This reports includes all the results from the audit.
Findings [LOW]
SOL-001 — O(n2) compiler output blow-up by forced warnings/errors.
SOL-002 — O(n3) compiler output blow-up by function name duplicates.
SOL-003— RAM blow-up by constants cycles.
SOL-004 — RAM blow-up by exponential steps in constant cycle findings.
SOL-005 — Unbounded gas cost when deleting dynamically sized arrays.
SOL-006 — Duplicated super-constructor calls not reported.
SOL-007 — Error-prone Multi-Assignment with empty LValues.
SOL-008 — CPU blow-up using huge bignums literals.
SOL-009 — Output messages size blow-up using huge bignums literals.
SOL-010 — Easy underhanded code using false overrides.
Full Report
The full audit report can be seen here: Solidity Compiler Audit Report.
Please reach out to team@augur.net with any questions, or join the #dev chat in our Discord channel.
