Aleo completes security audits of snarkOS & snarkVM
As Aleo approaches mainnet, it’s vital to assess the security and integrity of our codebase. We engaged three independent security research firms — Trail of Bits, NCC Group, and zkSecurity — to audit snarkOS and snarkVM, the backbone of the Aleo Network.
Over 18 weeks, auditors reviewed the security of Aleo’s snarkOS and snarkVM components:
snarkOS: Each firm reviewed snarkOS, focusing on the Bullshark BFT implementation, inter-node communication, and resistance to Denial of Service (DoS).
snarkVM: Each firm reviewed snarkVM, focusing on the synthesizer and ledger implementation, with an eye towards alignment to the “Aleo Protocol Specification,” alignment with the formal Aleo grammar, data serialization and deserialization, and transaction and block verification functions.
Trail of Bits
Trail of Bits specializes in software testing, code review projects, and blockchain security. They combine high-end security research with a real-world attacker mentality to reduce risk and fortify code.
The Trail of Bits team used static analysis tools in the snarkOS and snarkVM codebases to identify areas of code with code quality issues and to obtain a test coverage report. Additionally, they used Semgrep and Dylint to find and confirm variants of manually found API misuses.
Their testing efforts focused on ensuring the robustness of interfaces handling unvalidated data and finding discrepancies between specifications and implementation. The team had full access to the source code and documentation, enabling them to perform static and dynamic testing of the codebase using automated and manual processes.
Audit findings
Read the full Trail of Bits report
Trail of Bits found that the Aleo codebase is generally very robust to malicious or malformed data and correctly validates its data structures. All of their data validation findings are of informational severity, except for the low-severity findings, which could enable denial-of-service (DoS) attacks due to missing data validation when decentralizing some data structures.
However, Trail of Bits identified an important function in the consensus algorithm that almost always returns false due to a typo in the implementation. Lastly, the team found a medium severity issue related to the use of unpinned GitHub actions.
Audit resolution
Aleo responded by resolving the 31 issues quickly to ensure the safety and security of our Network. The issues we resolved:
Denial of service vectors in FromBytes implementations
2. Faulty validation enables more than the intended number of inputs on finalize commands
3. Parsing Differences between the aleo.abnf grammar and the implementation
4. Function, Closure, and Finalize deserialization routines allow large memory allocations
5. Unvalidated destination type for Commit instructions
6. Unnecessary overflow checks
7. Missing upper bound validation with MAX_STRUCT_ENTRIES
https://github.com/AleoHQ/snarkVM/commit/8ac0987523daca10bc5d4502d549fc5b65e3e70e
https://github.com/AleoHQ/snarkVM/commit/54c26e361a986fb6c1a941a8748a4384a5c1854e
8. Discrepancies between the matches_record function implementation and its documentation
9. The /testnet3/node/env API endpoint provides binary path and repository information
10. Peer maximum message limit is off-by-one
11. The peers request/response flow allows local IP with non-node port
12. The refresh_and_insert function may not return previously seen timestamp
13. Structure serialization does not declare the correct number of fields
14. Potential overflow in total finalize cost
15. The is_sequential function allows u64::MAX to 0 transitions
Won't fix, `previous` will not overflow based on usage
16. Requesting more peers may not use newly connected peers
Won't fix, no vulnerability, however, open to improvements in the future
17. Committee::new allows creating genesis committees with more than four members
Won't fix, `Committee::new` used for testing
18. GitHub CI actions versions are not pinned
Won't fix at this time, does not touch any unit tests
19. The committee sorting tests do not consider if the validator is open to staking
20. Impossible match case in authority verification routine
21. The BFT::is_linked function does not properly determine if two certificates are linked
22. Peer is not removed from connecting_peers when handshake timed out
23. Rest API allows any origin
24. Garbage collection does not collect the next_gc_round
25. Fee verification is off-by-one
26. Block reward potential truncation and overflow
27. Saturated adds and subtractions can cause inconsistencies
28. IndexSet::remove does not preserve the order of the IndexMap
Won't fix: Ordering does not matter
29. The batch certificate id calculation does not include the number of signatures in the preimage
Won't fix: BatchCertificate serialization has changed
30. Missing validations in block metadata and header validation functions
Nothing to fix.
- solutions root can be zero.
- `cumulative_weight`, `proof_targets`, and `last_coinbase_target` checks are done in BlockHeader
31. The order of the saturating_add and checked_sub operations matters
Won't fix: Method has been deprecated
NCC Group
NCC Group is a world-leading global provider of software resilience and business continuity solutions. The firm protects software customers from unforeseen technology disruption, ensuring their critical services are always available.
Aleo engaged NCC Group’s Cryptography Services team to conduct an implementation review of several components of snarkVM. NCC Group’s evaluation targeted the snarkVM repository at https://github.com/AleoHQ/snarkVM, on branch testnet3-audit-ncc, at commit 0b151b9.
The following components were in scope:
synthesizer: Responsible for translating higher-level code into circuits that are compatible with the underlying zk-SNARK proof system.
algorithms: Implementation and execution of the proof system and the primitives needed to support it.
ledger: Data structures and methods for storing and interacting with the Aleo blockchain.
NCC Group’s review was supplemented with the documentation at https://developer.aleo.org/ and the Documents DRAFT: Aleo Protocol Specification (August 11, 2023) and Aleo Varuna Specification (September 7th, 2023).
The review targeted specific sub-components of snarkVM, not the whole library. Unless otherwise noted, findings in their report are limited to the behavior within a specific component and may not fully consider behaviors that affect out-of-scope components.
Audit findings
Read the full NCC Group report: snarkVM
Read the full NCC Group report: snarkOS
NCC Group’s assessment uncovered several findings across the in-scope components, including:
Finding "Incorrect Ratification Bound Check" describes how the number of ratifications on a block may not be correctly enforced.
Finding "Batch Proof Building and Verifying May Skip Inputs" describes how some inputs may be omitted when building or verifying proofs.
Finding "Trailing Zeros in Polynomials After Arithmetic Operations or Random Generation" describes how inconsistent handling of leading zeros in polynomials may lead to panics or incorrect results.
Note that additional engagement notes and comments are provided in the “Engagement Notes” section in NCC Group’s report.
Audit resolution
Aleo responded by quickly resolving the 17 issues in Audit 1 to ensure our network's safety and security. The seven issues in Audit 2 are still active and pending review from NCC Group.
Audit 1:
Incorrect Ratification Bound Check
2. Batch Proof Building and Verifying Map Skip Inputs
3. Missing Sanity Checks Compared to the Aleo Protocol Spec
No Github link
4. Incorrect Logic in Speculation of Aborted Transactions
5. Missing Bounds Checks when Deserializing from Buffers
6. Leading Zeros in Polynomials After Arithmetic Operations or Random Generation
7. Function ID Hash Computations May Result In Collisions
8. Incomplete Reserved Keywords List
9. Missing Bound Check on Minimum Struct Entries
10. Inconsistent or Absent Bounds Checks on Inputs
11. Incorrect Polynomial Division When Both Operands Are Zero
12. Polynomial Serialization and Deserialization Does Not Strip Leading Zeros
13. Missing Subset Membership Check for Gamma Challenge
14. Incorrect Loop Exit Condition in Evaluation Generation
15. Outdated Dependencies, Cargo Audit Vulnerabilities and Missing Toolchain File
No Github link
16. Wrapped Shift Operators Do Not Follow Documented Semantics
17. Incorrect Random Vector Generation
After retesting, NCC Group found that most of the findings had been addressed. Out of a total of 17 original findings, 15 were marked as “Fixed,” one medium severity finding was marked as “Risk Accepted,” and one informational finding was marked as “Not fixed.”
Audit 2: Still active and pending review from NCC Group
1. Non-Committing Encryption Used in InputID::Private
2. Late/Distant Validation of Block Request Range
No Github link
3. Brittle Error Handling of NoiseState::Handshake
No Github link
4. Secret Key Stored in Plaintext File, Missing Permission Checks
No Github link
5. CLI Input Private Keys and Sensitive Values Not Zeroized
No Github link
6. Missing Validation of Transmission Response
No Github link
7. Leader Election Process Does Not Match Whitepaper
No Github link
zkSecurity
zkSecurity provides audits that assure companies that their offerings provide a security baseline. They conduct audits of zero-knowledge-proof systems, their applications, and the protocols that use them (for example, secure multi-party computation protocols).
Auditing Aleo’s synthesizer
zkSecurity audited Aleo’s synthesizer for use in the Aleo blockchain.
The Aleo synthesizer is the core protocol used in the deployment and execution of user programs on the Aleo blockchain. It wraps Varuna (Aleo's Marlin-based zero-knowledge proof system) and provides a high-level interface for users to deploy and execute programs and for the network to verify correct deployments and executions. (There is, in theory, a third flow supported by the synthesizer — the fee collection process — which is significantly less complex and which was omitted in zkSecurity’s report.)
zkSecurity was provided with a specification of Aleo covering some of the protocols behind the synthesizer and a specification of Varuna, Aleo's proof system.
zkSecurity used the `testnet3-audit-zks` branch (commit `9f5246d8c28afc0aef769b723eeaa4ec4a402b9c`). Included in the scope was the synthesizer part of the snarkVM, which lives in the synthesizer folder of the snarkVM repository.
Auditing Aleo’s consensus
Additionally, zkSecurity audited Aleo’s consensus for use in the Aleo blockchain.
zkSecurity used the `testnet3-audit-zks` branch (commit `9234cbee73666c7e6d00dfbdbcb947a244a43818`) of the snarkOS repository.
Included in the scope:
Aleo's Bullshark (the partially synchronous version) and Narwhal implementation for resharing and coming to consensus on a global order of transactions.
Aleo's high-level consensus logic in snarkOS (within some folders of snarkOS/node).
Aleo's ledger service, that has dependencies living in the snarkVM repository.
Note that some logic (like the puzzle mechanism) was out of scope, as it was planned for replacement.
Audit findings
Read the full zkSecurity report: Aleo synthesizer
Read the full zkSecurity report: Aleo consensus
In auditing Aleo’s synthesizer, the zkSecurity team found the code to be thoroughly documented, rigorously tested, and well-specified. In auditing Aleo’s consensus, the team found the code to be thoroughly documented and high-quality.
Audit resolution
Aleo responded by quickly resolving the 8 issues to ensure our network's safety and security. The issues we resolved:
1. Non-Committing Encryption Used in InputID::Private
2. Non-Committing Encryption Used in OutputID::Private
3. Incorrect Fiat-Shamir Transform in Circuit Certification
4. Proof Delegation is Subject to Truncation
No Github link
5. Proof Delegation Leaks User Signing Key
6. Caller Is Not Fixed Throughout Function Execution
7. Ambiguous Encoding in Varuna Fiat-Shamir Transcript
8. Merkle Leaf Indices Are Not Unique
No Github link
Securing the Aleo Network for mainnet
Aleo is an open-source software project. We fundamentally believe that more eyes equals more safety, which is why we not only engaged these auditors, but also are sharing the results of that work. Even though we’ve addressed the findings shared in these reports, the work is never over. The Aleo Team has always remained committed to transparency. And going forward, the Aleo Foundation stands ready to mobilize the community to address bugs that might come up in the future.
We’re ready for mainnet.
About Aleo
Our blog features the stories of developer and privacy advocates building a better internet with zero knowledge.
For further information contact us at hello@aleo.org
