Aleo completes security audits of snarkOS & snarkVM
December 29, 2023

Aleo completes security audits of snarkOS & snarkVM

As Aleo approaches mainnet, it’s vital to assess the security and integrity of our codebase. We engaged three independent security research firms — Trail of Bits, NCC Group, and zkSecurity — to audit snarkOS and snarkVM, the backbone of the Aleo Network.

Over 18 weeks, auditors reviewed the security of Aleo’s snarkOS and snarkVM components:

  • snarkOS: Each firm reviewed snarkOS, focusing on the Bullshark BFT implementation, inter-node communication, and resistance to Denial of Service (DoS).

  • snarkVM: Each firm reviewed snarkVM, focusing on the synthesizer and ledger implementation, with an eye towards alignment to the “Aleo Protocol Specification,” alignment with the formal Aleo grammar, data serialization and deserialization, and transaction and block verification functions.

Trail of Bits

Trail of Bits specializes in software testing, code review projects, and blockchain security. They combine high-end security research with a real-world attacker mentality to reduce risk and fortify code.

The Trail of Bits team used static analysis tools in the snarkOS and snarkVM codebases to identify areas of code with code quality issues and to obtain a test coverage report. Additionally, they used Semgrep and Dylint to find and confirm variants of manually found API misuses.

Their testing efforts focused on ensuring the robustness of interfaces handling unvalidated data and finding discrepancies between specifications and implementation. The team had full access to the source code and documentation, enabling them to perform static and dynamic testing of the codebase using automated and manual processes.  

Audit findings

Read the full Trail of Bits report

Trail of Bits found that the Aleo codebase is generally very robust to malicious or malformed data and correctly validates its data structures. All of their data validation findings are of informational severity, except for the low-severity findings, which could enable denial-of-service (DoS) attacks due to missing data validation when decentralizing some data structures. 

However, Trail of Bits identified an important function in the consensus algorithm that almost always returns false due to a typo in the implementation. Lastly, the team found a medium severity issue related to the use of unpinned GitHub actions.

Audit resolution

Aleo responded by resolving the 31 issues quickly to ensure the safety and security of our Network. The issues we resolved:

  1. Denial of service vectors in FromBytes implementations

2. Faulty validation enables more than the intended number of inputs on finalize commands

3. Parsing Differences between the aleo.abnf grammar and the implementation

4. Function, Closure, and Finalize deserialization routines allow large memory allocations

5. Unvalidated destination type for Commit instructions

6. Unnecessary overflow checks

7. Missing upper bound validation with MAX_STRUCT_ENTRIES

8. Discrepancies between the matches_record function implementation and its documentation

9. The /testnet3/node/env API endpoint provides binary path and repository information

10. Peer maximum message limit is off-by-one

11. The peers request/response flow allows local IP with non-node port

12. The refresh_and_insert function may not return previously seen timestamp

13. Structure serialization does not declare the correct number of fields

14. Potential overflow in total finalize cost

15. The is_sequential function allows u64::MAX to 0 transitions

  • Won't fix, `previous` will not overflow based on usage

16. Requesting more peers may not use newly connected peers

  • Won't fix, no vulnerability, however, open to improvements in the future

17. Committee::new allows creating genesis committees with more than four members

  • Won't fix, `Committee::new` used for testing

18. GitHub CI actions versions are not pinned

  • Won't fix at this time, does not touch any unit tests

19. The committee sorting tests do not consider if the validator is open to staking

20. Impossible match case in authority verification routine

21. The BFT::is_linked function does not properly determine if two certificates are linked

22. Peer is not removed from connecting_peers when handshake timed out

23. Rest API allows any origin

24. Garbage collection does not collect the next_gc_round

25. Fee verification is off-by-one

26. Block reward potential truncation and overflow

27. Saturated adds and subtractions can cause inconsistencies

28. IndexSet::remove does not preserve the order of the IndexMap

  • Won't fix: Ordering does not matter

29. The batch certificate id calculation does not include the number of signatures in the preimage

  • Won't fix: BatchCertificate serialization has changed

30. Missing validations in block metadata and header validation functions

  • Nothing to fix.

- solutions root can be zero.

- `cumulative_weight`, `proof_targets`, and `last_coinbase_target` checks are done in BlockHeader

31. The order of the saturating_add and checked_sub operations matters

  • Won't fix: Method has been deprecated

NCC Group

NCC Group is a world-leading global provider of software resilience and business continuity solutions. The firm protects software customers from unforeseen technology disruption, ensuring their critical services are always available. 

Aleo engaged NCC Group’s Cryptography Services team to conduct an implementation review of several components of snarkVM. NCC Group’s evaluation targeted the snarkVM repository at, on branch testnet3-audit-ncc, at commit 0b151b9. 

The following components were in scope:

  • synthesizer: Responsible for translating higher-level code into circuits that are compatible with the underlying zk-SNARK proof system.

  • algorithms: Implementation and execution of the proof system and the primitives needed to support it.

  • ledger: Data structures and methods for storing and interacting with the Aleo blockchain.

NCC Group’s review was supplemented with the documentation at and the Documents DRAFT: Aleo Protocol Specification (August 11, 2023) and Aleo Varuna Specification (September 7th, 2023).

The review targeted specific sub-components of snarkVM, not the whole library. Unless otherwise noted, findings in their report are limited to the behavior within a specific component and may not fully consider behaviors that affect out-of-scope components.

Audit findings

Read the full NCC Group report: snarkVM

Read the full NCC Group report: snarkOS

NCC Group’s assessment uncovered several findings across the in-scope components, including:

  • Finding "Incorrect Ratification Bound Check" describes how the number of ratifications on a block may not be correctly enforced.

  • Finding "Batch Proof Building and Verifying May Skip Inputs" describes how some inputs may be omitted when building or verifying proofs.

  • Finding "Trailing Zeros in Polynomials After Arithmetic Operations or Random Generation" describes how inconsistent handling of leading zeros in polynomials may lead to panics or incorrect results.

Note that additional engagement notes and comments are provided in the “Engagement Notes” section in NCC Group’s report.

Audit resolution

Aleo responded by quickly resolving the 17 issues in Audit 1 to ensure our network's safety and security. The seven issues in Audit 2 are still active and pending review from NCC Group.

Audit 1:

  1. Incorrect Ratification Bound Check

2. Batch Proof Building and Verifying Map Skip Inputs

3. Missing Sanity Checks Compared to the Aleo Protocol Spec

  • No Github link

4. Incorrect Logic in Speculation of Aborted Transactions

5. Missing Bounds Checks when Deserializing from Buffers

6. Leading Zeros in Polynomials After Arithmetic Operations or Random Generation

7. Function ID Hash Computations May Result In Collisions

8. Incomplete Reserved Keywords List

9. Missing Bound Check on Minimum Struct Entries

10. Inconsistent or Absent Bounds Checks on Inputs

11. Incorrect Polynomial Division When Both Operands Are Zero

12. Polynomial Serialization and Deserialization Does Not Strip Leading Zeros

13. Missing Subset Membership Check for Gamma Challenge

14. Incorrect Loop Exit Condition in Evaluation Generation

15. Outdated Dependencies, Cargo Audit Vulnerabilities and Missing Toolchain File

  • No Github link

16. Wrapped Shift Operators Do Not Follow Documented Semantics

17. Incorrect Random Vector Generation

After retesting, NCC Group found that most of the findings had been addressed. Out of a total of 17 original findings, 15 were marked as “Fixed,” one medium severity finding was marked as “Risk Accepted,” and one informational finding was marked as “Not fixed.” 

Audit 2: Still active and pending review from NCC Group

1. Non-Committing Encryption Used in InputID::Private

2. Late/Distant Validation of Block Request Range

  • No Github link

3. Brittle Error Handling of NoiseState::Handshake

  • No Github link

4. Secret Key Stored in Plaintext File, Missing Permission Checks

  • No Github link

5. CLI Input Private Keys and Sensitive Values Not Zeroized

  • No Github link

6. Missing Validation of Transmission Response

  • No Github link

7. Leader Election Process Does Not Match Whitepaper

  • No Github link


zkSecurity provides audits that assure companies that their offerings provide a security baseline. They conduct audits of zero-knowledge-proof systems, their applications, and the protocols that use them (for example, secure multi-party computation protocols). 

Auditing Aleo’s synthesizer

zkSecurity audited Aleo’s synthesizer for use in the Aleo blockchain. 

The Aleo synthesizer is the core protocol used in the deployment and execution of user programs on the Aleo blockchain. It wraps Varuna (Aleo's Marlin-based zero-knowledge proof system) and provides a high-level interface for users to deploy and execute programs and for the network to verify correct deployments and executions. (There is, in theory, a third flow supported by the synthesizer — the fee collection process — which is significantly less complex and which was omitted in zkSecurity’s report.)

zkSecurity was provided with a specification of Aleo covering some of the protocols behind the synthesizer and a specification of Varuna, Aleo's proof system.

zkSecurity used the `testnet3-audit-zks` branch (commit `9f5246d8c28afc0aef769b723eeaa4ec4a402b9c`). Included in the scope was the synthesizer part of the snarkVM, which lives in the synthesizer folder of the snarkVM repository. 

Auditing Aleo’s consensus 

Additionally, zkSecurity audited Aleo’s consensus for use in the Aleo blockchain. 

zkSecurity used the `testnet3-audit-zks` branch (commit `9234cbee73666c7e6d00dfbdbcb947a244a43818`) of the snarkOS repository. 

Included in the scope:

  • Aleo's Bullshark (the partially synchronous version) and Narwhal implementation for resharing and coming to consensus on a global order of transactions. 

  • Aleo's high-level consensus logic in snarkOS (within some folders of snarkOS/node). 

  • Aleo's ledger service, that has dependencies living in the snarkVM repository. 

Note that some logic (like the puzzle mechanism) was out of scope, as it was planned for replacement.

​​Audit findings 

Read the full zkSecurity report: Aleo synthesizer

Read the full zkSecurity report: Aleo consensus

In auditing Aleo’s synthesizer, the zkSecurity team found the code to be thoroughly documented, rigorously tested, and well-specified. In auditing Aleo’s consensus, the team found the code to be thoroughly documented and high-quality. 

Audit resolution

Aleo responded by quickly resolving the 8 issues to ensure our network's safety and security. The issues we resolved:

1. Non-Committing Encryption Used in InputID::Private

2. Non-Committing Encryption Used in OutputID::Private

3. Incorrect Fiat-Shamir Transform in Circuit Certification

4. Proof Delegation is Subject to Truncation

  • No Github link

5. Proof Delegation Leaks User Signing Key

6. Caller Is Not Fixed Throughout Function Execution

7. Ambiguous Encoding in Varuna Fiat-Shamir Transcript

8. Merkle Leaf Indices Are Not Unique

  • No Github link

Securing the Aleo Network for mainnet 

Aleo is an open-source software project. We fundamentally believe that more eyes equals more safety, which is why we not only engaged these auditors, but also are sharing the results of that work. Even though we’ve addressed the findings shared in these reports, the work is never over. The Aleo Team has always remained committed to transparency. And going forward, the Aleo Foundation stands ready to mobilize the community to address bugs that might come up in the future. 

We’re ready for mainnet.