Audits
CodeArena Zenith Audit

CodeArena Zenith Audit

From December 2024 to February 2025 the Unruggable Gateways codebase underwent a multipronged audit in collaboration with CodeArena (opens in a new tab).

Please see scoping.md for information that was provided to CodeArena in advance of the audit.

1. Zenith Private Audit

Commit hash: v1.0.0-audit-2024-11-22-rc.1 (opens in a new tab)

The Zenith audit was comprehensive and in-depth.

Two medium severity issues were found in our Scroll verifier as well as five low severity issues.

The discovered issues (opens in a new tab) were mitigated and an an audit report was produced by CodeArena.

Please see Zenith Audit Report - Unruggable.pdf for an indepth look at the findings.

2. Invitational Competitive Audit

Commit hash: v1.0.0-invitational-audit-2024-12-06-rc.2 (opens in a new tab)

The invitational audit involved five auditors selected by the CodeArena team. The selected wardens were provided with the following code walkthrough (opens in a new tab), and had direct contact with the Unruggable team through Discord, and the CodeArena invitational platform.

Two medium severity issues were found:

  • The Scroll verifier was not respecting the max depth of their zkTrie.
  • The verifier for OP Stack chains implementing fault proofs did not correctly respect the blacklist.

Both issues were mitigated, and these mitigations were reviewed (opens in a new tab).

A low severity issue was found pertaining to validations in the context of the unfinalized Arbitrum Nitro verifier. For strict correctness these additional validations were added but it is worth drawing the attention of users of this codebase to the fact that unfinalized verifiers are configured by users and their usage inherently involves relaxation of trust assumptions.

Changes implemented in response to the invitational audit can be found within the following Pull Request (opens in a new tab).

3. Additional Zenith Review

Based on discussion with the CodeArena team and the judge for the invitational audit, it was decided that a member of the Zenth audit team (@peakbolt) would undertake a further coverage check to ensure that the codebase had received appropriate audit coverage.

This additional review (opens in a new tab) uncovered one further Medium risk issue:

  • The OP stack verifier for chains not implementing fault proofs was not correctly considering finalizationPeriodSeconds.

This issue was mitigated using a GameFinder (binary search) approach to optimise finding appropriately finalised games from both the gateway and verifier code.

Additionally, two Low risk issues related to strict proof validation correctness were found. These issues were mitigated.

Evaluation LoopsCoinbase OPFault Audit