Description:
Preparer and Auditor: Orijtech Inc.
Repository: https://github.com/celestiaorg/smt
Prepared for: Interchain Foundation and Celestiaorg
Date of analysis: July 10th 2021 to August 16th 2021
Focus: Finding bugs, vulnerabilities and oddities with the smt package
Methods applied:
- testing coverage checks
- fuzzed code using both dvyukov/go-fuzz and google/gofuzz
- audited by reading through code, then red-teaming
- Isolated code and functionality audit
- added celestiaorg/smt to oss-fuzz per https://github.com/google/oss-fuzz/pull/6134
- Analysis of external dependency: this package has NO external dependencies outside of the Go standard library
Severity Classifications:
Classifications
Problems
Memory usage is not as efficient or optimized as possible — Medium
- Allocated a small slice, then continuously appended to it (Fixed in #42)