
Unveiling the Audit Findings: Insights into the Pectra System Contracts

The security of the Ethereum protocol is continually being strengthened, and one recent effort is the independent security audit of the Pectra System Contracts.

The findings from these audits are available in the audits repository. The TL;DR: all identified issues considered significant or relevant have been resolved.

Audit Scope and Methodology

The Pectra System Contracts cover multiple EIPs (EIP-2935, EIP-7002, and EIP-7251), and the reviews were conducted mainly to:

  • Examine the contracts for possible attack vectors.
  • Verify that the contract logic faithfully implements the intended functionality according to the EIP specifications.

A multi-stage approach was used, with each audit building on the insights gained from the previous ones:

  1. Blackthorn Audit
  2. Dedaub Audits
  3. PlainShift Audit
  4. Sigma Prime Audit

Between audits, code improvements were made before the next round began.

Formal Verification

Alongside the security audits outlined above, a16z performed formal verification using Halmos to confirm the functional correctness of these contracts. This work focused specifically on whether the bytecode matches the specifications, not on whether the specifications themselves are secure against abuse or malicious exploitation. This separation of concerns lets auditors and the community scrutinize the specifications without being burdened by low-level bytecode implementation details.

Next Steps

The full reports are available in the Pectra System Contracts Audits repository.

A bug bounty contest is currently underway on Cantina, offering rewards of up to $2,000,000 for findings related to Pectra.

As ever, the security of the Ethereum ecosystem is a shared endeavor. We express our appreciation to all the auditors and contributors who have been vital to this initiative!


