Succinct: SP1 Call Contract audit report
Project Information
CATEGORY
Zero-Knowledge Virtual Machines (zkVM)
NETWORK
SP1, Ethereum
WEBSITE
https://www.succinct.xyz/
DESCRIPTION
From June 23, 2025 to June 26, 2025, Succinct engaged Veridise to conduct a security assessment of their SP1 Call Contract. The security assessment covered the SP1 Call Contract library, which allows developers to create proofs about block information and about calls performed off-chain over on-chain state with the SP1 zkVM. Additionally, the security assessment covered a Solidity library to validate the public information made available in a proof and an example zkVM application that queries Uniswap. Veridise conducted the assessment over 8 person-days, with 2 security analysts reviewing the project over 4 days. The review strategy involved a tool-assisted analysis of the program source code performed by Veridise security analysts as well as thorough code review.
Audit Report
SCOPE
The scope of this security assessment is limited to the crates/client-executor/src/, contracts/src/ and examples/uniswap/ directories of the source code provided by the SP1 Call Contract developers. These directories contain the SP1 library implementation, the smart contract validation library and the Uniswap example, respectively. From these directories, the following files were in scope:
- crates/client-executor/src/anchor.rs
- crates/client-executor/src/errors.rs
- crates/client-executor/src/io.rs
- crates/client-executor/src/lib.rs
- contracts/src/ContractCall.sol
- examples/uniswap/client/src/main.rs
- examples/uniswap/contracts/src/UniswapCall.so