Boundless: Fulfilment Data audit report
Project Information
CATEGORY
Zero-Knowledge Virtual Machines (zkVM), Smart Contracts
NETWORK
Ethereum, RISC Zero
WEBSITE
https://boundless.network/
DESCRIPTION
From Sep. 11, 2025 to Sep. 18, 2025, Boundless engaged Veridise to conduct a security assessment of their Boundless Market. The security assessment covered on-chain and off-chain components of the Boundless Market related to the introduction of BitVM support. Compared to the previous version, which Veridise had audited previously, the new version covered an extension to the Boundless Market that introduces support for a Groth16 proof variant used in BitVM, which commits to a single digest BLAKE3 instead of multiple public values. Veridise conducted the assessment over 2 person-weeks, with 2 security analysts reviewing the project over 1 week. The review strategy involved a tool-assisted analysis of the program source code performed by Veridise security analysts, as well as a thorough code review.
Audit Report
SCOPE
The scope of this security assessment is limited to the changes to the following files since the prior Veridise audit, which resolved at commit f0e5fc49:
- contracts/src/BoundlessMarket.sol
- contracts/src/IBoundlessMarket.sol
- contracts/src/types/AssessorCommitment.sol
- contracts/src/types/Fulfillment.sol
- contracts/src/types/FulfillmentData.sol
- contracts/src/types/Predicate.sol
- contracts/src/types/Requirements.sol
- crates/assessor/src/lib.rs
- crates/boundless-market/src/contracts/mod.rs
- crates/guest/assessor/assessor-guest/src/main.rs
These contain the smart contract and zkVM implementation of the Boundless Market: Fulfillment Data.