Boundless: Kailua audit report
Project Information
CATEGORY
L1/L2 blockchains
NETWORK
RISC Zero zkVM
WEBSITE
https://boundless.network/
DESCRIPTION
From Oct. 23, 2025 to Oct. 29, 2025, Boundless engaged Veridise to conduct a security assessment of their Kailua project. The security assessment covered parts of Kailua, a stateless Optimism client that derives and executes L2 blocks from L1 inputs and is designed to fit inside a zkVM for fault-proof proving. This is the fourth review Veridise has conducted on the Kailua project. Compared to the previously audited version of the code, the new version introduces the ability to pause and resume the derivation pipeline. The primary focus of this engagement was evaluating whether the pause/resume mechanism could be exploited to produce incorrect proofs. Veridise conducted the assessment over 12 person-days, with 3 security analysts reviewing the project over 4 days. The review strategy involved a thorough review of the program source code by Veridise security analysts.
Audit Report
SCOPE
The scope of this security assessment is limited to a specific set of source files from the repository, as agreed upon with the Kailua developers:
- build/risczero/kona/src/main.rs
- crates/kona/src/blobs.rs
- crates/kona/src/config.rs
- crates/kona/src/executor.rs
- crates/kona/src/journal.rs
- crates/kona/src/lib.rs
- crates/kona/src/witness.rs
- crates/kona/src/client/core.rs
- crates/kona/src/client/stateless.rs
- crates/kona/src/client/stitching.rs
- crates/kona/src/oracle/local.rs
- crates/kona/src/oracle/mod.rs
- crates/kona/src/precondition/mod.rs