Malda: zk-coprocessor audit report
Project Information
CATEGORY
Smart Contracts, zkVM
NETWORK
RISC Zero ZKVM
WEBSITE
https://malda.xyz/
DESCRIPTION
From Jan. 20, 2025 to Feb. 18, 2025, Malda engaged Veridise to conduct a security assessment of their Malda lending protocol. The security assessment covered the Malda Rust programs intended to be run in the RISC Zero zkVM, as well as the Malda smart contracts, which together implement a cross-chain over-collateralized lending protocol. Following this review, Malda engaged Veridise from Mar. 24 to Mar. 27 to conduct a security assessment of the Malda L1 Inclusion feature. This report only focuses on the zk-coprocessor programs. A companion report discusses the findings from the coincident smart contract review. Veridise conducted the first assessment over 12 person-weeks, with 3 security analysts reviewing the project over 4 weeks. The second assessment occurred over 8 person-days, with 2 security analysts reviewing the project over 4 days. The review strategy involved a tool-assisted analysis of the program source code performed by Veridise security analysts as well as thorough code review.
Audit Report
SCOPE
The scope of the initial security assessment at commit 5a570514 is limited to the following folders of the source code provided by the Malda developers, which contain the implementation of Malda:
- malda_rs/src/
- methods/guest/guest_utils/src/
- methods/guest/src/
- methods/src/
- patch/ethereum_hashing/src/
During the fix review, the directory methods/guest/guest_utils/src/ was removed, and its contents were moved to malda_utils/src.
The scope of the second security assessment at commit 2095dda1 is limited to the following folders of the source code provided by the developers:
- malda_utils/src
This includes all changes to the guest code (i.e. the verification logic checked on-chain) of the protocol.