vlayer audit report
Project Information
CATEGORY
Smart Contracts, zkVM
NETWORK
Ethereum
WEBSITE
https://www.vlayer.xyz/
DESCRIPTION
From Feb. 10, 2025 to Mar. 21, 2025, vlayer labs engaged Veridise to conduct a security assessment of vlayer. Veridise conducted the assessment over 12 person-weeks, with 2 security analysts reviewing the project over 6 weeks.
The review strategy involved a tool-assisted analysis of the program source code performed by Veridise security analysts as well as thorough code review.
Audit Report
SCOPE
The scope of this security assessment is limited to the Solidity contracts in the contracts /vlayer/src folder and the Rust files in the rust/ folder of the source code provided by the vlayer developers with the following exceptions:
- contracts/vlayer/src
- ImageID.sol
- proof_verifier/FakeProofVerifier.sol
- proof_verifier/ProofVerifierFactory.sol
- proof_verifier/ProofVerifierRouter.sol
- rust/
- Various test files
- cli/
- common/cli.rs
- common/rpc.rs
- trace.rs
- provider/
- range/
- server_utils/
- services/call/host/
- services/call/server/
- services/call/server_lib/
- services/chain/client/
- services/chain/db/
- services/chain/host/
- services/chain/mock_server/
- services/chain/server/
- services/chain/server_lib/
- services/chain/worker/
- services/dns/
- verifiable_dns/dns_over_https/
- verifiable_dns/verifiable_dns/
- version
Note that most of the host code, which communicates the inputs of the actual constrained execution of the zkVM, is out of scope.