Security audit: Rounds 1-3 findings in grevm parallel EVM (GREVM-001 ~ R3-009)#97

Draft
Richard1048576 wants to merge 1 commit into main from security-audit-fixes

Conversation

@Richard1048576 Richard1048576 commented Feb 26, 2026

Summary

Multi-round internal security audit of the grevm parallel EVM engine (~3000 LOC).

Round 1 (2026-02-26): 19 findings

  • 3 CRITICAL — UB via invalid_reference_casting (7 instances), data race on ContinuousDetectSet::index_flag, unsound concurrent mutation of ParallelState
  • 3 HIGH — TOCTOU race in async_finality, potential deadlock in TxDependency::add(), next_validation_idx() double-increment
  • 5 MEDIUM + 5 LOW + 3 INFO

Round 2 (2026-03-02): 10 findings

  • 3 HIGH — UnsafeCell safety not type-enforced (→ CommitGuard fix), commit continues after nonce failure, empty partition causes invalid access
  • 4 MEDIUM + 3 INFO

Round 3 (2026-03-05): 11 findings

  • GREVM-R3-001 (HIGH): TOCTOU in async_finality still exploitable — lower_ts[txid] never updated by reset_validation_idx(txid+1)
  • GREVM-R3-002 (HIGH): CommitGuard does not prevent simultaneous mutable aliases — new() takes shared ref
  • GREVM-R3-003 (MEDIUM): Nonce expect+1 u64 overflow in assertion
  • GREVM-R3-004 (MEDIUM): Write set not cleaned on EVM error re-execution
  • GREVM-R3-005 (MEDIUM): key_tx dependency race with concurrent commit
  • GREVM-R3-006 (MEDIUM): Coinbase skip in update_mv_memory hides user ETH transfers
  • GREVM-R3-007~009 (LOW): ERC20 slot inconsistency, results.push before error check, lazy_reward guard

Fix Verification (Round 3)

| Fix | Status |
| --- | --- |
| GREVM-004 (TOCTOU) | Still exploitable |
| GREVM-006 (CAS loop) | Not implemented — checklist incorrectly marks done |
| GREVM-R2-001 (CommitGuard) | Incomplete — type-level enforcement missing |
| All other fixes | Correctly applied |

Cross-Module Findings

  • VM validation disabled + grevm nonce check disabled + nonce assert_eq! = no non-crashing nonce path
  • Mint precompile Arc<Mutex<ParallelState>> incompatible with MVMemory
  • panic = "abort" bypasses fallback_sequential() entirely

Cumulative Statistics

| Severity | R1 | R2 | R3 | Total |
| --- | --- | --- | --- | --- |
| CRITICAL | 3 | 0 | 0 | 3 |
| HIGH | 3 | 3 | 2 | 8 |
| MEDIUM | 5 | 4 | 4 | 13 |
| LOW | 5 | 0 | 3 | 8 |
| INFO | 3 | 3 | 2 | 8 |
| Total | 19 | 10 | 11 | 40 |

Documentation

  • docs/security/2026-02-26-security-audit-report.md — Round 1
  • docs/security/2026-03-02-security-audit-round2-report.md — Round 2
  • docs/security-fix-checklist.md — Fix tracking

Test plan

  • cargo +nightly miri test — verify UB fixes
  • RUSTFLAGS="-Z sanitizer=thread" cargo +nightly test — data race detection
  • cargo bench — no performance regression
  • Verify TOCTOU fix (re-check status after lock re-acquisition)
  • Verify CommitGuard fix (consume &mut UnsafeCell)

🤖 Generated with Claude Code
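GREVM-R3-002 (guard constructor takes a shared reference) next to the test-plan fix (guard consumes `&mut UnsafeCell`), as an added example that is not grevm's code: `ParallelState`, both guard types and their `new`/`state` methods are constructed stand-ins, not the project's API.

```rust
use std::cell::UnsafeCell;

/// Stand-in for grevm's per-partition state (constructed for this example).
#[derive(Debug, Default)]
pub struct ParallelState {
    pub committed: Vec<u64>,
}

/// The shape the finding describes: `new()` takes a *shared* reference, so the
/// type system cannot stop two guards from coexisting on one cell.
pub struct UnsoundGuard<'a> {
    cell: &'a UnsafeCell<ParallelState>,
}
impl<'a> UnsoundGuard<'a> {
    pub fn new(cell: &'a UnsafeCell<ParallelState>) -> Self { Self { cell } }
    /// Two live guards calling this at once hand out aliasing `&mut` (UB);
    /// exclusivity is only a runtime convention here, not a compiler check.
    pub fn state(&mut self) -> &mut ParallelState {
        unsafe { &mut *self.cell.get() }
    }
}

/// The fixed shape: the guard consumes `&mut UnsafeCell`, so the borrow checker
/// enforces exclusivity for the guard's lifetime and no `unsafe` is needed.
pub struct CommitGuard<'a> {
    cell: &'a mut UnsafeCell<ParallelState>,
}
impl<'a> CommitGuard<'a> {
    pub fn new(cell: &'a mut UnsafeCell<ParallelState>) -> Self { Self { cell } }
    pub fn state(&mut self) -> &mut ParallelState { self.cell.get_mut() }
}

/// The gap: the unsound API lets us hold two guards on the same cell.
/// Neither guard dereferences here, so this function itself stays sound.
pub fn unsound_guards_on_one_cell() -> usize {
    let cell = UnsafeCell::new(ParallelState::default());
    let guards = vec![UnsoundGuard::new(&cell), UnsoundGuard::new(&cell)];
    guards.len() // 2: the compiler has nothing to object to
}

/// Commits through the sound guard. A second `CommitGuard::new(&mut cell)`
/// while `guard` is alive is rejected with E0499 (second mutable borrow).
pub fn commit_with_sound_guard(txids: &[u64]) -> Vec<u64> {
    let mut cell = UnsafeCell::new(ParallelState::default());
    let mut guard = CommitGuard::new(&mut cell);
    guard.state().committed.extend_from_slice(txids);
    drop(guard);
    cell.into_inner().committed
}
```

Running `cargo +nightly miri test` against a guard of the unsound shape only catches the aliasing when two guards actually dereference at the same time, which is why the fix moves the check to the type level.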

@nekomoto911 nekomoto911 marked this pull request as draft March 2, 2026 04:52
@Richard1048576 Richard1048576 changed the title Security audit: 19 findings in grevm parallel EVM (GREVM-001 through GREVM-019) Security audit: Rounds 1-3 findings in grevm parallel EVM (GREVM-001 ~ R3-009) Mar 5, 2026
AshinGau added a commit that referenced this pull request Mar 9, 2026
…l EVM (#99)

follow #97

---------

Co-authored-by: Richard <xunqiu2@gmail.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: nekomoto911 <nekomoto911@gmail.com>