From 95f00b2ef77c77a8b167fe83b562ed55abf1a205 Mon Sep 17 00:00:00 2001 From: Paul Razvan Berg Date: Tue, 20 Aug 2024 09:41:56 +0200 Subject: [PATCH] docs: mention security audits (#244) * Created AUDITS.md, included details from Cantina Finding Created draft version with details of Cantina's review * Update AUDITS.md, added Certora's detail Added the details about the security bug made by Certora and refactored the text * Updated AUDITS.md * Updated AUDITS.md * Updated README.md * Updated AUDITS.md * docs: polish security document * Created AUDITS.md, included details from Cantina Finding Created draft version with details of Cantina's review * Update AUDITS.md, added Certora's detail Added the details about the security bug made by Certora and refactored the text * Updated AUDITS.md * Updated AUDITS.md * Updated README.md * Updated AUDITS.md * docs: polish security document --------- Co-authored-by: JP <89362795+0xJayPi@users.noreply.github.com> --- README.md | 4 ++-- SECURITY.md | 26 ++++++++++++++++++++++++++ 2 files changed, 28 insertions(+), 2 deletions(-) create mode 100644 SECURITY.md diff --git a/README.md b/README.md index 7618744..699bc8f 100644 --- a/README.md +++ b/README.md @@ -392,8 +392,8 @@ You will need the following VSCode extensions: ## Security -While I set a high bar for code quality and test coverage, you should not assume that this project is completely safe to use. PRBMath has not yet been -audited by a third-party security researcher. +The codebase has undergone audits by leading security experts from Cantina and Certora. For a comprehensive list of all audits conducted, see the +[SECURITY](./SECURITY.md) file. ### Caveat Emptor diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..42070cf --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,26 @@ +# Security + +The PRBMath codebase has undergone audits by leading security experts from Cantina and Certora. + +| :warning: | Audits are not a guarantee of correctness. Some parts of the code base were modified after they were audited. | +| --------- | :------------------------------------------------------------------------------------------------------------ | + +All issues have been timely addressed and are fixed in the latest version of PRBMath. + +| Auditor | Type | Initial Commit | Report | +| :------ | :--- | :------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------- | +| Certora | Firm | [prb-math@v4.0.0](https://github.com/PaulRBerg/prb-math/tree/v4.0.0) | [2023-07-12](https://medium.com/certora/problems-in-solidity-fixed-point-libraries-certora-bug-disclosure-987f504daca4) | +| Cantina | Firm | [prb-math@v3.3.3](https://github.com/PaulRBerg/prb-math/tree/v3.3.2) | [2023-06-08](https://github.com/sablier-labs/audits/blob/6567df3fa42b90663e3e694b1e776c6db337a3f2/v2-core/cantina-2023-06-08.pdf) | + +## Cantina Review + +Cantina performed an audit of [Sablier Lockup](https://github.com/sablier-labs/v2-core) in June 2023, which included `prb-math@v3.3.3` in scope. Their +report included a finding in PRBMath: + +> 3.2.3 PRBMath pow() function can return inconsistent values + +The issue has been fixed in this PR: https://github.com/PaulRBerg/prb-math/pull/179 + +## Certora Review + +The rounding modes were not explicitly documented. This issue was fixed in [v4.0.1](https://github.com/PaulRBerg/prb-math/releases/tag/v4.0.1).
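Review bot: the README hunk drops the explicit caveat "you should not assume that this project is completely safe to use" and replaces it with "audits by leading security experts", so the only statement that audits are not a guarantee now lives in SECURITY.md, which README readers may never open. Suggest keeping one sentence of the caveat next to the link and using neutral wording, e.g. "The codebase has been audited by Cantina and Certora; audits are not a guarantee of correctness. See the [SECURITY](./SECURITY.md) file for the list of audits and their scope."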
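Review bot: in the Cantina row of the audit table the link text reads `prb-math@v3.3.3` but the URL points at `tree/v3.3.2`; since the "Cantina Review" section states that `prb-math@v3.3.3` was in scope, the URL is presumably the one that is wrong and should be `.../tree/v3.3.3` (please verify against the report before merging). Smaller points in the same file: the "Initial Commit" column holds release tags rather than commits, so either rename it to "Version audited" or put commit hashes in it; the "Type" column is "Firm" for both rows and adds nothing; the Certora "Report" cell links a Medium disclosure post, not an audit report, so label it as such; the "Certora Review" section says only that rounding modes were not documented and, unlike the Cantina section, does not name the finding or link the fixing PR or commit, which a reader checking whether their version is affected will want; and "timely addressed" should read "promptly addressed".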