The security of the Ethereum protocol is continually being improved, and one recent effort is the external security review of the Pectra System Contracts.
The results of this review can be found in the audits repository, and the TL;DR is that all discovered issues deemed relevant or important from these reviews have been addressed.
Audit Scope and Methodology
The Pectra System Contracts encompass several EIPs (EIP-2935, EIP-7002, and EIP-7251), and reviews were primarily done to:
- Evaluate the contracts for potential attack vectors.
- Ensure that the contract logic accurately implements the intended functionality as per the EIP specifications.
A multi-phase approach was taken, with each audit building upon the findings of previous ones:
- Blackthorn Audit
- Dedaub Audits
- PlainShift Audit
- Sigma Prime Audit
Between each review, code improvements were made before proceeding to the next round of audits.
Formal Verification
In addition to the security reviews listed above, a16z conducted a Formal Verification using Halmos.
They used Halmos to formally verify the functional correctness of these contracts. This specifically focused on whether the bytecode aligned with the spec, rather than evaluating the security of the spec itself against potential abuse or malicious use. This separation of concerns allows auditors and the community to review the spec without worrying about low-level bytecode implementation details.
Next Steps
The full reports can be found in the Pectra System Contracts Audits repository.
A bug bounty competition is currently running on Cantina has rewards of up to $2,000,000 for findings related to Pectra.
As always, the security of the Ethereum ecosystem is a collective effort. We extend our gratitude to all the auditors and contributors who have played an important part in this process!
