Trail of Bits

Anza Token-2022 Confidential Transfer, Blockchain

Type: Security review

Client: Anza

Date: 2026-01

Domain: Blockchain

Effort: 3 wks

Section: Solana

Trail of Bits's security review of Anza (Jan 2026) identified 6 issues: 2 low and 4 informational.

Findings · 6

  1. Unused commitments are not verified to be zero (Informational)
  2. BatchedRangeProofContext TryInto assumes all used commitments are nonzero (Low)
  3. VecPoly1::eval can panic on malformed structs (Informational)
  4. Auditor pubkey validation differs between confidential mint/burn and transfer operations (Informational)
  5. from_bytes functions lack length checks (Informational)
  6. verify_mint_proof and verify_burn_proof do not handle mixed-mode calls correctly (Low)

Findings extracted from the published report PDF. See the full report below for details and remediation.
