Trail of Bits

Dfinity Candid

Type: Security review
Client: Dfinity
Date: 2023-11
Domain: Crypto
Effort: 3 wks
Section: Cryptography Reviews

Trail of Bits's security review of Dfinity (Nov 2023) identified 16 issues: 1 high, 1 medium, 2 low, 10 informational, and 2 undetermined.

Findings · 16

  1. Unmaintained dependency in candid_parser (Informational)
  2. Insufficient linter use (Informational)
  3. Imprecise errors (Informational)
  4. Unnecessary recursion (Undetermined)
  5. The IDL allows for recursive cyclic types which should not be allowed (Undetermined)
  6. Stack overflow in encoding/serialization path (Medium)
  7. The fuzzing harnesses do not build (Informational)
  8. The float32/float64 infinite signs are displayed incorrectly (Informational)
  9. Incorrect arithmetic (High)
  10. Inadequate recursion checks (Low)
  11. TypeId::of functions could be optimized into a single function (Informational)
  12. Deserialization correctness depends on the thread in which operations are performed (Informational)
  13. External GitHub CI actions versions are not pinned (Low)
  14. Inconsistent support for types in operators (Informational)
  15. Recursion checks do not ensure stack frame size (Informational)
  16. Misleading error message (Informational)

Findings extracted from the published report PDF. See the full report below for details and remediation.
