Trail of Bits

Nervos SUDT

Type: Security review
Client: Decrypted Sapiens
Date: 2020-10
Domain: Blockchain
Effort: 6 wks
Section: NervOS

Trail of Bits's security review of Decrypted Sapiens (Oct 2020) identified 9 issues: 2 medium, 4 low, 2 informational, and 1 undetermined.

Findings · 9

  1. Docker-based contract build process depends on moleculec in PATH (Low)
  2. Use of an outdated ckb-c-stdlib dependency (Low)
  3. GCC versions 9.2 through 10.2 miscompile certain memcmp calls (Informational)
  4. Implementation of sbrk does not set errno upon failure (Low)
  5. Uninitialized variables are read (Medium)
  6. CKB-only cells invoke undefined behavior (Medium)
  7. Duplicated logic in the anyone-can-pay lock contract (Informational)
  8. The mbedtls library is built in non-production mode (Undetermined)
  9. nervosnetwork/riscv-newlib is severely outdated (Low)

Findings extracted from the published report PDF. See the full report below for details and remediation.