Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: mention security audits #244

Merged
merged 14 commits into from
Aug 20, 2024
Merged

docs: mention security audits #244

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
d4f8f75
Created AUDITS.md, included details from Cantina Finding
CanonicalJP Aug 6, 2024
f0f2d98
Update AUDITS.md, added Certora's detail
CanonicalJP Aug 6, 2024
1f6553d
Updated AUDITS.md
CanonicalJP Aug 6, 2024
5094ba6
Updated AUDITS.md
CanonicalJP Aug 7, 2024
0ef616b
Updated README.md
CanonicalJP Aug 7, 2024
1e0240f
Updated AUDITS.md
CanonicalJP Aug 7, 2024
4634c2e
docs: polish security document
PaulRBerg Aug 13, 2024
7c4433f
Created AUDITS.md, included details from Cantina Finding
CanonicalJP Aug 6, 2024
dfabd41
Update AUDITS.md, added Certora's detail
CanonicalJP Aug 6, 2024
507d0f7
Updated AUDITS.md
CanonicalJP Aug 6, 2024
05edf79
Updated AUDITS.md
CanonicalJP Aug 7, 2024
3957e53
Updated README.md
CanonicalJP Aug 7, 2024
5e0b10a
Updated AUDITS.md
CanonicalJP Aug 7, 2024
638cdaa
docs: polish security document
PaulRBerg Aug 13, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -392,8 +392,8 @@ You will need the following VSCode extensions:

## Security

While I set a high bar for code quality and test coverage, you should not assume that this project is completely safe to use. PRBMath has not yet been
audited by a third-party security researcher.
The codebase has undergone audits by leading security experts from Cantina and Certora. For a comprehensive list of all audits conducted, see the
[SECURITY](./SECURITY.md) file.

### Caveat Emptor

Expand Down
26 changes: 26 additions & 0 deletions SECURITY.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
# Security

The PRBMath codebase has undergone audits by leading security experts from Cantina and Certora.

| :warning: | Audits are not a guarantee of correctness. Some parts of the code base were modified after they were audited. |
| --------- | :------------------------------------------------------------------------------------------------------------ |

All issues have been timely addressed and are fixed in the latest version of PRBMath.

| Auditor | Type | Initial Commit | Report |
| :------ | :--- | :------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------- |
| Certora | Firm | [prb-math@v4.0.0](https://github.com/PaulRBerg/prb-math/tree/v4.0.0) | [2023-07-12](https://medium.com/certora/problems-in-solidity-fixed-point-libraries-certora-bug-disclosure-987f504daca4) |
| Cantina | Firm | [prb-math@v3.3.3](https://github.com/PaulRBerg/prb-math/tree/v3.3.2) | [2023-06-08](https://github.com/sablier-labs/audits/blob/6567df3fa42b90663e3e694b1e776c6db337a3f2/v2-core/cantina-2023-06-08.pdf) |

## Cantina Review

Cantina performed an audit of [Sablier Lockup](https://github.com/sablier-labs/v2-core) in June 2023, which included `prb-math@v3.3.3` in scope. Their
report included a finding in PRBMath:

> 3.2.3 PRBMath pow() function can return inconsistent values

The issue has been fixed in this PR: https://github.com/PaulRBerg/prb-math/pull/179

## Certora Review

The rounding modes were not explicitly documented. This issue was fixed in [v4.0.1](https://github.com/PaulRBerg/prb-math/releases/tag/v4.0.1).