Security audit: 19 findings in grevm parallel EVM (GREVM-001 through GREVM-019)#97
Open
Richard1048576 wants to merge 1 commit intomainfrom
Open
Security audit: 19 findings in grevm parallel EVM (GREVM-001 through GREVM-019)#97Richard1048576 wants to merge 1 commit intomainfrom
Richard1048576 wants to merge 1 commit intomainfrom
Conversation
Internal security audit of grevm parallel EVM engine identified: - 3 CRITICAL: undefined behavior via invalid_reference_casting (7 instances), data race on ContinuousDetectSet, unsound concurrent ParallelState mutation - 3 HIGH: TOCTOU race in async_finality, deadlock risk in TxDependency, next_validation_idx double-increment race - 5 MEDIUM: panic in production paths, env var parsing, hardcoded ERC20 hints, println debug output, fork_join unsound mutation - 5 LOW + 3 INFO: bounds checks, TODOs, memory ordering, redundancy Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Internal security audit of the grevm parallel EVM engine (~3000 LOC) identified 19 findings.
The dominant issue is systematic use of
unsafealiasing (&T→&mut Tcasting) as a substitutefor proper interior mutability — this appears 7 times across the codebase and is the root cause
of the three CRITICAL findings.
invalid_reference_casting(7 instances across 5 files),data race on
ContinuousDetectSet::index_flag, unsound concurrent mutation ofParallelStatevia async commit thread
async_finality(status check-and-set not atomic), potentialdeadlock in
TxDependency::add()(inconsistent lock ordering),next_validation_idx()double-increment race (non-atomic check-then-increment)
panic!/assert!/unwrap()in production commit/scheduler paths,environment variable parsing crashes,
get_contract_type()hardcoded to ERC20,println!()debug output in production,fork_join_utilunsound parallel mutationDocumentation
docs/security/2026-02-26-security-audit-report.md— Full audit report with all 19 findingsdocs/security-fix-checklist.md— Tracking checklist for fixesRoot Cause Pattern
All three CRITICAL findings stem from
#[allow(invalid_reference_casting)]— the pattern of casting&Tto&mut Tvia raw pointer. This is instant UB under Rust's aliasing model. Files affected:src/scheduler.rs,src/async_commit.rs,src/utils.rs,src/hint.rs,src/storage.rs.Recommended approach: replace with
UnsafeCell-based abstractions (AtomicBool,Mutex,RwLock,or custom
Syncwrappers with documented safety invariants).Test plan
cargo +nightly miri testto verify UB fixesRUSTFLAGS="-Z sanitizer=thread" cargo +nightly testfor data race detectioncargo benchto verify no performance regression after fixesGREVM_CONCURRENT_LEVEL=32🤖 Generated with Claude Code