Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Brevis>Discussion>Code duplication
GeneralOverview
Findings
Critical (4)
High (5)
Medium (5)
Low (12)
Informational (9)
DiscussionVarious possible simplifications and optimizationsAdditional validationLack of documentation or commentsMinor recommendationsCode duplicationConsistent usage of named constantsLists and tuples' ambiguous behavior when used recursivelyBehavior of bits2Bytes and addOutput for circuit variablesIncorrect hex string and parsing errors canceling each other outReferences to MiMC instead of PoseidonUnallocated inputs slots not constrainedKeccak padding function pad10*1Confusing function GroupBySetupVerification of Poseidon constantsTest suite
Audit ResultsAssessment Results

Code duplication

We observed several instances of duplicated code within and across repositories. For example, various functions were duplicated across the original scopes in the repos zk-bridge and zk-utils. In the scopes ultimately audited, we observed less duplication; however, some duplication is still present. For example, in the sdk repo, common/utils/binary.go only contains a function that exists identically in the zk-hash repo at utils/binary.go, which could be used instead. In zk-hash, the files keccak/keccakf/keccakf_old.go and keccak/keccakf/keccakf.go are mostly duplicate.

We recommend to avoid code duplication and instead refactor code to use a single implementation to prevent mistakes in the future, should the two implementations diverge.

Zellic © 2025Back to top ↑