Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Brevis>Discussion>Test suite
GeneralOverview
Findings
Critical (4)
High (5)
Medium (5)
Low (12)
Informational (9)
DiscussionVarious possible simplifications and optimizationsAdditional validationLack of documentation or commentsMinor recommendationsCode duplicationConsistent usage of named constantsLists and tuples' ambiguous behavior when used recursivelyBehavior of bits2Bytes and addOutput for circuit variablesIncorrect hex string and parsing errors canceling each other outReferences to MiMC instead of PoseidonUnallocated inputs slots not constrainedKeccak padding function pad10*1Confusing function GroupBySetupVerification of Poseidon constantsTest suite
Audit ResultsAssessment Results

Test suite

For a large codebase with multiple moving parts and dependencies, comprehensive testing is essential.

Therefore, we recommend building a rigorous test suite that tests all functionalities, not just with integration tests but also through tests of individual functions, to ensure that the system operates as intended.

During our audit, we noticed that while tests were present for many functions, they often only tested particular hardcoded inputs. We recommend to, as far as possible, test random samples across the entire range of possible inputs, along with possibly hardcoded, handpicked test inputs for rare edge cases. For example, Finding ref could have been found by tests if the Keccak padding function had been tested with inputs of varying lengths, by comparing against external implementations of Keccak and its padding function.

Note that for proof circuits, tests can generally only test for completeness. The most serious bugs are often underconstraints that make the circuit unsound, and these bugs cannot be found with normal testing. Thus, comprehensive testing should be considered complementary to thorough manual review.

Zellic © 2025Back to top ↑