Assessment reports>IBC Eureka>Threat Model>Component: SP1ICS07Tendermint

Component: SP1ICS07Tendermint

Function: updateClient

The function verifies the public values via the SP1 verifier and updates the client and the consensus state.

Inputs

  • updateMsg

    • Control: Arbitrary.

    • Constraints: Must be a valid update — otherwise, the SP1 verifier will revert.

    • Impact: Updates the client and consensus state.

Branches and code coverage

Intended branches

Negative behavior

Function call analysis

  • VERIFIER.verifyProof

    • What is controllable? proof.vKey, proof.publicValues, and proof.proof.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? If this reverts, the entire transaction would revert — no reentrancy scenarios.

Function: verifyMembership

The function verifies the public values via the SP1 verifier and verifies that the requested path/value is present in the output paths/values.

Inputs

  • msg_

    • Control: Arbitrary.

    • Constraints: Must be a valid membership proof — otherwise, the SP1 verifier will revert.

    • Impact: Returns the timestamp of the trusted consensus state if the requested path/value is found in the output.

Branches and code coverage

Intended branches

Negative behavior

Function call analysis

  • VERIFIER.verifyProof

    • What is controllable? proof.vKey, proof.publicValues, and proof.proof.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? If this reverts, the entire transaction would revert — no reentrancy scenarios.

Function: verifyNonMembership

The function verifies the public values via the SP1 verifier and verifies that the requested path and empty value are present in the output paths/values.

Inputs

  • msg_

    • Control: Arbitrary.

    • Constraints: Must be a valid nonmembership proof — otherwise, the SP1 verifier will revert.

    • Impact: Returns the timestamp of the trusted consensus state if the requested path and empty values are found in the output.

Branches and code coverage

Intended branches

Negative behavior

Function call analysis

  • VERIFIER.verifyProof

    • What is controllable? proof.vKey, proof.publicValues, and proof.proof.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? If this reverts, the entire transaction would revert — no reentrancy scenarios.

Function: misbehaviour

The function verifies the public values via the SP1 verifier, verifies the misbehavior output, and finally updates the frozen state.

Inputs

  • misbehaviourMsg

    • Control: Arbitrary.

    • Constraints: Must be a valid misbehavior SP1 proof — otherwise, the SP1 verifier will revert.

    • Impact: Sets the isFrozen state to true.

Branches and code coverage

Intended branches

Negative behavior

Function call analysis

  • VERIFIER.verifyProof

    • What is controllable? proof.vKey, proof.publicValues, and proof.proof.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? If this reverts, the entire transaction would revert — no reentrancy scenarios.

Zellic © 2025Back to top ↑