Category: Code Maturity

Unclear variable names can be potentially confusing

Informational Severity
Informational Impact
N/A Likelihood

Description

Several functions use short, abbreviated variable names such as kptr, pptr, fptr, and prm.

Impact

The finding does not have a direct security impact, but we believe it may lead to future bugs. Although this practice is common in C code, we nevertheless recommend against it. Variable names like these can lead to developer confusion and, ultimately, bugs. They may also lead to the inadvertent use of the wrong variable in place of the correct one. Such simple coding mistakes are easy to make, hard to catch, and often critical in nature. The practice also makes the code more difficult for auditors and external developers to read, understand, and extend.

Recommendations

Given the security-critical and high-assurance nature of the project, we recommend using longer, clearer, and more specific variable names in the future. For instance, pc_price_t *pptr could instead be named pc_price_t *price_ptr. Of course, customary variable names such as i for loop indices or n for count variables are still fine.

Remediation

The finding has been acknowledged by Pyth Data Association. Their official response is reproduced below:

Pyth Data Association acknowledges the finding, but doesn't believe it has security implications. However, we may deploy a bug fix to address it.

Zellic © 2024