Category: Code Maturity

No test suite is in place

Impact: Critical
Severity: Critical
Likelihood: N/A

Description

The project lacks a test suite for both the verifier contract SP1Helios.sol and the SP1 Helios programs under the /program directory, which are used to generate ZK proofs. Tests ranging from integration tests for Helios, with a node setup that supplies Beacon chain data, to basic unit tests for core functions are critical for eliminating potential security risks in the project.

Impact

When building a complex contract ecosystem with multiple moving parts and dependencies, comprehensive testing is essential. This includes testing for both positive and negative scenarios. Positive tests should verify that each function’s side effect is as expected, while negative tests should cover every revert, preferably in every logical branch.

Good test coverage has multiple effects.

  • It finds bugs and design flaws early (preaudit or prerelease).

  • It gives insight into areas for optimization (e.g., gas cost).

  • It displays code maturity.

  • It bolsters customer trust in your product.

  • It improves understanding of how the code functions, integrates, and operates — for developers and auditors alike.

  • It increases development velocity long-term.

The last point seems contradictory, given the time investment to create and maintain tests. To expand upon that, tests help developers trust their own changes. It is difficult to know if a code refactor — or even just a small one-line fix — breaks something if there are no tests. This is especially true for new developers or those returning to the code after a prolonged absence. Tests have your back here. They are an indicator that the existing functionality most likely was not broken by your change to the code.

Without a test suite, it is difficult to verify that the functionality implemented in the project works exactly as the developer intended, which may lead to malfunctions.

Additionally, as the project evolves and its complexity increases, it will become more difficult to detect potential bugs that may arise during future expansion and maintenance.

Recommendations

If possible, a test suite that covers all integrations and functionalities within the project should be implemented. We recommend implementing at minimum mock-based unit tests for fundamental coverage.
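
The mock-based unit tests recommended above, with a positive test for the side effect and a negative test for each rejection branch, as an added example that is not code from SP1 Helios or from this report. `LightClient`, `ProofVerifier`, `MockVerifier` and `UpdateError` are hypothetical names, and the mock stands in for the real ZK proof verifier.

```rust
// Added example; every name here is hypothetical, not the SP1 Helios API.
#[derive(Debug, PartialEq)]
pub enum UpdateError { InvalidProof, StaleSlot }
/// Seam that lets a unit test swap the real ZK proof verifier for a mock.
pub trait ProofVerifier { fn verify(&self, proof: &[u8], public_values: &[u8]) -> bool; }
/// Mock verifier: returns a fixed verdict, so no prover is needed in tests.
pub struct MockVerifier { pub accept: bool }
impl ProofVerifier for MockVerifier {
    fn verify(&self, _proof: &[u8], _public_values: &[u8]) -> bool { self.accept }
}

pub struct LightClient<V: ProofVerifier> { verifier: V, pub head: u64, pub root: [u8; 32] }
impl<V: ProofVerifier> LightClient<V> {
    pub fn new(verifier: V) -> Self { Self { verifier, head: 0, root: [0; 32] } }
    /// Each `Err` below is a rejection branch that needs its own negative test.
    pub fn update(&mut self, proof: &[u8], slot: u64, root: [u8; 32]) -> Result<(), UpdateError> {
        let public_values = [&slot.to_be_bytes()[..], &root[..]].concat();
        if !self.verifier.verify(proof, &public_values) { return Err(UpdateError::InvalidProof); }
        if slot <= self.head { return Err(UpdateError::StaleSlot); }
        self.head = slot;
        self.root = root;
        Ok(())
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    #[test] // positive: the side effect is exactly the new head and root
    fn valid_update_advances_state() {
        let mut c = LightClient::new(MockVerifier { accept: true });
        assert_eq!(c.update(b"proof", 10, [1; 32]), Ok(()));
        assert_eq!((c.head, c.root), (10, [1; 32]));
    }
    #[test] // negative: a rejected proof must leave state untouched
    fn invalid_proof_is_rejected() {
        let mut c = LightClient::new(MockVerifier { accept: false });
        assert_eq!(c.update(b"proof", 10, [1; 32]), Err(UpdateError::InvalidProof));
        assert_eq!((c.head, c.root), (0, [0; 32]));
    }
    #[test] // negative: an equal or older slot must not replace the head
    fn stale_slot_is_rejected() {
        let mut c = LightClient::new(MockVerifier { accept: true });
        c.update(b"proof", 10, [1; 32]).unwrap();
        assert_eq!(c.update(b"proof", 10, [2; 32]), Err(UpdateError::StaleSlot));
        assert_eq!((c.head, c.root), (10, [1; 32]));
    }
}

fn main() { println!("{:?}", LightClient::new(MockVerifier { accept: true }).update(b"proof", 10, [1; 32])); }
```

The `ProofVerifier` trait is the seam: production code would pass the real verifier, while the tests pass the mock and reach every branch without generating a proof.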

Remediation

Zellic © 2025