Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>SP1 Helios>Threat Model>update
GeneralOverview
Findings
Critical (1)
Medium (1)
Informational (3)
DiscussionLoss of the guardian role after calling the relinquishGuardian functionSuggestion for gas optimization
Threat ModelWhat are threat models?SP1Helios
SP1Helios.solchangeGuardianrelinquishGuardianupdateupdateLightClientVkeyupdateStorageSlotupdateStorageSlotVkey
Audit ResultsAssessment Results

Function: update(bytes proof, uint256 newHead, byte[32] newHeader, byte[32] executionStateRoot, uint256 _executionBlockNumber, byte[32] syncCommitteeHash, byte[32] nextSyncCommitteeHash, StorageSlot[] _storageSlots)

This function is used to update the light client with a new header, execution-state root, and sync committee when it changes. All the inputs are verified against the proof provided, and the state of the light client is updated accordingly. In addition, the storage slots are updated with the provided values.

The proof is expected to be generated by the SP1 Helios light-client program, which is a zkSNARK program that verifies the validity of the new header, execution-state root, and sync committee against the previous state of the light client. The verifier key is expected to be LIGHT_CLIENT_ELF of the SP1 Helios light-client program.

Inputs

  • proof

    • Control: Arbitrary.

    • Constraints: Verified in the verifier contract.

    • Impact: The proof bytes for the SP1 Helios light-client proof.

  • newHead

    • Control: Arbitrary.

    • Constraints: Must be greater than the current head, divisible by 32, and a checkpoint slot, which is verified against the proof.

    • Impact: The slot of the new head.

  • newHeader

    • Control: Arbitrary.

    • Constraints: None, but verified against the proof.

    • Impact: The new beacon block-header hash.

  • executionStateRoot

    • Control: Arbitrary.

    • Constraints: None, but verified against the proof.

    • Impact: The execution-state root from the execution payload of the new beacon block.

  • _executionBlockNumber

    • Control: Arbitrary.

    • Constraints: None, but verified against the proof.

    • Impact: The execution block number.

  • syncCommitteeHash

    • Control: Arbitrary.

    • Constraints: None, but verified against the proof.

    • Impact: The sync-committee hash of the current period.

  • nextSyncCommitteeHash

    • Control: Arbitrary.

    • Constraints: If the next sync committee is defined, it must match the expected value and be verified against the proof.

    • Impact: The sync-committee hash of the next period.

  • _storageSlots

    • Control: Arbitrary.

    • Constraints: None, but verified against the proof.

    • Impact: The updated storage slots.

Branches and code coverage

Intended branches

  • Call the verifier contract to verify the proof with inputs.

  • Update the light-client state with the new head, header, execution-state root, and sync committee.

  • Update the storage slots with the provided values.

Negative behavior

  • Revert if the sync committee for the current head is not set.

  • Revert if the new head is behind the current head.

  • Revert if the new head is not a checkpoint slot (divisible by 32).

  • Revert if the next sync committee is defined but does not match the expected value.

Function call analysis

  • ISP1Verifier(this.verifier).verifyProof(this.lightClientVkey, abi.encode(po), proof)

    • What does this do? The proof provided by the user is verified through the SP1 verifier contract along with the associated public values.

    • If the return value is controllable, how is it used and how can it go wrong? The verifier contract should be trusted, as it is a core part of the SP1 Helios light client. If the proof is invalid, it will revert.

    • What happens if it reverts, reenters or does other unusual control flow? Reverts from this call means that the proof is invalid, which is expected behavior.

Zellic © 2025Back to top ↑