Conversation

@nadir-akhtar
Collaborator

@nadir-akhtar nadir-akhtar commented Aug 4, 2025

Motivation:

Uninitialized roots can lead to issues like the Nomad bridge hack.

Modifications:

  • New error code and documentation
  • Added require statements for verifyInclusion(Keccak|SHA256)
  • Updated documentation for existing error code

Result:

Guard against uninitialized roots being used in proofs
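
Added illustration of the guard this PR describes, written in Python rather than the project's Solidity and not the project's own code: a SHA-256 Merkle inclusion check that refuses the all-zero root an unset storage slot would return. The function names, the epoch registry and the leaves are constructed for the example.

```python
import hashlib

ZERO_ROOT = b"\x00" * 32  # what an unset bytes32 storage slot reads as in Solidity

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_levels(leaves):
    """Hash the leaves and return every tree level, bottom to top (leaf count a power of two)."""
    level = [sha256(leaf) for leaf in leaves]
    levels = [level]
    while len(level) > 1:
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def merkle_proof(leaves, index):
    """Sibling hashes from the leaf up to, but not including, the root."""
    proof = []
    for level in build_levels(leaves)[:-1]:
        proof.append(level[index ^ 1])
        index >>= 1
    return proof

def verify_inclusion_sha256(root, leaf, proof, index):
    """True iff `leaf` sits at `index` under `root`. The first check is the kind of
    guard this PR adds: a zero root is what uninitialized storage yields, so refuse it."""
    if root == ZERO_ROOT:
        raise ValueError("root is unset (zero)")
    if len(root) != 32 or any(len(node) != 32 for node in proof):
        raise ValueError("root and proof nodes must be 32 bytes")
    node = sha256(leaf)
    for sibling in proof:
        node = sha256(sibling + node) if index & 1 else sha256(node + sibling)
        index >>= 1
    return node == root

def demo():
    leaves = [b"alice", b"bob", b"carol", b"dave"]  # constructed sample leaves
    registry = {7: build_levels(leaves)[-1][0]}  # epoch 7 was set; epoch 8 never written
    proof = merkle_proof(leaves, 2)
    ok = verify_inclusion_sha256(registry[7], b"carol", proof, 2)
    wrong_leaf = verify_inclusion_sha256(registry[7], b"mallory", proof, 2)
    try:  # reading the unset epoch returns the zero root, exactly the case guarded
        verify_inclusion_sha256(registry.get(8, ZERO_ROOT), b"carol", proof, 2)
        unset_rejected = False
    except ValueError:
        unset_rejected = True
    return ok, wrong_leaf, unset_rejected
```

Without the first check, the unset-epoch lookup would silently fall through to a hash comparison against zero instead of reverting at the point where the missing root is the real problem.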

@nadir-akhtar nadir-akhtar changed the base branch from main to release-dev/merkle-audit-fixes August 4, 2025 20:07
Collaborator

@ypatil12 ypatil12 left a comment

LGTM

@nadir-akhtar nadir-akhtar force-pushed the nadir/l-01-uninitialized-roots branch from 0031c85 to 4644613 on August 8, 2025 20:30
@nadir-akhtar nadir-akhtar merged commit 30ec964 into release-dev/merkle-audit-fixes Aug 8, 2025
9 checks passed
@nadir-akhtar nadir-akhtar deleted the nadir/l-01-uninitialized-roots branch August 8, 2025 21:17
nadir-akhtar added a commit that referenced this pull request Aug 12, 2025
**Motivation:**

Uninitialized roots can lead to issues like the [Nomad bridge hack](https://medium.com/nomad-xyz-blog/nomad-bridge-hack-root-cause-analysis-875ad2e5aacd).

**Modifications:**

* New error code and documentation
* Added require statements for `verifyInclusion(Keccak|SHA256)`
* Updated documentation for existing error code

**Result:**

Guard against uninitialized roots being used in proofs
nadir-akhtar added a commit that referenced this pull request Aug 13, 2025
**Motivation:**

In response to a recent audit report, we are closing out Lows and Infos
related to the Merkle library.

**Modifications:**

* [fix(audit): Merkle library infos (#1597)](a98493f)
* [fix(L-01): prevent uninitialized roots from being used (#1586)](30ec964)

**Result:**

Cleaner, safer code
3 participants