SECURING THE FUTURE OF ZK PROOFS & ETHEREUM SCALABILITY

In-Depth Audit of Aligned Layer’s Smart Contracts and Batch Processing

At FuzzingLabs, we recently completed a comprehensive security audit of Aligned Layer, a decentralized network designed to provide fast, efficient, and low-cost verification of zero-knowledge (ZK) and validity proofs on the Ethereum blockchain. This post summarizes the key findings of our audit, with a focus on the protocol’s strengths and the vulnerabilities we uncovered. Additionally, we’ll introduce the Eigen Layer, an integral component of the system, and discuss how it strengthens Ethereum’s security using proof-of-stake mechanisms.


What is Aligned Layer?

Aligned Layer is a cutting-edge solution aimed at enhancing Ethereum’s scalability by moving proof verification off-chain. It overcomes the inherent limitations of traditional blockchain verification systems, which tend to be slow and expensive because every node must re-execute every transaction. Aligned Layer enables faster proof verification, up to 2,500 proofs per second, while relying on Ethereum’s proof-of-stake (PoS) security model.

The platform operates in two modes:

  1. Fast Mode: A subset of Ethereum validators verify proofs in parallel, achieving a consensus and posting results on Ethereum.
  2. Aggregation Mode: The system compresses multiple proofs, optimizing large-scale verification.
Core Components of Aligned Layer

Eigen Layer Integration

Aligned Layer leverages Eigen Layer, a middleware protocol for Ethereum. It enhances Ethereum’s security by enabling off-chain computations to be verified and secured by the Ethereum PoS validators.

Eigen Layer’s design enables Aligned Layer to handle a significant number of transactions while ensuring trustless verification, making it a powerful tool for zk-rollups, identity protocols, and decentralized applications (dApps) requiring high throughput and low latency.

Aligned Layer Security Audit Recap

Our audit of Aligned Layer focused on critical components such as the smart contracts, the Batcher, the Operator, and the Aggregator:

  • Number of Vulnerabilities Identified: 28
  • Severity Levels: Ranging from Critical to Informational, these issues spanned categories such as Denial of Service (DoS), race conditions, and access control flaws.
  • Interesting Findings:
    • MEV Aggregator Fee Vulnerability: We identified a frontrunning risk where an attacker could exploit the gas price to extract all the batcher’s balance.
    • OOM Operator Issue: An out-of-memory (OOM) vulnerability was found in the Operator component, where crafted gzip HTTP responses could exhaust memory, leading to a DoS attack.
    • OOM Explorer: Similarly, the Explorer component was vulnerable to OOM attacks, triggered by reading response bodies without limits.
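
Both OOM findings above involve response data read into memory without a bound. As an added illustration (not code from Aligned Layer or from the audit report), this Go example caps the decompressed size of a gzip body and rejects anything larger; the function names, the 64 KiB limit and the zero-filled sample inputs are assumptions constructed for the example.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrBodyTooLarge is returned when the decompressed body exceeds the cap.
var ErrBodyTooLarge = errors.New("decompressed body exceeds limit")

// ReadGzipBounded decompresses r but never buffers more than max+1 bytes.
// Reading one byte past the cap distinguishes "exactly max" from "too large".
func ReadGzipBounded(r io.Reader, max int64) ([]byte, error) {
	zr, err := gzip.NewReader(r)
	if err != nil {
		return nil, fmt.Errorf("gzip header: %w", err)
	}
	defer zr.Close()
	data, err := io.ReadAll(io.LimitReader(zr, max+1))
	if err != nil {
		return nil, fmt.Errorf("gzip stream: %w", err)
	}
	if int64(len(data)) > max {
		return nil, ErrBodyTooLarge
	}
	return data, nil
}

// compressZeros builds a constructed sample: n zero bytes, gzip-compressed.
func compressZeros(n int) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(make([]byte, n))
	zw.Close()
	return buf.Bytes()
}

func main() {
	const limit = 64 << 10 // hypothetical 64 KiB cap, chosen for the example
	small := compressZeros(1 << 10)
	big := compressZeros(1 << 20) // tiny on the wire, 1 MiB once inflated
	_, errSmall := ReadGzipBounded(bytes.NewReader(small), limit)
	_, errBig := ReadGzipBounded(bytes.NewReader(big), limit)
	fmt.Printf("wire=%dB ok=%v; wire=%dB rejected=%v\n",
		len(small), errSmall == nil, len(big), errors.Is(errBig, ErrBodyTooLarge))
}
```

With Go's `net/http` client the same cap belongs around `resp.Body`, since the transport may already have decompressed the response transparently; a separate limit on the compressed bytes bounds bandwidth as well as memory.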

[Figure: Vulnerabilities sorted by severity]

[Figure: Vulnerabilities sorted by type]

Audit Specifics: No Scope Limitations

One of the key strengths of this audit was its full white-box nature, with no scope limitations. This gave us full access to the Aligned Layer codebase and architecture, allowing a deep dive into its security posture. A significant focus was placed on smart contracts, a critical component in ensuring the security of blockchain-based platforms. We also developed custom fuzzing tools, automating vulnerability detection for key components.

Strengths of Aligned Layer

Despite the identified vulnerabilities, Aligned Layer demonstrated notable strengths:

  • High Throughput: Its ability to handle over 2,500 proofs per second positions it as a leading platform for zk-proof verifications.
  • Ethereum’s PoS Security: By building on Ethereum’s PoS system, Aligned Layer ensures robust security through trusted validators.
  • Batch Processing Capabilities: The platform efficiently manages large numbers of proofs and transactions, making it scalable for various decentralized applications.
Moreover, the Aligned Layer team responded promptly to our findings. They were not only quick in addressing the reported issues but also highly attentive to our feedback. Throughout the audit process, the team remained in tune with our recommendations and demonstrated a strong commitment to improving the platform’s security. Their receptiveness and proactive collaboration ensured that the vulnerabilities were fixed efficiently, reinforcing the platform’s robustness.

Conclusion

Our audit of Aligned Layer highlighted both the potential and the challenges of this innovative protocol. While we uncovered a number of vulnerabilities, the swift and attentive response from the Aligned Layer team underscores their commitment to security and transparency. Their ability to address issues rapidly, combined with the protocol’s impressive throughput and integration with Ethereum’s proof-of-stake system, positions Aligned Layer as a leading solution in the zk-proof verification space.

For more details on our findings and the security recommendations for Aligned Layer, you can view the full audit report.

Patrick Ventuzelo / @Pat_Ventuzelo

Nabih Benazzouz / @Raefko

Mohammed Benhelli / @MohammedBenhelli

 

About Us

Founded in 2021 and headquartered in Paris, FuzzingLabs is a cybersecurity startup specializing in vulnerability research, fuzzing, and blockchain security. We combine cutting-edge research with hands-on expertise to secure some of the most critical components in the blockchain ecosystem.

Contact us for an audit or long term partnership!


Keep in touch with us!

email

contact@fuzzinglabs.com

X (Twitter)

@FuzzingLabs

Github

FuzzingLabs

LinkedIn

FuzzingLabs
