Quantstamp has reviewed the whole codebase of the Prysm ETH 2.0 client implementation. We found a number of issues spanning all severity levels; some of the high-severity issues were resolved before the review was completed. Overall, the code is well written, but there are many ways in which it could be improved to follow best practices. For example, code clones are relatively common. Furthermore, although the code is mostly self-documenting, inline code documentation is lacking, and we have no doubt that it would be useful to future contributors. Despite being accompanied by the official ETH 2.0 documentation, the implementation is very nuanced and complex, and the code does not always follow the specification (or it is not clear that it does). We found a number of issues that span both the specification and the implementation. Although we aggregated some of them in the "Adherence to Specification" section, they are of the utmost importance, and we highly recommend addressing each and every one of them as if it were an actual vulnerability. Finally, many pieces of the code lack unit tests and therefore have relatively low coverage. We highly recommend adding meaningful unit tests and improving coverage to maximize code quality. **Update:** the team addressed almost all of the findings. The mapping between issues and their resolutions is given in [PR#6327](https://github.com/prysmaticlabs/prysm/issues/6327).
| Status | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 13 | 3 | 1 | - | 17 |
| Fixed | 29 | 9 | 3 | - | 41 |
| Total | 42 | 12 | 4 | 0 | 58 |
| # | File Name |
|---|---|
| 1 | contracts/deposit/* |