Serpent Compiler Audit

The Augur team asked us to review and audit the Serpent compiler. We looked at the code and now publish our results.

The audited project can be found in the ethereum/serpent GitHub repository. The version used for this report is commit ad53fa2a8a496448d58ef9137959b4a1e86b14d7.

We have found the Serpent project to be of very low quality. It is untested, there is very little documentation, and the language design is deeply flawed. Serpent should not be considered safe to use until its many critical problems are fixed.

The full report can be found here, and a summary list of the issues, ordered by severity, follows.

Critical Severity

High Severity

Medium Severity

Low Severity

Conclusions

Eight critical security issues were found and explained, along with recommendations on how to fix them. Additional changes were proposed to follow best practices and reduce the potential attack surface.

Note that, as of the date of publishing, the above review reflects the current understanding of known security patterns as they relate to the Serpent compiler. We have not reviewed the related Augur project. The above should not be construed as investment advice or an offering of tokens. For general information about smart contract security, check out our thoughts here.