Kudelski Security has done a review of Monero Bulletproofs, a specific type of range proof based on new cryptography by Benedikt Bunz et al. Bulletproofs is a trustless proofs setup that is substantially smaller than the current Borromean style range proofs that are currently used, promising to make Monero transactions 10-20% of their current size.

Kudelski found that the code was largely clean and that the C implementation that Monero has developed from the original Java code is suitable for use. Their findings did include 4 low severity bugs that have been patched, as well as a number of informational issues.


The bugs that were fixed:

  • BP-F-001: Unsafe use of environment variables
    Patch: This function no longer uses environment variables to set this value, as patched in commit 68f7606
  • BP-F-002: Lack of input validation in prover
    Patch: Input scalars are now checked to ensure they are within the proper range in the prove and verify routines, as patched in 68f7606
  • BP-F-003: Integer overflow in bulletproof L size computation
    Patch: Correct boundary checks have been added to avoid the overflow, as patched in commit 68f7606
  • BP-O-008: Undefined behavior shifting signed value
    Patch: The function has been rewritten using a ternary operator in commit 68f7606

This public disclosure of these vulnerabilities coincides with updates to the bulletproofs code which fixes all of the high priority concerns.

This is the first of two audits that are sponsored by Monero Research LabThe Monero CommunityPrivate Internet Access, and OSTIF. The second audit of Bulletproofs is being done by QuarksLab and the results will be released in the coming weeks.

If you would like to review the full audit the direct link is below: (please do not hotlink directly to the PDF, we would like visitors to come to the OSTIF site, it helps us gain more support for the cause, thank you!)
https://ostif.org/wp-content/uploads/2018/07/KudelskiBulletproofsFinal.pdf