Skip to content

fix: TS bindings audit response (barretenberg#2426)#22362

Open
johnathan79717 wants to merge 5 commits intomerge-train/barretenbergfrom
jh/ts-bindings-audit-response
Open

fix: TS bindings audit response (barretenberg#2426)#22362
johnathan79717 wants to merge 5 commits intomerge-train/barretenbergfrom
jh/ts-bindings-audit-response

Conversation

@johnathan79717
Copy link
Copy Markdown
Contributor

@johnathan79717 johnathan79717 commented Apr 7, 2026
edited
Loading

Summary

Addresses all 7 findings from the TypeScript bindings audit AztecProtocol/barretenberg#2426: 1 medium, 4 low, 2 informational.

  • F1 (medium): Hardcode the G2 element (128 bytes, matching the C++ side which already uses get_bn254_g2_crs_element()), eliminating the G2 download/cache entirely. For G1, add spot-check verification of the first two compressed elements against known trusted setup values.
  • F2/F3 (low): Reject pending promise callbacks in async SHM backend on destroy() and unexpected process exit, matching the existing socket backend pattern.
  • F4/F5 (low): Add SIGKILL escalation timeout in sync SHM backend destroy() if SIGTERM doesn't terminate the process within 1 second.
  • I1 (informational): Use os.cpus().length (capped at 16) for HARDWARE_CONCURRENCY default instead of hardcoded 16.
  • I2 (informational): Replace response.body! non-null assertions with explicit null checks and descriptive errors.

Test plan

  • yarn build:esm compiles with no new errors
  • npx jest net_crs passes all 6 tests (G1 spot-check, hardcoded G2, integrity rejection)
  • CI passes

@johnathan79717
finding I2: replace non-null assertions on response.body with explici…
8df2170 
…t checks

streamG1Data/streamG2Data used `response.body!` which would crash
without a useful error if the response body was null. Add explicit
null checks with descriptive error messages.

Addresses I2 from AztecProtocol/barretenberg#2426.
@johnathan79717
finding I1: detect CPU count for HARDWARE_CONCURRENCY default
7e9b0b0 
The async shared memory backend hardcoded HARDWARE_CONCURRENCY to 16
when no thread count was specified. Use os.cpus().length (capped at 16)
to match the socket backend behavior.

Addresses I1 from AztecProtocol/barretenberg#2426.
@johnathan79717
findings F4/F5: escalate to SIGKILL if SIGTERM fails in sync SHM dest…
df1ab0c 
…roy()

The sync shared memory backend sent SIGTERM but never confirmed the
process actually exited. Add a 1-second timeout that escalates to
SIGKILL as a defensive measure. The timeout is unref'd so it won't
prevent Node from exiting.

Addresses F4/F5 from AztecProtocol/barretenberg#2426.
@johnathan79717
findings F2/F3: reject pending callbacks on destroy and unexpected exit
81c6d1d 
The async shared memory backend's destroy() killed the process without
rejecting pending promise callbacks, causing them to hang forever.
Also, if the process died unexpectedly, pending callbacks were never
notified. Add a rejectPendingCallbacks() helper (matching the socket
backend pattern) and call it from both destroy() and the process exit
handler.

Addresses F2/F3 from AztecProtocol/barretenberg#2426.
@johnathan79717 johnathan79717 added the ci-full Run all master checks. label Apr 7, 2026
@johnathan79717 johnathan79717 force-pushed the jh/ts-bindings-audit-response branch from 3cfbd1b to 0b0f96f Compare April 7, 2026 14:35
@johnathan79717
finding F1: add CRS integrity verification, hardcode G2 data
068dc49 
The G2 element is a fixed 128-byte constant from the trusted setup.
Rather than downloading and verifying it, hardcode it directly (matching
the C++ side which already uses get_bn254_g2_crs_element()). This
eliminates the G2 download, disk cache, and IndexedDB cache entirely.

For G1, add spot-check verification of the first two compressed elements
against known values from bn254_crs_data.hpp, after download and after
streaming to disk.

Addresses F1 from AztecProtocol/barretenberg#2426.
@johnathan79717 johnathan79717 force-pushed the jh/ts-bindings-audit-response branch from 0b0f96f to 068dc49 Compare April 7, 2026 16:53
@johnathan79717 johnathan79717 requested a review from ludamad April 7, 2026 16:55
ludamad
ludamad reviewed Apr 7, 2026
View reviewed changes
barretenberg/ts/src/crs/crs_integrity.ts
return true;
}

/**
Copy link
Copy Markdown
Collaborator

@ludamad ludamad Apr 7, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to do this when we also have HTTPS? But also It seems a little weird to have this logic outside of the BB API core call for srs init where we pass this data.

@ludamad
Copy link
Copy Markdown
Collaborator

ludamad commented Apr 7, 2026

Looks overall okay, mainly the one comment

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ludamad ludamad ludamad left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

ci-full Run all master checks.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@johnathan79717 @ludamad