Audit Report — OMEGA V4
Auditor: OMEGA Security Labs
Audit period: November 4 – December 20, 2025
Version audited: Covenant compiler v0.7.0-rc3
Report date: January 10, 2026
Status: All findings resolved ✓
Executive summary
OMEGA Security Labs conducted a comprehensive audit of the Covenant compiler, runtime library, and standard contract library. The audit covered:
- Covenant compiler (Rust codebase, ~48,000 LOC)
- EVM code generation backend
- FHE precompile integration layer
- ZK proof verification circuits
- Post-quantum signature verifier
- Cryptographic amnesia two-pass erasure protocol
- Standard library contracts (ERC-20, UUPS, Beacon, etc.)
41 findings were identified. All 41 have been resolved.
Finding summary
| Severity | Count | Resolved |
|---|---|---|
| Critical | 5 | 5 ✓ |
| High | 9 | 9 ✓ |
| Medium | 14 | 14 ✓ |
| Low | 9 | 9 ✓ |
| Informational | 4 | 4 ✓ |
| Total | 41 | 41 ✓ |
Critical findings overview
All 5 critical findings are described in detail in the Critical Findings page.
| ID | Title | Status |
|---|---|---|
| CVN-001 | FHE ciphertext malleability in fhe_add | Fixed in v0.7.0-rc5 |
| CVN-002 | Amnesia pass-1 randomness is predictable on low-entropy chains | Fixed in v0.7.0-rc5 |
| CVN-003 | UUPS _upgrade missing ERC-1822 magic check | Fixed in v0.7.0-rc4 |
| CVN-004 | PQ key registry bypass via zero-length signature | Fixed in v0.7.0-rc5 |
| CVN-005 | ZK verifier accepts proof for wrong circuit ID | Fixed in v0.7.0-rc5 |
Audit methodology
- Automated analysis — Slither, Semgrep, and OMEGA’s proprietary FHE taint-analysis tool
- Manual code review — line-by-line review of all compiler output paths
- Property-based fuzzing — 72-hour Echidna campaign on the standard library
- Formal verification — critical paths modelled in Lean 4; proofs machine-checked
- Differential testing — Covenant-generated bytecode compared against reference Solidity for 200 test cases
Recommendations implemented
All OMEGA recommendations were implemented before the V0.7 GA release:
- CEI enforcement: compiler now statically checks and rejects checks-effects-interactions violations unless explicitly overridden
- Reentrancy auto-detection: the LSP flags missing
@nonreentranton any action making external calls - FHE parameter validation: scheme-specific parameter bounds checked at compile time
- Amnesia log suppression: event emission inside
amnesia { }blocks now raises a compiler error
Full report
The complete 147-page report is available at: covenant-lang.org/omega-v4-audit.pdf