Audit reference
Protofire, March 2026, finding H02 — No Runtime Verification of External Data Contract Existence. Severity: High. Status at audit (19a65ffa): New.
What
LibDecimalFloatImplementation extcodecopys log table data directly from the configured address with no extcodesize check. EVM extcodecopy on an empty address copies zeros without reverting.
Impact
If the contract is deployed to a network where the Zoltu deterministic deployment of the log tables hasn't happened yet, every transcendental computation silently returns garbage. This is the same failure shape as #H01 but applies independently — even with H01 fixed (correct address constant), an unprovisioned chain still corrupts.
Recommendation
Add require(extcodesize(tablesDataContract) > 0, ...) (or revert with a typed error) in the data-retrieval path. Alternatively, verify the codehash at runtime, once at construction time, using the LOG_TABLES_DATA_CONTRACT_HASH constant already in LibDecimalFloatDeploy.
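A sketch of both guards from the recommendation, added here as an illustration and not taken from the project's code. The library name LogTablesGuard, the two error types and the function names are hypothetical; the caller is assumed to pass in the configured tables address and the expected hash.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration. All names in this file are hypothetical, not the project's API.
error TablesNotDeployed(address tables);
error TablesCodehashMismatch(address tables, bytes32 expected, bytes32 actual);

library LogTablesGuard {
    /// Per-call guard: the equivalent of `extcodesize(tables) > 0` with a typed error.
    function requireDeployed(address tables) internal view {
        if (tables.code.length == 0) revert TablesNotDeployed(tables);
    }

    /// One-time guard, intended for a constructor. `expected` is assumed to be the
    /// known hash of the tables contract's runtime code. An address without code
    /// reports bytes32(0) or keccak256(""), so an unprovisioned chain fails here too.
    function requireCodehash(address tables, bytes32 expected) internal view {
        bytes32 actual = tables.codehash;
        if (actual != expected) {
            revert TablesCodehashMismatch(tables, expected, actual);
        }
    }

    /// Guarded read of `length` bytes starting at `offset` in the tables contract's code.
    /// Without the guard, extcodecopy on an empty address fills `data` with zeros
    /// and does not revert, which is the silent failure described above.
    function read(address tables, uint256 offset, uint256 length)
        internal
        view
        returns (bytes memory data)
    {
        requireDeployed(tables);
        data = new bytes(length);
        assembly ("memory-safe") {
            // Skip the 32-byte length word of `data` and copy into its payload.
            extcodecopy(tables, add(data, 0x20), offset, length)
        }
    }
}
```

The per-call check costs an extra account access on every read, while the constructor check runs once but only covers the state of the chain at deployment time.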
Verification
Fork test on a chain that does NOT have the log tables deployed: call log10 and assert it reverts with the new guard.