Professionally Audited by Verichains

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

1. DO NOT open a public GitHub issue for security vulnerabilities
2. Use GitHub Security Advisories to report vulnerabilities privately
3. Include detailed steps to reproduce the vulnerability
4. Allow reasonable time for a fix before public disclosure

• Description of the vulnerability
• Affected version(s)
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Integer arithmetic operations (u128, u256, i128, i256)
• Division and modulo operations
• Bit manipulation operations
• Type conversions
• Memory safety
• Buffer handling

• Third-party dependencies (report to respective maintainers)
• User implementation errors
• Development/test environment issues only

This library has undergone a comprehensive security audit by Verichains, a leading blockchain security firm with extensive experience in:

• Smart contract security audits
• Blockchain protocol assessments
• Cryptographic implementation reviews
• WebAssembly security analysis

The security audit covered the following areas:

• Overflow/underflow detection in arithmetic operations
• Division by zero handling
• Modulo operation edge cases
• Multiplication overflow scenarios
• Power function boundary conditions

• Shift operation bounds checking
• Rotate operations correctness
• Bitwise AND/OR/XOR/NOT operations
• Count leading/trailing zeros accuracy
• Population count correctness

• Safe narrowing conversions (u256 -> u128 -> u64)
• Sign extension correctness (signed types)
• String parsing validation
• Byte array serialization/deserialization

• Buffer bounds checking
• Immutable constant protection
• Clone operation integrity
• No uninitialized memory access

This fork addresses critical vulnerabilities found in the original as-bignum library.

When using this library, follow these guidelines:

// Always validate external input before conversion
if (inputString.length > 78) { // Max digits for u256
  throw new Error("Input too large");
}
let value = u256.fromString(inputString);

// Check for zero divisor
if (divisor.isZero()) {
  throw new Error("Division by zero");
}
let result = dividend / divisor;

// Use muldiv for multiplication followed by division to avoid overflow
let result = u128.muldiv(a, b, c); // (a * b) / c without intermediate overflow

// Use immutable versions for read-only access
let zero = u128.immutableZero; // More efficient, guaranteed unchanged

The full audit report from Verichains is available in the AUDIT directory.

• Security Issues: GitHub Security Advisories
• General Issues: GitHub Issues
• Website: opnet.org
• Auditor: Verichains

_{Security is a continuous process. This document will be updated as new audits are completed.}