Open Call to Review Azle's Security

Hello ICP developer community!

My name is Jordan Last, the leader of Demergent Labs, an independent company and DFINITY grantee which has been developing the Azle (TypeScript/JavaScript) and Kybra (Python) CDKs since 2022.

Azle is now in its release candidate phase and is edging ever closer to its 1.0 release. Azle 1.0 will indicate that Demergent Labs is confident in Azle’s use as a production-ready CDK on ICP.

As part of this process, Demergent Labs is undertaking its own in-depth internal security reviews. We would now like to invite the community to participate in reviewing Azle’s security. We invite you to participate in any depth or capacity which you would like. Please make sure to strictly follow Azle’s official security policy (e.g. sensitive findings must be kept private until addressed).

We are not offering monetary rewards nor compensation. Any work done would be strictly voluntary contributions to an open source project. At your discretion, we will publish your review under your name or username in the Azle GitHub repository. Even if you decide to remain anonymous, we do ask to be able to publish your findings after coordination with us to address them.

For any members of the community who decide to help us review Azle’s security, we are deeply grateful. Please help us to bring Azle to its 1.0 production-ready release. Thank you!

If you are interested, we are willing to work very closely with you to get you up-to-speed with the codebase, answer any questions, and guide you as needed during your review. If you’ve ever been interested in the lower-level workings of a CDK/SDK, this is a great opportunity for 1 on 1 guidance.

Below are some important resources for those interested. Please reach out to me (Jordan Last, lastmjs) at lastmjs@demergentlabs.org, @lastmjs on Telegram, or @lastmjs on X for further collaboration.

Azle GitHub repository: GitHub - demergent-labs/azle: A WebAssembly runtime for TypeScript and JavaScript on ICP

Scope: Azle’s stable mode, generally found in the src/stable directory: azle/src/stable at main · demergent-labs/azle · GitHub

I’m currently looking into this invitation. While exploring the codebase, I’ve found it quite extensive and impressive—but I’m still trying to get a clear picture of the overall toolchain and what gets transpiled and generated during the build and deployment process.

I understand that the transpilation from TypeScript to Wasm is done through Rust—are there any higher-level design documents, architectural overviews, or diagrams available that outline how this process works?

Thanks in advance for any guidance or pointers!

Bravo Jordan, Azle is finally almost at 1.0!

I will happily volunteer to review after we launch Satoshi Notes.

Thanks for diving in!

We have been working on a higher level architectural diagram, not yet merged into main. Give me some time today or at the latest tomorrow to post that information.

Amazing, very happy for your support

FYI hoping to get this out soon, I apologize for how long this is taking. It will be receiving its proper attention soon.

Is there a way to see the rust source code that is generated to create the wasm?

I am able to dump the javascript code as see it in wasm that is being deployed but I have not figured out where I can inject a copy function to get a copy of the rust code to support an audit or analysis.

Anyone familiar?

.

The Rust source code is not generated, it is static. It is located here: azle/src/stable/build/commands/build/wasm_binary/rust/stable_canister_template at main · demergent-labs/azle · GitHub

Alright it took far too long, I apologize.

But hopefully this will make up for it. The Azle architecture describes Azle’s stable mode, with explanations of the three main components that make up Azle, including sequence diagrams for important flows.

Let me know whatever questions you have!

Thank you. The sequence diagram is most helpful. It lays out the magic sauce with.clarity and is very consumable.