- Home
- Skills
- Multiversx
- Mx Ai Skills
- Multiversx Constant Time
multiversx-constant-time_skill
10
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill multiversx/mx-ai-skills --skill multiversx-constant-time- SKILL.md7.7 KB
Overview
This skill verifies that cryptographic operations execute in constant time to prevent timing attacks. It focuses on auditing code paths that handle secrets, secret comparisons, and other security-sensitive algorithms in smart contracts. Use it to produce clear findings and remediation steps when timing leaks are possible.
How this skill works
The skill scans code and review patterns that can introduce variable-time behavior: early returns, short-circuit booleans, branching on secret data, and data-dependent memory access. It recommends using VM-provided crypto primitives, ManagedBuffer equality, or well-tested constant-time primitives (like the subtle crate) and provides manual constant-time comparison patterns when necessary. It also includes verification techniques such as static searches for risky patterns and gas-based timing probes.
When to use it
- Auditing custom cryptographic implementations in smart contracts
- Reviewing secret or hash comparison logic (tokens, HMACs, signatures)
- Analyzing authentication, password, or PIN handling code
- Checking any code where execution time could leak secret data
- Preparing an audit report focused on timing-related vulnerabilities
Best practices
- Prefer built-in VM crypto functions (self.crypto().*) and VM hashing where available
- Use ManagedBuffer equality from the VM instead of DIY byte-by-byte early returns
- Avoid early returns, short-circuit &&/||, and branching on secret-dependent values
- Use constant-time primitives (subtle crate or vetted implementations) for manual comparisons
- When manual compare is needed, accumulate differences and test once (e.g., XOR/OR pattern)
Example use cases
- Audit a token verification function to replace early-return byte loops with ManagedBuffer equality
- Validate HMAC or signature verification paths to ensure comparisons are constant-time
- Review PIN/password checks and convert naive equality to XOR-based checks
- Search codebase for secret-dependent branches and array indexing to surface potential timing leaks
- Run gas-based probes to detect input-dependent gas variation as a proxy for timing differences
FAQ
ManagedBuffer equality is typically implemented by the VM and is the recommended default, but document assumptions and verify VM guarantees for your target runtime.
When should I write a manual constant-time compare?
Only when VM primitives are unavailable or you must compare raw byte slices; use well-known patterns (accumulate XOR/OR) or vetted crates that are compatible with no_std and WASM.