veric.audit/ hooks
All certified hooks

Bunni Liquidity Hook

PASSConformance
Ethereum0x7F4e8a23B6C19D2cF0aE51Bb4d8A9c3E2D17F60aExplorer TVL $48.2M (approx)

Don’t trust — verify

Re-check this certificate yourself with the open-source MIT checker. It pulls the live bytecode via eth_getCode, confirms it hashes to the pinned bytecode_hash, fetches and hashes the witness, replays the derivation locally, and prints PASS only if all hold — trusting nothing from veric.audit except the math.

tarski-verify-veric verify --cert ethereum-conformance.hook-cert.json
Checker: tarski-verify-veric@0.4.2tarski-verify-veric repo (MIT)

What this proves

  • For this exact bytecode on this chain, the cork-class access-control + state-transition property holds.
  • The specific failure shape that cost Cork Protocol ~$11M is provably absent — to the strength stated by the trust flavour.
  • The result is re-checkable by the open MIT tarski-verify-veric checker, trusting nothing from this site.

What this does NOT prove

  • That the hook is safe, bug-free, or audited overall.
  • Anything about reentrancy, oracle/MEV, donation, rounding, admin/upgrade, or economic-design risk.
  • Anything about a different bytecode, a different chain, or the surrounding protocol.
  • Liveness or fitness for purpose.
  • A guarantee over time — a proxy upgrade or redeploy voids this cert.

The certificate

Property
cork-class/access-control+state-transition
Verdict
PASS
Trust flavour
conformance
Analyzer
tarski-verify-veric@0.4.2 (3034b09)
Checked at
23 May 2026
Expires
Never on a clock — a bytecode change voids it
Bytecode hash (the pin)
sha256:9e1c4a7f0b2d8e35a16c94f7b3e0d2a85c47f1908b6e23d40a7c91f5e8d3b206

This cert is valid only for this exact bytecode. A proxy upgrade or redeploy changes the hash and voids the cert.

Raw .hook-cert.json (the exact bytes a re-checker consumes)
{
  "schema": "hook-cert/v1",
  "subject": {
    "kind": "uniswap-v4-hook",
    "chain": "ethereum",
    "address": "0x7F4e8a23B6C19D2cF0aE51Bb4d8A9c3E2D17F60a",
    "bytecode_hash": "sha256:9e1c4a7f0b2d8e35a16c94f7b3e0d2a85c47f1908b6e23d40a7c91f5e8d3b206"
  },
  "property": "cork-class/access-control+state-transition",
  "verdict": "PASS",
  "trust_flavor": "conformance",
  "analyzer": {
    "name": "tarski-verify-veric",
    "version": "0.4.2",
    "git": "3034b09"
  },
  "evidence": {
    "witness_uri": "veric.audit/witness/ethereum-conformance.json",
    "witness_hash": "sha256:af3c9012d7e54b8a1f60c2398e7d4ba5021f8c6e93d70a48b1c5e2f094a7d3b8"
  },
  "recheck": {
    "checker": "tarski-verify-veric",
    "checker_version": "0.4.2",
    "cmd": "tarski-verify-veric verify --cert ethereum-conformance.hook-cert.json"
  },
  "checked_at": "2026-05-23T18:42:11Z",
  "expires_hint": null
}

Witness

This is the re-checkable witness the cert points at — the artifact the trust rests on. You don’t trust this rendering; you trust the re-check. Confirm the bytes hash to the pin below.

witness_hashsha256:af3c9012d7e54b8a1f60c2398e7d4ba5021f8c6e93d70a48b1c5e2f094a7d3b8
{
  "schema": "hook-witness/v1",
  "cert_ref": "ethereum:0x7F4e8a23B6C19D2cF0aE51Bb4d8A9c3E2D17F60a",
  "analyzer": {
    "name": "tarski-verify-veric",
    "version": "0.4.2"
  },
  "trust_flavor": "conformance",
  "inputs": {
    "chain": "ethereum",
    "address": "0x7F4e8a23B6C19D2cF0aE51Bb4d8A9c3E2D17F60a",
    "bytecode_hash": "sha256:9e1c4a7f0b2d8e35a16c94f7b3e0d2a85c47f1908b6e23d40a7c91f5e8d3b206",
    "property": "cork-class/access-control+state-transition",
    "evm_semantics": "shanghai"
  },
  "derivation": {
    "method": "abstract-interpretation+state-machine-conformance",
    "steps": [
      {
        "id": "decode",
        "summary": "Lift bytecode to the typed CFG; recover the 14 hook callback entry points."
      },
      {
        "id": "access-control",
        "summary": "Prove every state-mutating callback is guarded by the PoolManager-only caller predicate; no unguarded external write path reaches hook storage."
      },
      {
        "id": "state-transition",
        "summary": "Prove the beforeSwap/afterSwap delta accounting cannot be re-entered or replayed to desync the settlement invariant (the cork-class failure shape)."
      },
      {
        "id": "conformance",
        "summary": "Confirm the bytecode conforms to the EVM semantics the proof is stated against; the conclusion is re-derivable end-to-end from this witness."
      }
    ],
    "conclusion": "PASS"
  }
}

This cert pins bytecode sha256:9e1c4a7f0b2d8e35a16c94f7b3e0d2a85c47f1908b6e23d40a7c91f5e8d3b206. If the contract is upgraded or redeployed, the pin no longer matches and the cert is pulled on the next pipeline run. A row disappearing is not a published statement about the hook.