⚠️ This page is under construction and may not be factual. Presented as-is.
1

Code & Architecture Analysis

WIP

Visualizing the three core services of an ATProto application & their relationship to DRISL (Deterministic Representation for Interoperable Structures & Links)

Uses DRISL-CBOR
Critical Fuzz Target
High-Value Target
Medium Target
📱 AppView: Bluesky, Eurosky, Blacksky, etc.

Consumes firehose, processes records for its app
Validates Lexicons it cares about (e.g. app.bsky.feed.post, com.germnetwork.keypackage, etc.)

🔎 Search

Full-text indexing

📊 Feeds (& Feed Generators)

Algorithmic feeds (can be independent services)

🖼 Web Tiles (MASL)

Composable web apps rendered by AppViews

DRISL decode

🔍 Indexer

Decodes records, validates Lexicons, builds indexes

DRISL decode
↑↓ Firehose (WebSocket) — Each frame: DRISL-CBOR header + payload
Events: #commit, #sync, #identity, #account ↑↓
📡 Relay Layer

Aggregates PDS streams into single firehose

🌊 Firehose Aggregation

Combines all PDS streams

DRISL CAR slices

✅ Signature Verify

Validates commit signatures

SHA-256 CID

🔄 MST Inversion

Validates ops against prev state

DRISL CID
⚠️ Does NOT validate Lexicon schemas — passes through records
↑↓ Repo sync: CAR files with DRISL-CBOR blocks, #commit diffs ↑↓
🗄 PDS: BSKY.SOCIAL, EUROSKY.SOCIAL, BLACKSKY.APP, ETC.

Authoritative host for account repositories — stores records, MST, commits as DRISL-CBOR

📝 Record Encoding

Encodes records as DRISL-CBOR

DRISL-CBOR

🔐 Commit Signing

SHA-256 hash → Sign with key

SHA-256 CID

🌳 MST Structure

Merkle Search Tree for records

DRISL CID links

📦 CAR Export

getRepo endpoint

CAR v1

📥 CAR Import

importRepo for migration

CAR v1

🗃 Blob Storage

Images, videos (CID-addressed)

raw CID

📏 Protocol Size Limits (Fuzzing Boundaries)

blocks field: max 2,000,000 bytes
Single record: max 1,000,000 bytes
Ops per commit: max 200
Firehose frame: max 5 MBytes
CID size: recommended max 100 bytes
Nesting depth: use library defaults

🔄 DRISL Encoding Flow (Where Differential Bugs Hide)

User creates post │ ▼ ┌──────────────────────────────────────────────────────────────────┐ │ PDS: Encode as DRISL-CBOR │ │ record_bytes = drisl.encode({"text": "Hello", "$type": "..."}) │ │ record_cid = CID(sha256(record_bytes)) │ │ │ │ Update MST, create commit │ │ commit = {did, rev, data: mst_root_cid, prev: null} │ │ unsigned_bytes = drisl.encode(commit) │ │ sig = sign(sha256(unsigned_bytes), signing_key) │ │ signed_commit = {...commit, sig} │ │ commit_cid = CID(sha256(drisl.encode(signed_commit))) │ └──────────────────────────────────────────────────────────────────┘ │ ▼ Firehose #commit event (CAR slice with DRISL blocks) │ ┌──────────────────────────────────────────────────────────────────┐ │ RELAY: Verify signature, MST inversion │ │ parsed_commit = drisl.decode(blocks[commit_cid]) │ │ verify_sig(parsed_commit, did_doc.signing_key) │ │ inverted_mst = apply_ops_reverse(mst, ops) │ │ assert inverted_mst.root == prevData ← Different impl = bug! │ │ │ │ ⚠️ Does NOT validate Lexicon — passes record through │ └──────────────────────────────────────────────────────────────────┘ │ ▼ Passes to all subscribers │ ┌──────────────────────────────────────────────────────────────────┐ │ APPVIEW A (Bluesky, uses libipld) APPVIEW B (Graysky, uses atcute)│ │ record = libipld.decode(bytes) record = atcute.decode(bytes) │ │ │ │ If implementations disagree on edge cases: │ │ - Duplicate map keys │ │ - Non-minimal integer encoding │ │ - Integer boundaries (53-bit JS safe) │ │ - UTF-8 validation │ │ - Floats in data (should reject!) │ │ │ │ → Same CID, different interpreted content │ │ → Security bypass! │ └──────────────────────────────────────────────────────────────────┘

CRITICAL DRISL Encode/Decode

  • Foundation of all data integrity
  • Map key ordering (CBOR/c: lexicographic by encoded bytes)
  • Duplicate keys must be rejected (CBOR/c)
  • Integer encoding (minimal, 53-bit JS safe)
  • Floats: DRISL allows 64-bit, ATProto rejects all
  • UTF-8 string validation

CRITICAL NEW MST Inversion

  • Validates #commit ops by applying in reverse
  • Result must match prevData tree root
  • Key depth: SHA-256, count leading zeros in 2-bit chunks
  • Fanout of 4, lexicographic key sorting

CRITICAL Signature Verification

  • Hash DRISL-CBOR bytes with SHA-256
  • If DRISL encoding differs → hash differs
  • Valid signature could verify against wrong content
  • Or invalid signature could pass

CRITICAL CID Computation

  • CIDv1 + dag-cbor (0x71) + SHA-256
  • Must be identical across all implementations
  • Blessed format: base32 string encoding
  • Different CID = broken links, lost data

HIGH CAR Parsing

  • Account migration depends on CAR import
  • Multiple roots, block ordering
  • Duplicate blocks allowed
  • Dangling CID references possible

HIGH Firehose Frame Parsing

  • Two DRISL-CBOR objects per frame
  • Header (op, t fields) + Payload
  • High volume, must handle malformed data
  • Invalid framing = drop connection

MEDIUM Size Boundary Handling

  • 2MB blocks field limit
  • 1MB per record limit
  • 200 ops per commit limit
  • Edge cases at boundaries

HIGH Web Tiles (MASL)

  • User-generated DASL content
  • Runs in browser, needs consistent parsing
  • Your Goodreads tile is a real test case!
  • Cross-implementation rendering

🎯 DASLint Focus Areas

1. Differential Encoding

Compare: dag-cbrrr, libipld, atcute, go-ipld-prime, @ipld/dag-cbor

→ Current DASLint focus

2. Real ATProto Records

Seed from firehose, your tiles, production data

→ Realistic test corpus

3. MST Operations

Key depth calculation, tree structure, inversion

→ New target from audit

4. Malformed Input

Non-minimal encoding, invalid UTF-8, duplicate keys

→ DRISL rule violations

Sources: atproto.com/guides/glossaryatproto.com/specs/repositoryatproto.com/specs/syncatproto.com/specs/data-modelatproto.com/specs/event-streamdasl.ing/drisl.html
2

Fuzz Testing

Coming Soon

Coming soon.

3

Vulnerability Assessment

Coming Soon

Coming soon.