Lelantus Audit (PR #33)

A well audited and solid Lelantus implementation is critical for Zcoin. A vulnerability in Lelantus may result in a break of anonymity or hidden inflation of supply. We are seeking funds for a third party code audit of Lelantus cryptography and implementation.

While the core team has renewed development funding post halving, this comes into effect only in September and even then assuming similar market conditions, would have a significant impact on the Core Team’s reserve funds that are used to tide over challenging market conditions.

From our discussions with various code audit companies (for e.g. Trail of Bits, SmartDEC), a reasonably comprehensive review of the Lelantus cryptographic library and the wallet implementation code will cost around USD64,000. We will update this proposal from time to time to reflect the actual cost.

Scope of Audit

A smaller scope that just covers the implementation without going into the cryptography would be quite a bit cheaper but if the budget permits, it makes more sense to have a reasonable coverage of both.

We intend to cover the following in the audit but will subject to change depending on amount raised and finalized quotes.

  1. Lelantus cryptographic library
  2. Lelantus RPC functions
  3. Wallet functionality in relation to Lelantus
  4. Wallet database in relation to Lelantus
  5. Lelantus state
  6. Accepting Lelantus transactions into mempool, block connection and disconnection, etc
  7. Miner related changes
  8. Transaction and auxiliary structures
  9. HD Lelantus mints.
  10. Evaluation of Lelantus cryptography as described in paper

Timeframe

We hope to begin audit in July and the code review is espected to take about 2-4 weeks after which we will take another few weeks to incorporate the fixes as recommended by the audit. The results of the audit will be made public.

Excess Funds

Should the code audit be cheaper than anticipated, the balance will be kept for future code audits which may be required as we will be implementing Lelantus Direct Anonymous Payments after the initial deployment of Lelantus and/or our code bounty program.

Should the core team have excess funds we will also contribute towards this proposal and disclose these amounts.

Acknowledgement of Donation

Should you wish to be named as a donator in the audit, you can optionally let us know and we will include your name/organization name in any announcement relating to the Lelantus code audit.

GitHub

An audited of Lelantus is in the interest of everyone who owns Zcoin and believes in its vision.

I look forward to donatating.

1 Like

This audit would be very important to make sure the code is sound. Then it’s possible to dedicate the resources and time for exciting features.

An audit is vital for the continued unhindered operations of the project, this both from a logistical and technical standpoint.

On the operational side, a significant number of high-end exchanges, payment processors, services and funds are starting to filter the projects they work with through the “security” criterion which is defined as audits, and third party review. By being able to say that the Lelantus is both cryptographically and implementation secure, we can backstop any potential arguments about security brought up by previous incidents related to Zerocoin.

On the technical side, a security audit will provide vital insight on the current state of the implementation with the potential findings allowing for a more solid foundation in practice when developing atop, iterating and pressure testing the implementation.

Personally if it’s a choice between SmartDEC & Trail of Bits, I would lean toward Trail of Bits, I had the pleasure of attending their CEO, Dan’s talk at CESC in SF, and had the pleasure of being introduced to him recently, his team’s skillset in the arena of Zero Knowledge Proofs, Blockchain Audits, and General Code Healthiness is unparalleled. Their previous work in the space in relation to Zcash, and other projects in the privacy space act as a vouch. Their work with DARPA is also pretty relevant as well :).

Just to add, Trail of Bits came back with a more detailed code that recommended it be brought up to 6 engineer weeks which would mean 96k USD. We are in the process of exploring a reduced scope audit to bring it back to 4 engineer weeks and will update once we hear from them.

SmartDEC’s proposal would be significantly cheaper (5.5x cheaper) but would mainly cover coding practice, potential issues and correct implementation rather than the cryptographic security of Lelantus. The audit will be covered by Lenar Safin.

This is the scope of SmartDEC’s proposal:

  1. We will check the correctness of the implementation of the protocol,
  2. We will check the code in the fork (the crypto library and the implementation):
  • its correctness, reliability in support;
  • whether the code is following the best coding standards;
  • we will give the general recommendations regarding further development of the codebase;
  • as a side effect, we will check the dependencies and scan the overall system for the critical vulnerabilities using the automated analysis. Nevertheless, this won’t be the main aim of the audit and be more of a bonus.
  1. We will prepare the official private audit report in PDF format.
  2. After your development team fixes the issues we find in the private report, we check that the fixes are applied properly.
  3. After this we prepare the final retrospective public audit report that reflects the interaction of your team and SmartDec. You can check our latest public audit for Grin++ as an example of how the result looks like.

Trail of Bits Proposal is as follows:

  • Security review of the Customer source code through a combination of manual and automated review. Activities include but are not limited to:
    • Review of the Lelantus cryptographic paper and reconciliation of implementation against the proposed design with a focus on concerns around deanonymization
    • Review of the wrappers around the secp256k1 code and integration with bitcoin core to verify that modifications do not allow arbitrary coin minting, etc
    • Apply a comprehensive suite of tools to quickly and automatically uncover bugs
    • Review the architecture of the system for design flaws
    • Perform detailed manual code review
    • Review of cryptographic libraries, APIs, algorithms, and cipher modes
    • Review of possible weaknesses and exposure to cryptographic attacks
    • Identify security and correctness properties
  • Related services as requested by Customer or recommended by Trail of Bits
  • Best-effort guidance after the project. After the project concludes, Trail of Bits will make its best efforts to address security questions that arise via email

Funds permitting, I would prefer to go for a Trail of Bits audit purely because it addresses the main concerns we are worried about which is deanonymization and coin inflation due to bugs/flaws be it in code or cryptography. SmartDec’s proposal would probably cover the more obvious easy to find flaws but would possibly miss the type of attacks that we experienced with Zerocoin.

A quality audit is essential to the roll-out of Lelantus. Being that this is a much anticipated protocol I would lean towards the audit company that will address our main concerns. I’m not as technically savvy when it comes to these audit companies, but it seems the consensus so far is Trail of Bits (ToB). If ToB provides the quality audit we need I’d say we choose them.

I’m in support of a high quality audit. I don’t believe cheaping out on audits is appropriate. I’m no expert in audit firms but Trail of Bits, although an expensive option, seems like a great choice.

My only concern is whether we can raise enough for the ToB audit while the SmartDEC audit would almost certainly get funded.

Audit for such important “feature” is a must no matter the cost. For a privacy coin this should be prio nr1 so i totally support this.

In a public chatroom, Ian Miers, the co-author of Zerocoin and Zerocash actually said that “Assuming the crypto is right and audited(big assumptions), it’s [Lelantus] an interesting trade-off to Zcash, if done right”. Lelantus technology is groundbreaking and competitive and we should ensure that our code and implementation do justice to the technology which an audit by a top tier firm would help greatly.

Share the same sentiment as others. Very much look forward to contributing.

Thanks @Nakamoto-san! This is already up for funding at https://zcs.zcoin.io/proposals/lelantusaudit.html

Trail of Bits have gotten back to us with two reduced scope options to fit within the budget:

Option A
2 engineer-weeks:
A focused assessment of the cryptographic library against the paper without providing opinion on quality or correctness. This will ensure you are doing your due diligence:

  • Review of the cryptographic library implementation and reconciliation against the Lelantus paper with a focus on:
    • Confirming the code implements what the paper proposes
    • Opinion on paper quality or correctness will not be provided
    • Concerns around deanonymization
    • Failure of the protocol/code that would allow coins to be created out of thin air (inflation)
  • Provide a summary document at the end of the review with a short discussion of what was done, what was found, and the point in time maturity of the project

Option B
4 engineer-weeks:
Reviewing the cryptographic library and wallet implementation getting as much done as possible within the timeframe. The more time we have, the deeper we can dig. This review would include:

  • Review of the cryptographic library implementation and reconciliation against the Lelantus paper with a focus on:
    • Confirming the code implements what the paper proposes
    • Opinion on paper quality or correctness will not be provided
    • Concerns around deanonymization
    • Failure of the protocol/code that would allow coins to be created out of thin air (inflation)
    • Review of the wrappers around the secp256k1 code and integration with bitcoin core to verify that modifications do not allow arbitrary coin minting, et cetera
  • Full report: 10+ page report that includes extensive detail on issues discovered

Personally I would of course prefer Option B.

Hi Reubenyap,

Could I quote for this project to your email ?

Hi @golfreeze ! Yes you can e-mail me at [email protected]

However note that details of this quote will be shared to this Github as well for transparency.

Could you give us more info on your company as I do not see a security/audit focus or cryptography background on your website!