Zendoo Source Code Audit 2021
The Horizen team is committed to the security and safety of our users as we aim to develop the most secure, interoperable blockchain ecosystem.
As part of the commitment to the security and safety of our users, we elicited the support of two expert IT security agencies. Each agency was selected based on their functional expertise.
The first agency selected was Coinspect, an industry leader in Bitcoin security services. Coinspect previously audited the Zcash and Horizen code base. Coinspect’s follow-on audit was performed on the Zendoo software upgrade (ZEN 3.0.0). Zendoo is the largest and most significant upgrade of the Horizen network. Zendoo is Horizen’s scaling solution that fosters an ecosystem of independent blockchains and dapps by allowing developers to build custom zero-knowledge-enabled public or private blockchains with scalability and flexibility unmatched by others. Because of this, it is critically important that the source code and cryptography meet the highest standards.
Vulnerabilities within cryptographic operations are often obscure and poorly understood, which is why Horizen brought on the second agency, NCC Group, to audit Zendoo’s proof verifier. NCC Group is a leader in cyber security and cryptography.
Finally, to round out Zendoo’s robustness, Horizen partnered with HackerOne to continuously incentivize friendly hackers to test the security of Zendoo.
About the Zendoo Source Code Audit
The objective of the audit was to review the Zendoo source code and examine the new code modifications introduced by Zendoo to incorporate the ability of the Horizen mainchain to interact with multiple sidechains. This audit enabled Coinspect to identify and attempt to exploit security vulnerabilities that might allow adversaries to attack the Horizen mainchain or the sidechains and the funds secured by them
Coinspect found no critical-risk vulnerabilities in the Zendoo source code. The audit findings included 4 risk items. The items identified in the audit were corrected by the Horizen team. No other risk items were located during this audit:
- Critical Risk: 0
- High Risk: 4 (4 Fixed)
- Reachable assertion allows attackers to hijack the network DoS attack by improper handling of compressed data
- Sidechain certificates enable mainchain resource exhaustion attacks
- DoS attack by improper handling of compressed data
- Ceased sidechains enable mainchain resource exhaustion attacks
- Medium Risk: 0
About the Zendoo Proof Verifier Cryptography Review
The objective of this audit was to conduct a cryptography review of Zendoo’s proof verifier. This system generates and verifies modified Marlin proofs. The system also provides optimized batch verification of accumulated proofs. The review included supporting elements for the proof system, such as the underlying field arithmetic, instantiations of specific elliptic curves, a custom hash function, and optimized Merkle Tree implementations.
The NCC Group team found no critical-risk vulnerabilities in Zendoo’s proof verifier. They reported 22 items during the course of the audit. The identified items were either fixed after the review or identified as not a risk or false positives.
- Critical Risk: 0
- High Risk: 3 (3 Fixed)
- Missing Polynomial Normalization after Arithmetic Operations
- Batch Proof Verification Bypass
- Incorrect Random Polynomial Generation
- Medium Risk: 4 (2 fixed, 1 false positive, 1 non-risk)
- Missing Length Check in Canonical Deserialization
- No Domain Separation in Merkle Tree Implementation
- Merkle Leaf Nodes Not Zeroed on Reset
- Incorrect Hiding Bound in Labeled Polynomial Commitment
- Low Risk: 12 (9 fixed, 2 false positive, 1 non-risk)
- Secure Rust Best Practices Not Always Followed
- Misleading Modular Reduction Function
- Potential Panic with Zero-Division
- Outdated and Vulnerable Rust Dependencies
- Insufficient Parameter Checks in Multi-Scalar Multiplication
- Insufficient Parameter Validation in Merkle Tree Implementation
- Potential DoS via Memory Exhaustion in Merkle Tree Instantiation
- Incoherence in Poseidon Round Number Parameters
- RNG Implementation Non-Compliant with Rust Documentation
- Ambiguous Fiat-Shamir Oracle Instantiation and Input Serialization
- Discrepancy with Reference Paper on Random Challenge Domain
- Undefined Behavior in Foreign Function Interface
- Informational: 3 (1 fixed, 2 non-risk)
- Non Constant-Time Modular Exponentiation
- Missing Memory Zeroization
- Potential to Randomly Generate Trivial Random Challenges
- Read the full Zendoo Audit
- Read the full Zendoo Cryptographic Elements Audit
Horizen is partnering with hackathon projects, including HackerOne, to perform hackathons of the Zendoo platform. These hackathons will ensure the robustness of our ecosystem. The HackerOne hackathon is now public. Join HEAP to get notifications and updates on the event.