
Pre-execution privacy (PEP)

The PEP module manages execution of encrypted transactions. It requests keys for decrypting the transactions from the keyshare module, which may reside on either the same chain or a different chain.

Invariants

Encrypted transactions must have their gas fees prepaid by their creators.

Test coverage

The individual messages are tested in Go unit tests, and flows involving sequences of messages are tested against a local devnet by scripts/tests/pep.sh.

Attack surface

MsgUpdateParams

The MsgUpdateParams message updates the parameters of the keyshare module.

  • It must be signed by the keeper's Authority, which is initialized to the PEP module's module address.

  • It validates that the TrustedAddresses is a list of Bech32-encoded addresses; that the TrustedCounterParties each have nonempty channel IDs, connection IDs, and client IDs; that the keyshare channel ID is nonempty; that the MinGasPrice and PrivateDecryptionKeyPrice are positive; and that the IsSourceChain field is of type bool.

MsgSubmitEncryptedTx

The MsgSubmitEncryptedTx message submits an encrypted transaction for execution at a target height.

  • The target height must be ahead of the current block height or ahead of the latest source block height if another chain is the source chain.

  • The target height must not exceed the expiry of the queued public key, or of the active public key if no queued public key is present.

  • The creator's address must be Bech32 encoded.

  • The PEP module transfers a gas prepayment from the creator to itself, and the encrypted transaction is stored keyed by the height.
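The two target-height checks above, as an added example in Go (not Fairyring's code): it assumes "ahead of" means strictly greater, models the absent queued key as a nil pointer, and uses a constructed ChainView in place of the module's keeper state.

```go
package main

import "errors"

// ChainView is a constructed stand-in for the state the check reads, not the Fairyring keeper.
// QueuedExpiry is nil when no queued public key is present; an active key is assumed to exist.
type ChainView struct {
	IsSourceChain      bool
	CurrentHeight      uint64
	LatestSourceHeight uint64 // consulted only when another chain is the source chain
	ActiveExpiry       uint64 // expiry height of the active public key
	QueuedExpiry       *uint64
}

var (
	ErrTargetNotAhead   = errors.New("target height is not ahead of the reference height")
	ErrTargetPastExpiry = errors.New("target height exceeds the public key expiry")
)

// ValidateTargetHeight applies the two height checks: the target must be ahead of the current
// height (or of the latest source height on a non-source chain) and must not exceed the expiry
// of the queued key, or of the active key when nothing is queued.
func ValidateTargetHeight(v ChainView, target uint64) error {
	ref := v.CurrentHeight
	if !v.IsSourceChain {
		ref = v.LatestSourceHeight
	}
	if target <= ref {
		return ErrTargetNotAhead
	}
	expiry := v.ActiveExpiry
	if v.QueuedExpiry != nil {
		expiry = *v.QueuedExpiry
	}
	if target > expiry {
		return ErrTargetPastExpiry
	}
	return nil
}

func main() {
	v := ChainView{IsSourceChain: true, CurrentHeight: 100, ActiveExpiry: 200}
	println(ValidateTargetHeight(v, 150) == nil, ValidateTargetHeight(v, 250) == ErrTargetPastExpiry) // true true
}
```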

MsgSubmitGeneralEncryptedTx

The MsgSubmitGeneralEncryptedTx message submits an encrypted transaction for a general encrypted identity.

  • The identity must be present in the PEP module's state.

  • The creator's address must be Bech32 encoded.

  • The PEP module transfers a gas prepayment from the creator to itself, and the encrypted transaction is stored in the identity's transaction queue.

MsgSubmitDecryptionKey

The MsgSubmitDecryptionKey message submits a decryption key on non-source chains.

  • If IsSourceChain is set, an error is returned.

  • The signer must be in the PEP module's list of TrustedAddresses.

  • There must be a nonempty active public key in the PEP module's state.

  • The provided decryption key must be able to decrypt the string "test data" encrypted towards the active public key.

  • If the trial decryption succeeds, the decryption key is stored, and the latest height from the source chain is stored.

MsgRequestGeneralIdentity

The MsgRequestGeneralIdentity message submits a request for a general identity.

  • A request for the specified creator and ID must not already exist.

  • If this chain is the source chain, an entry for the requested identity is stored.

  • If another chain is the source chain, a RequestDecryptionKeyPacket for the requested identity is sent to the source chain.

MsgRequestGeneralDecryptionKey

The MsgRequestGeneralDecryptionKey message submits a request for a decryption key for a general identity.

  • An entry for the identity must exist, and the entry's creator must be the signer.

  • If this chain is the source chain, the decryption key request is stored.

  • If another chain is the source chain, a GetDecryptionKeyPacket is sent to the source chain.

MsgRequestPrivateIdentity

The MsgRequestPrivateIdentity message submits a request for an identity with encrypted keyshares.

  • A request for the specified creator and ID must not already exist.

  • If this chain is the source chain, an entry for the request is stored.

  • If another chain is the source chain, a RequestPrivateDecryptionKey packet is sent to the source chain.

MsgRequestPrivateDecryptionKey

The MsgRequestPrivateDecryptionKey message submits a request for encrypted keyshares.

  • The identity for the request is created if it does not already exist.

  • The creator's address must be Bech32 encoded.

  • The PEP module transfers the PrivateDecryptionKeyPrice to itself.

  • If this chain is the source chain, an entry for the request is stored.

  • If another chain is the source chain, a GetPrivateDecryptionKeyPacket packet is sent to the source chain.

MsgRegisterContract

The MsgRegisterContract message registers a WASM contract for execution when a specified identity's decryption key is made available.

  • The contract's address must be Bech32 encoded, and a contract must have been instantiated at it.

  • The signer must be the contract's admin and creator.

  • There must not already be a scheduled execution of the contract at the specified identity.

  • The contract is scheduled for execution in the specified identity's queue.

MsgUnregisterContract

The MsgUnregisterContract message unregisters a previously registered WASM contract.

  • The contract's address must be Bech32 encoded, and a contract must have been instantiated at it.

  • The signer must be the contract's admin and creator.

  • The specified identity's list of scheduled contracts is scanned, and if the specified contract is found, it is removed.

Zellic © 2025