Assessment reports > Nocturne > Threat Model > Analysis of the util circuits

Analysis of the util circuits

StealthAddrOwnership

  • Compute and constrain G = vk*H1 - H2.

  • Constrain that 8*G == 0, i.e., G lies in the order-8 cofactor subgroup, so vk*H1 and H2 agree up to a low-order component.

VKDerivation

  • Constrain that vk = Poseidon(spendPubKey, vkNonce).

  • Constrain that vkbits is the bit decomposition of vk.

  • Constrain that vk is less than the Baby Jubjub scalar field order l.

IsOrderL

  • Compute Q = inv8*P where inv8 = (inv(8) mod l).

  • Constrain that 8*Q == P. Since ord(Q) divides 8*l, this guarantees that ord(P) = ord(Q)/GCD(ord(Q), 8) divides l, so ord(P) is either l or 1.

  • Constrain that P is not the identity point, which rules out ord(P) = 1 and leaves ord(P) = l.
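The two Baby Jubjub subgroup checks above, StealthAddrOwnership and IsOrderL, as an added plain-Python model that is not code from the Nocturne circuits or from this report. It uses the public Baby Jubjub parameters (base field, a, d, subgroup order l, full-group generator G and prime-order base point B); the function names, the viewing key, the stealth address and the torsion point it builds are constructed for illustration. It shows on concrete points why the 8*G == 0 check tolerates a cofactor component while a wrong vk fails, and why 8*Q == P accepts exactly the prime-order subgroup.

```python
# Added example: plain-Python model of the StealthAddrOwnership and IsOrderL
# constraints on Baby Jubjub. Not the Nocturne circuit code; curve constants are
# the public Baby Jubjub parameters, sample scalars are constructed.

# Base field of Baby Jubjub (the BN254 scalar field) and the twisted Edwards
# coefficients: a*x^2 + y^2 = 1 + d*x^2*y^2
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617
A = 168700
D = 168696
# Prime subgroup order l; the full group has order 8*l (cofactor 8)
L = 2736030358979909402780800718157159386076813972158567259200215660948447373041
IDENTITY = (0, 1)
# Generator of the full group (order 8*l) and base point of the order-l subgroup
G = (995203441582195749578291179787384436505546430278305826713579947235728471134,
     5472060717959818805561601436314318772137091100104008585924551046643952123905)
B = (5299619240641551281634865583518297030282874472190772894086521144482721001553,
     16950150798460657717958625567821834550301663161624707787222815936182638968203)


def is_on_curve(pt):
    x, y = pt
    return (A * x * x + y * y - 1 - D * x * x * y * y) % P == 0


def add(p1, p2):
    """Twisted Edwards addition; complete on Baby Jubjub, so no special cases."""
    x1, y1 = p1
    x2, y2 = p2
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + y1 * x2) * pow(1 + t, -1, P) % P
    y3 = (y1 * y2 - A * x1 * x2) * pow(1 - t, -1, P) % P
    return (x3, y3)


def neg(pt):
    x, y = pt
    return ((-x) % P, y)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = IDENTITY
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def torsion_point():
    """l*G has order 8: a pure cofactor component with no order-l part."""
    return mul(L, G)


def stealth_addr_ownership(vk, h1, h2):
    """StealthAddrOwnership: G = vk*H1 - H2 must satisfy 8*G == 0."""
    g = add(mul(vk, h1), neg(h2))
    return mul(8, g) == IDENTITY


INV8 = pow(8, -1, L)  # inv(8) mod l


def is_order_l(pt):
    """IsOrderL: Q = inv8*P, require 8*Q == P and P != identity.

    Writing P = P_l + P_8 (order-l part plus cofactor part), 8*Q = P_l, so the
    equality holds exactly when P_8 = 0; the identity check then forces ord(P) = l.
    """
    q = mul(INV8, pt)
    return mul(8, q) == pt and pt != IDENTITY


if __name__ == "__main__":
    t = torsion_point()
    vk = 123456789                 # constructed viewing key
    h1 = mul(987654321, B)         # constructed stealth address (H1, H2 = vk*H1)
    h2 = mul(vk, h1)
    print("honest address:      ", stealth_addr_ownership(vk, h1, h2))
    print("H2 plus torsion:     ", stealth_addr_ownership(vk, h1, add(h2, t)))
    print("wrong vk:            ", stealth_addr_ownership(vk + 1, h1, h2))
    print("IsOrderL(B), (G), (T):", is_order_l(B), is_order_l(G), is_order_l(t))
```

The torsion point T = l*G is the case both checks have to reason about: StealthAddrOwnership deliberately accepts H2 + T because the cofactor multiplication clears it, whereas IsOrderL rejects T and B + T because neither equals 8 times any point.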

Zellic © 2024