Zellic - Audit Reports

Assessment reports Public findings

Back to Zellic siteBack

Assessment reports>Nocturne>Threat Model>Analysis of the util circuits

GeneralOverview

Findings

Informational (1)

DiscussionGas tokens can be identified by index in Operation Schnorr signature documentation typo Redundant order-l check

Threat ModelWhat are threat models?BalanceManager.sol CommitmentTreeManager.sol DepositManager.sol Handler.sol Teller.sol

circuits Analysis of the JoinSplit circuit Analysis of the util circuits

Audit ResultsSummary

Analysis of the util circuits

StealthAddrOwnership

Compute and constrain G = vk*H1 - H2.
Constrain that 8*G == 0.

VKDerivation

Constrain that vk = Poseidon(spendPubKey, vkNonce).
Constrain that vkbits is the bit decomposition of vk.
constrain that vk is less than the Baby Jubjub scalar field order.

IsOrderL

Compute Q = inv8*P where inv8 = (inv(8) mod l).
Constrain that 8*Q === P. This guarantees that ord(P) = ord(Q)/GCD(ord(Q), 8) so ord(P) is either l or 1.
Constrain that P is not the identity point.

Zellic © 2025Back to top ↑