Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Nocturne>Discussion>Redundant order-l check
GeneralOverview
Findings
High (2)
Low (3)
DiscussionGas tokens can be identified by index in OperationSchnorr signature documentation typoRedundant order-l check
Threat ModelWhat are threat models?BalanceManager.solCommitmentTreeManager.solDepositManager.solHandler.solTeller.solcircuits
Audit ResultsSummary

The StealthAddrOwnership implements redundant order-l check

In lib.circom, StealthAddrOwnership computes GG = vk * H1 - H2 and then applies the following constraints on GG:

(GG2X, GG2Y) <== BabyDbl()(GGX, GGY);
(GG4X, GG4Y) <== BabyDbl()(GG2X, GG2Y);
(GG8X, GG8Y) <== BabyDbl()(GG4X, GG4Y);

GG8X === 0;
GG8Y === 1;

But, since the input points to StealthAddrOwnership, H1 and H2 are already range checked to be in the order-l subgroup of the curve, these constraints are redundant and can be removed.

Zellic © 2024Back to top ↑