Trail of Bits have gotten back to us with two reduced scope options to fit within the budget:
Option A
2 engineer-weeks:
A focused assessment of the cryptographic library against the paper without providing opinion on quality or correctness. This will ensure you are doing your due diligence:
- Review of the cryptographic library implementation and reconciliation against the Lelantus paper with a focus on:
- Confirming the code implements what the paper proposes
- Opinion on paper quality or correctness will not be provided
- Concerns around deanonymization
- Failure of the protocol/code that would allow coins to be created out of thin air (inflation)
- Provide a summary document at the end of the review with a short discussion of what was done, what was found, and the point in time maturity of the project
Option B
4 engineer-weeks:
Reviewing the cryptographic library and wallet implementation getting as much done as possible within the timeframe. The more time we have, the deeper we can dig. This review would include:
- Review of the cryptographic library implementation and reconciliation against the Lelantus paper with a focus on:
- Confirming the code implements what the paper proposes
- Opinion on paper quality or correctness will not be provided
- Concerns around deanonymization
- Failure of the protocol/code that would allow coins to be created out of thin air (inflation)
- Review of the wrappers around the secp256k1 code and integration with bitcoin core to verify that modifications do not allow arbitrary coin minting, et cetera
- Full report: 10+ page report that includes extensive detail on issues discovered
Personally I would of course prefer Option B.