Lelantus Audit (PR #33)

Just to give a quick update. First of all thanks so much to everyone who has donated thus far! The support you have shown has touched us.

We are still quite a long way from our target but we hope to raise more funds but we cannot wait too long on this so we’ve started going on a limited scope audit as follows:

We have engaged Trail of Bits for 2 engineer weeks to do a security review of the implementation of their privacy protocol Lelantus (lelantus.io) through a combination of manual and automated review. Activities include but are not limited to:

• Review of the cryptographic library implementation and reconciliation against the Lelantus paper with a focus on:
  • Confirming the code implements what the paper proposes
  • Opinion on paper quality or correctness will not be provided
  • Concerns around deanonymization
  • Failure of the protocol/code that would allow coins to be created out of thin air (inflation)
• Apply a comprehensive suite of tools to quickly and automatically uncover bugs
• Review the architecture of the system for design flaws
• Perform focused manual code review
  Security Engineers:
• Jim Miller - Tech Lead
• Will Song

This will cost us USD32,000

We have also engaged SmartDEC for the following:

• Wallet implementation and crypto library code without checking it for correctness (since this is covered by Trail of Bits)
  Audit will be carried out by Lenar Safin

This will cost us USD14,000

We are also in talks with two cryptographers who will work as a team to audit the Lelantus paper itself. They can begin in July. We are still in discussion of the fee but this is also really dependent on whether we can raise the necessary.

We are taking a risk here if the current donation level stays here as these will significantly exhaust the team’s rainy day fund leaving us a bit vulnerable to price shocks. Please do contribute what you can thank you!

Some updates, we evaluated the SmartDEC proposal again and they informed us that Lenar Safin is no longer available and proposed someone else. We decided against it for the moment and will prefer to engage Trail of Bits again budget permitting but are going ahead with the Trail of Bits proposal that will begin in mid July.

The fund raising is going well and we have converted it to about USD17,900 thereabouts and holding it in USDT for the moment. We hope we can hit our target!

Today we had the first kick-off meeting with Trail of Bits who are set to begin on the 13th and will take one week to do this (two engineers working on it so 2 engineer weeks) so set to complete maybe on the 20th or so.

We had some good feedback from the audit team and are resolving their findings! Once that’s done we will publish the report. There were no critical bugs though there were some moderate ones (albeit hard to exploit).

The reviewers found the protocol innovative and said that the code was very easy to understand so that’s pretty good validation as well.

Personally I am pretty pleased with the outcome.

If anyone has donated to the Lelantus audit fund and would like to be publicly acknowledged, please drop me a PM

We are pleased to share the results of the Lelantus cryptographic library audit by Trail of Bits!

The audit was substantially funded by community donations from the Zcoin Crowdfunding System (ZCS) and the balance from the Zcoin Development Fund.

https://zcoin.io/lelantus-cryptographic-library-audit-results/