Skip to content

Security Audit Checklist

This checklist guides security auditors through the SIP protocol codebase, highlighting critical areas for review.

packages/
├── sdk/ # Core SDK (PRIMARY AUDIT TARGET)
│ ├── src/
│ │ ├── commitment.ts # Pedersen commitments
│ │ ├── stealth.ts # Stealth addresses (EIP-5564)
│ │ ├── privacy.ts # Viewing keys
│ │ ├── intent.ts # Intent builder
│ │ ├── sip.ts # Main client
│ │ └── proofs/ # Proof providers
│ │ ├── interface.ts
│ │ └── mock.ts
│ └── tests/ # Test coverage
├── types/ # Type definitions
└── circuits/ # Noir ZK circuits
├── funding_proof/
├── validity_proof/
└── fulfillment_proof/
DependencyVersionPurposeAudit Status
@noble/curves^1.3.0ECC operationsAudited (Trail of Bits)
@noble/hashes^1.3.3Hash functionsAudited (Trail of Bits)
Noir1.0.0-beta.15ZK circuitsAztec-maintained
  1. createSIP() - SDK initialization
  2. intent() - Intent builder
  3. generateStealthKeys() - Key generation
  4. commit() - Commitment creation
  5. generateProof() - Proof generation

  • File: commitment.ts:generateBlinding()
  • Verify uses crypto.getRandomValues()
  • Check for rejection sampling (values >= curve order)
  • Verify no fallback to weak RNG
// Expected pattern
const bytes = crypto.getRandomValues(new Uint8Array(32))
// Should reject if >= curve order
  • File: stealth.ts:generateStealthMetaAddress()
  • Private key generation uses secure random
  • No key reuse between spending/viewing keys
  • Keys never logged or console.logged
  • Keys not stored in global state
  • Session storage cleared appropriately
  • File: stealth.ts:deriveStealthPrivateKey()
  • ECDH uses validated points
  • Hash output properly reduced mod n
  • No timing leaks in derivation
  • File: commitment.ts:getH() (or similar)
  • H is derived from hash-to-curve
  • Derivation is deterministic and documented
  • No discrete log relation to G is known
// Expected: H = try-and-increment over SHA-256("SIP-PEDERSEN-GENERATOR-H-v1:<counter>")
  • File: commitment.ts:commit()
  • Value range validation (0 ≤ v < n)
  • Blinding factor is fresh random or provided
  • Point multiplication is constant-time (via noble/curves)
  • File: commitment.ts:verifyOpening()
  • Recomputes commitment from opening
  • Uses constant-time comparison
  • Handles edge cases (zero value, etc.)
  • File: commitment.ts:addCommitments()
  • Point addition is correct
  • File: commitment.ts:subtractCommitments()
  • Handles identity point (result of C - C)
  • Blinding operations match commitment operations
  • File: stealth.ts:generateStealthMetaAddress()
  • Spending and viewing keys are independent
  • Public keys are correctly derived
  • Format matches EIP-5564 specification
  • File: stealth.ts:generateStealthAddress()
  • Ephemeral key is fresh random
  • ECDH performed correctly: S = r·K_view
  • Scalar derivation: s = H(S)
  • Address computation: P = K_spend + s·G
  • File: stealth.ts:checkStealthAddress()
  • View tag optimization is correct
  • Full verification when view tag matches
  • No information leakage in negative case
  • File: stealth.ts:deriveStealthPrivateKey()
  • Correctly computes: p = k_spend + H(k_view·R)
  • Result matches stealth address public key
  • No timing variance based on input
  • File: proofs/interface.ts
  • All proof types defined (funding, validity, fulfillment)
  • Input validation on all parameters
  • Error handling doesn’t leak sensitive info
  • File: proofs/mock.ts
  • Clearly marked as NOT FOR PRODUCTION
  • Cannot be accidentally used in production
  • Validates inputs even in mock mode
  • Directory: circuits/funding_proof/

    • Correct constraint on balance ≥ minimum
    • Commitment verification is sound
    • Public inputs properly defined
  • Directory: circuits/validity_proof/

    • Signature verification is correct
    • Nullifier derivation prevents replay
    • Time bounds enforced
  • Directory: circuits/fulfillment_proof/

    • Output amount ≥ minimum verified
    • Time bounds checked
    • Commitment correctly verified
  • File: intent.ts:IntentBuilder
  • All fields validated before building
  • Intent ID generation is unique
  • Privacy level correctly set
  • Intent hash covers all fields
  • Signature scheme is ECDSA (secp256k1)
  • Replay protection via nonce/nullifier
  • Signature verification before processing
  • Expiry time checked
  • Privacy requirements enforced
  • File: privacy.ts
  • Cannot derive spending key from viewing key
  • Hierarchical derivation is correct
  • Child keys cannot derive siblings/parents
  • TRANSPARENT: No privacy (baseline)
  • SHIELDED: Full privacy (commitments + stealth)
  • COMPLIANT: Privacy with viewing key disclosure
  • Errors don’t reveal sensitive data
  • Timing is uniform across error paths
  • No stack traces in production
  • All external inputs validated
  • Type checking enforced
  • Range checks for numeric values
  • tests/crypto/pedersen.test.ts - 29 tests
  • tests/crypto/stealth.test.ts - 21 tests
  • tests/proofs/mock-provider.test.ts - 21 tests
  • tests/integration/full-flow.test.ts - 16 tests
  • Zero values handled
  • Maximum values handled
  • Invalid inputs rejected
  • Constant-time ECC operations (noble/curves)
  • Constant-time comparisons for secrets
  • No early returns based on secret data
  • Keys zeroized after use (implemented v0.1.1)
  • No heap spraying vulnerabilities
  • Garbage collection considerations

SeverityDescription
CriticalDirect loss of funds or privacy
HighIndirect path to fund/privacy loss
MediumSecurity degradation
LowBest practice violations
InformationalSuggestions and notes
## Finding: [Title]
**Severity**: Critical/High/Medium/Low/Informational
**Location**: `packages/sdk/src/file.ts:line`
**Description**:
[Detailed description of the issue]
**Impact**:
[What could happen if exploited]
**Proof of Concept**:
[Steps or code to reproduce]
**Recommendation**:
[How to fix]

For questions during audit:

After audit completion:

  1. All Critical/High findings must be fixed
  2. Medium findings should be fixed or documented
  3. Re-audit of fixes recommended
  4. Public disclosure timeline agreed