vb spelling
nullity00 committed Jun 28, 2024
1 parent 119a976 commit b0f71b4
Showing 2 changed files with 24 additions and 54 deletions.
24 changes: 6 additions & 18 deletions versionA.md
Expand Up @@ -76,7 +76,7 @@ From the user's point of view, they only see a promise from the centralized enti

Summa takes an approach that focuses on binding the custodian to a certain claim about the sum of their liabilities to their users, and subsequently leveraging zero-knowledge and cryptographic primitives to prove that the assets under their control are equal or exceed that sum of liabilities. In other words, rather than focusing on proving reserves, as in "we the entity control the private key(s) of wallets holding the pooled deposits of users", Summa focuses on binding liabilities, as in "we the entity prove to each user that their balance is included in calculating a grand sum of all liabilities, and we prove control of wallets that contain funds equal or exceeding that aggregated balance of liabilities".

Summa’s 2-sided mechanism that overall provides a proof of solvency of an entity provides two useful proofs:
Summa’s two-sided mechanism that overall provides a proof of solvency of an entity provides two useful proofs:

(a) **Proof of grand sums**: the centralized entity submits a public cryptographic [commitment](https://github.com/summa-dev/summa-solvency/blob/52373464b7ac4e76f7601cd51a10f84655ad387f/contracts/src/Summa.sol#L144) claiming the sum of each asset in wallets it controls is greater than or equal a _claimed_ total sum of _liabilities_ to its users in that asset. In the KZG-based Version B of the protocol, a [proof is attached](https://github.com/summa-dev/summa-solvency/blob/fec83a747ead213261aecfaf4a01b43fff9731ee/contracts/src/Summa.sol#L230) to the commitment attesting it was calculated correctly.
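
Review bot: The reworded sentence at the top of this hunk still reads awkwardly because "provides" appears twice ("mechanism that overall provides a proof of solvency of an entity provides two useful proofs"). Since the line is being touched anyway, consider something like "Summa's two-sided mechanism, which overall provides a proof of solvency of an entity, consists of two proofs:". The context line for item (a) also has "greater than or equal a _claimed_ total sum", which is missing "to", and its two Summa.sol permalinks are pinned to different commits (5237346 and fec83a7); worth confirming both are intended.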

Expand Down Expand Up @@ -144,7 +144,10 @@ The security audit of the Summa Proof of Solvency protocol encompassed a compreh
The audit employed a blend of automated tools and manual examination conducted by the fellows and residents. Techniques included detailed code reviews, static and dynamic analysis, fuzzing, and penetration testing to ensure a thorough validation of the protocol’s security measures.

- **Tool Integration:**
The audit utilized several specialized tools, each tailored to assess different aspects of the protocol: - **Halo2-analyzer**: Verified all circuit constraints. - **Polyexen-demo**: Standardized circuit formats for clarity and reusability. - **Highlighter**: Identified potential code issues needing closer examination. - **NPM and Cargo Audits**: Checked dependencies for known vulnerabilities. - **Clippy**: Ensured Rust code quality and best practices.
The audit utilized several specialized tools, each tailored to assess different aspects of the protocol:
- **Halo2-analyzer**: Verified all circuit constraints.
- **Polyexen-demo**: Standardized circuit formats for clarity and reusability.
- **Misc Tools**: Utilized Highlighter to identify potential code issues, conducted NPM and Cargo Audits to check for vulnerabilities, and Clippy to ensure Rust code quality and best practices.
- **Analytical Techniques:**
The audit encompassed both static and dynamic analyses to provide a comprehensive security assessment: - **Static Analysis**: Examined the source code for vulnerabilities without execution. - **Dynamic Analysis**: Tested the protocol in operation to identify runtime issues.
- **Expert Review:**
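
Review bot: The "Analytical Techniques" item directly below the new sub-list still has its sub-bullets run together on one line ("security assessment: - **Static Analysis**: ... - **Dynamic Analysis**: ..."), the same problem this hunk fixes for "Tool Integration"; split it the same way. The new "Misc Tools" bullet also folds Highlighter, the NPM and Cargo audits, and Clippy into one sentence and drops the "dependencies for known vulnerabilities" wording of the line it replaces, so the audit scope reads less precisely; one bullet per tool would preserve it. As shown here the new sub-bullets carry no indentation, so check that they nest under "Tool Integration" rather than render as siblings of it.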
Expand All @@ -167,7 +170,7 @@ yAcademy and the auditors make no warranties regarding the security of the code
| Category | Mark | Description |
| ------------------------ | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Mathematics | Good | No significant mathematical components were involved |
| Complexity | Good | The code is easy to understand and closely follow the specification |
| Complexity | Good | The code is easy to understand and closely follows the specification |
| Libraries | Low | Although no serious issues have been found in the dependencies, the codebase makes use of unaudited versions of [halo2](https://github.com/summa-dev/halo2) , [halo2-kzg-srs](https://github.com/han0110/halo2-kzg-srs), and [halo2-solidity-verifier](https://github.com/summa-dev/halo2-solidity-verifier), which is not recommended for production |
| Cryptography | Good | Merkle Sum Trees inherit strong cryptographic properties from the hash functions used. Here, the codebase makes use of the Poseidon hash function known for its efficiency, zk-friendliness, and resistance against various cryptanalytic attacks. Even with a change in its magic numbers, the hash function yields a security of `127 bits`. However, it's essential to note that cryptographic algorithms and functions are always subject to ongoing analysis, and new attacks or weaknesses may be discovered in the future. |
| Code stability | Good | The code was reviewed at a specific commit. The code did not change during the review. Moreover, it is not likely to change significantly with addition of features or updates |
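
Review bot: The "follow" to "follows" fix in the Complexity row is correct, but neighbouring rows of the same table have slips a spelling pass could pick up at the same time. The Libraries row has a stray space before the comma after the halo2 link, and the Code stability row reads "with addition of features" where "with the addition of features" is meant.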
Expand Down Expand Up @@ -554,18 +557,3 @@ We raised the following pull requests to increase code coverage & emphasize test
- [PR#17](https://github.com/zBlock-2/summa-solvency-schneier/pull/17) to add end-to-end testing with full prover and verifier (instead of mock prover).
- [PR#8](https://github.com/zBlock-2/summa-solvency-schneier/pull/8/files) to include cost estimation for circuits using `CircuitCost`
- [PR#5](https://github.com/zBlock-2/summa-solvency-schneier/pull/5) is a stress test to determine the potential gas limits of `Summa::submitCommitment()`
### [Methodology](#methodology)
The audit employed a blend of automated tools and manual examination conducted by the fellows and residents. Techniques included detailed code reviews, static and dynamic analysis, fuzzing, and penetration testing to ensure a thorough validation of the protocol’s security measures.
- **Tool Integration:**
The audit utilized several specialized tools, each tailored to assess different aspects of the protocol: - **Halo2-analyzer**: Verified all circuit constraints. - **Polyexen-demo**: Standardized circuit formats for clarity and reusability. - **Misc Tools**: Utilized Highlighter to identify potential code issues, conducted NPM and Cargo Audits to check for vulnerabilities, and Clippy to ensure Rust code quality and best practices.
- **Analytical Techniques:**
The audit encompassed both static and dynamic analyses to provide a comprehensive security assessment: - **Static Analysis**: Examined the source code for vulnerabilities without execution. - **Dynamic Analysis**: Tested the protocol in operation to identify runtime issues.
- **Expert Review:**
We conducted in-depth manual reviews to evaluate complex components and integrations, providing a crucial layer of scrutiny beyond automated tools.
- **Feedback and Improvements:**
An iterative feedback loop with the Summa’s development team allowed for the immediate addressing and re-evaluation of any issues found, ensuring all fixes were effectively implemented.
- **Documentation:**
Each phase of the audit was thoroughly documented, with detailed reports on tool outputs, expert insights, and overall findings, culminating in a comprehensive final report that outlined vulnerabilities, impacts, and recommended actions.
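
Review bot: The removal of the trailing "Methodology" section is not mentioned in the commit message ("vb spelling"), although it accounts for most of the deletions in versionA.md; say so in the message. Before deleting, confirm the retained section near line 144 carries everything in the removed copy, in particular the "Feedback and Improvements" and "Documentation" bullets, which this diff does not show on the kept side. The removed copy has the same run-together sub-bullets under "Analytical Techniques" as the retained one, so that formatting fix is still outstanding after this change.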