Over the next week or so, ECC engineers will be performing a paid audit of the zk circuits used in Penumbra.
In the interests of transparency (and because it is arguably a requirement of ZIP 1014), I’m making this post to let the Zcash community know that we’re doing this. Also for transparency, the request for this audit came from Henry de Valence, formerly of the Zcash Foundation.
Why are we doing this audit?
Penumbra is one of very few deployed multi-asset shielded protocols based on Sapling. By auditing it, we gain in-depth exposure to another “take” on such a protocol. Although the “vanilla ZSA” design is substantially complete, there are still many things we can learn from Penumbra. (Its Proof-of-Stake protocol supports private delegation of stake, and it has governance mechanisms based on stake-weighted voting, for example.) We can also get a feel for how circuits are written in another mature, widely used zk circuit framework, Arkworks.
Technically, we could do these things without the incentive of a paid auditing contract, but it is much less likely that we’d actually do so.
There is also the possibility of the Penumbra team being able to audit the ZSA circuits in the near future. For the same reason that the ECC team is a good choice to audit the Penumbra circuits, their team is also a good choice to audit ZSAs — in fact one of exceptionally few teams that will be able to do so with experience of having already designed and deployed a multi-asset shielded protocol. Note that the Qedit team, who performed invaluable audits of Sapling and Orchard, is not able to do a third-party audit of their own work for ZSAs.
Penumbra are on a relatively tight schedule to audit their circuits and restart their Phase 2 Groth16 setup, after a flaw was found in the first version. Because of this difference in timelines and to reduce the overhead of contractual negotiations, we decided to go ahead with the Penumbra audit now rather than to formally link it to a potential ZSA audit by them.
Is there any conflict of interest in ECC doing an audit for a competing project?
We don’t believe so. It is in the interest of users of all privacy-preserving payment protocols that the technology they use is perceived to be, and is actually, on solid ground. That is, a flaw in any such protocol might shake confidence in the others. So the incentives of Zcash and Penumbra users are aligned when it comes to ensuring that multi-asset shielded protocols in general, including Penumbra’s protocol and ZSAs, are robust and well-specified. Where we compete, it should be on other factors than whether our protocols meet their designed security goals.
The terms of the consulting agreement ensure that ECC is able to apply any conclusions we take from the audit to the Zcash protocol and/or ECC’s product development.
How much of ECC’s engineering resources will it take?
We expect that the audit will take 20 to 30 person-hours of ECC engineers’ time. I believe this won’t have an impact on ECC’s roadmap. And if the idea for Penumbra to audit ZSAs pans out, I believe that could accelerate ZSA deployment.
