Zecwallet Lite Security Updates and Review

Hi @adityapk00

The @ZcashGrants discussed this proposal today we have opted to put this proposal on hold, pending the questions below:

  1. The review will not cover the electron applications, the mobile applications or desktop applications, and as such will focus exclusively on the rust SDK code. This is a relatively small code base, and also seems to ignore a large portion of the risk profile of the wallet, so we were curious if you had inquired as to the cost to review those additional portions?

  2. We are not convinced that maintaining (and securing) a second distinct lite SDK is an efficient use of funds, especially given the current (and proposed future) overlap in the underlying dependencies, and the incomplete nature of the lite client protocol. Looking into the future, do you foresee a time when we could merge these 2 SDKs into one? And if so, do you still think it makes sense to invest significant resources now into this SDK instead of e.g. conducting a security review of electron or mobile applications and/or integrating the 2 SDKs?

Thank you for your proposal and we look forward to discussing this with you further.

3 Likes