Sismo: Commitment Mapper audit report
Project Information
CATEGORY
Zero-knowledge, TypeScript
NETWORK
AWS Lambda
WEBSITE
https://www.sismo.io/
DESCRIPTION
From Mar. 21, 2023 to Apr. 4, 2023, Sismo engaged Veridise to review the security of their Sismo Commitment Mapper. The review covered the implementation of the Sismo Commitment Mapper service, a web application that allows a user to construct a cryptographic signature that proves their identity. This “proof-of-identity” can then be used with Sismo’s ZK circuits, one of which Veridise also covered in a security review in parallel. Veridise conducted the assessment over 4 person-weeks, with 2 engineers reviewing code over 2 weeks. The auditing strategy involved a tool-assisted analysis of the source code performed by Veridise engineers as well as extensive manual auditing.
Audit Report
SCOPE
The scope of this audit is limited to the src folder of the source code provided by the Sismo developers, which contains the TypeScript implementation of the Sismo Commitment Mapper. While other files were included in the source code, they were not in the scope of the audit. During the audit, the Veridise auditors referred to the excluded files but assumed that they had been implemented correctly.