Project Information
CATEGORY
Zero-knowledge
NETWORK
Aztec
WEBSITE
https://mach34.space/
DESCRIPTION
From Nov. 11, 2024 to Nov. 25, 2024, Mach34 engaged Veridise to conduct a security assessment of their Z-imburse. The security assessment covered smart contracts and zero-knowledge circuits written for the Aztec Network which enable receivers of grants (called “claimants”) to prove receipt of an email matching reimbursement conditions in order to automatically receive funds. Veridise conducted the assessment over 6 person-weeks, with 3 security analysts reviewing the project over 2 weeks. Due to the heavy use of Aztec-specific libraries and methodologies, Veridise engineers also investigated some of the Aztec protocol and standard library smart contracts invoked by Mach34 smart contracts.
Audit Report
SCOPE
The scope of this security assessment is limited to the some folders of the source code provided by the Z-imburse developers, which contains the Noir circuits and Aztec Network contract implementation of the Z-imburse. The Veridise analysts referenced Aztec Network and Noir source code to understand functions from dependencies, and referenced out-of-scope code as necessary to understand the application.
At the direction of the Mach34 team, Veridise did not focus on the functionality relating to the United reimbursements, and instead focused most efforts on the Linode reimbursements. The Veridise analysts reviewed the tests/ directory listed below for appropriate integration testing, but were unable to successfully run the full test suite due to errors with Aztec Network’s version 0.57.0 known to Mach34.