Project Information
CATEGORY
Zero-knowledge
NETWORK
Solidity
WEBSITE
https://semaphore.pse.dev/
DESCRIPTION
From Dec. 1 to Dec. 31, Semaphore engaged Veridise to review the security of its Groups v3. The review covered the zero-knowledge circuits and on-chain contracts that implement the protocol logic. Veridise conducted the assessment over 16 person-weeks, with 4 engineers reviewing code over 4 weeks. The auditing strategy combined a tool-assisted analysis of the source code, performed by Veridise engineers, with extensive manual auditing.
Audit Report
SCOPE
This audit reviewed the ZK circuits and on-chain behaviors of Semaphore Groups v3. Veridise auditors first inspected the provided tests and documentation to better understand the desired behavior of the provided source code at a more granular level. They then began a multi-week manual audit of the code, assisted by both static analyzers and automated testing. Finally, they formalized the intended behavior of the Semaphore circuit and formally verified it with the help of Coda.
The key components in scope for the audit include the following:
- The main Semaphore contract
- The zk-kit Incremental Merkle Tree implementation
- The Semaphore whistleblowing and voting extensions
- The Semaphore ZK circuit