Penumbra Security Audits Q3 2023

In the summer of 2023, Penumbra Labs had two concurrent audits performed covering Penumbra’s cryptographic protocol design and zero-knowledge circuits.

We have completed implementation of the zero-knowledge circuits for the Penumbra protocol. We first described our in-progress work migrating to Groth16 proofs in our live testnets in this blog post from March 2023. As we approach mainnet and prepare to finalize the circuits for our setup ceremony, we commissioned two concurrent audits to identify and resolve issues with our cryptographic protocol design and implementation.

Audit Process

NCC Group previously audited our cryptographic primitives decaf377 and poseidon-paramgen last summer: you can see that full audit report here. We decided to work with them again this year for auditing our protocol and circuits. We also chose to run a second, concurrent audit, with the same scope, through zkSecurity, recently co-founded by David Wong.

The scope of the audit was:

  • Penumbra’s protocol design, primarily Penumbra’s multi-asset shielded pool, extended from Zcash Sapling,
  • the abstract statements to be proved in zero-knowledge as part of the protocol design, and
  • the implementation using Rust and Arkworks of the circuits for these proofs.

Findings

In summary, the zkSecurity team found 10 issues, 5 of which were informational. The NCC Group team found 8 issues, 3 of which were informational. There was some overlap (2 issues) between the two audit results, resulting in a total of 16 issues, 8 of which were informational. Excluding the informational-only issues, of the 8 security findings:

  • 1 was considered critical by NCC Group
  • 2 were considered high by zkSecurity
  • 2 issues discovered by both teams were considered high by zkSecurity and medium by NCC Group
  • 1 was considered medium by zkSecurity
  • 2 were considered low by NCC Group

Of those 8 issues found, the Penumbra Labs team considered the two highest-impact bugs to be the “double spend” and “double vote” bugs (rated high by zkSecurity, see report items #0 and #1), each with clear paths to exploitation. As of the time of publication, the Penumbra Labs team has resolved all issues higher than “informational” identified by either of the audit teams, and confirmed these fixes through follow-up review with both original audit teams. Details can be found in the audit reports, but we’d like to summarize these two findings and their resolution below.

In the double spend case, the derivation of the incoming viewing key done in-circuit was incorrect, allowing an attacker to generate multiple nullifiers for the same note, all of which would be considered valid by the verifier. Nullifiers are used to prevent double spends, so this effectively allowed an attacker to spend a note multiple times.

In the double vote case, Penumbra’s governance system did not properly check for duplicate nullifiers within a delegator vote transaction. This allowed an attacker to use the same note to vote as a delegator multiple times.
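The class of check involved in the double vote case, as an added example: this is a simplified model written for this summary, not Penumbra's code. The types `DelegatorVote` and `Tally`, the 4-byte nullifier, and the assumption that the flawed path compared each action only against already-committed nullifiers are all hypothetical.

```rust
use std::collections::HashSet;

/// Constructed stand-in; a real nullifier is a field element.
pub type Nullifier = [u8; 4];
/// Hypothetical, simplified delegator vote: one note casting `power` votes.
pub struct DelegatorVote { pub nullifier: Nullifier, pub power: u64 }

#[derive(Default)]
pub struct Tally {
    pub voted: HashSet<Nullifier>, // nullifiers committed by earlier transactions
    pub total_power: u64,
}

impl Tally {
    /// Flawed shape (assumed): actions are checked only against committed state,
    /// so a nullifier repeated inside the same transaction is counted twice.
    pub fn apply_unchecked(&mut self, tx: &[DelegatorVote]) -> Result<(), String> {
        if tx.iter().any(|v| self.voted.contains(&v.nullifier)) {
            return Err("nullifier already voted".into());
        }
        for v in tx {
            self.voted.insert(v.nullifier);
            self.total_power += v.power;
        }
        Ok(())
    }

    /// Hardened shape: also reject repeats within the transaction, and change
    /// no state unless every action passes.
    pub fn apply_checked(&mut self, tx: &[DelegatorVote]) -> Result<(), String> {
        let mut seen = HashSet::new();
        for v in tx {
            if self.voted.contains(&v.nullifier) || !seen.insert(v.nullifier) {
                return Err("duplicate nullifier".into());
            }
        }
        self.voted.extend(seen);
        self.total_power += tx.iter().map(|v| v.power).sum::<u64>();
        Ok(())
    }
}

fn main() {
    // Constructed input: two votes in one transaction reuse one note's nullifier.
    let vote = |p| DelegatorVote { nullifier: *b"nf01", power: p };
    let tx = [vote(10), vote(10)];
    let (mut flawed, mut fixed) = (Tally::default(), Tally::default());
    println!("{:?} {}", flawed.apply_unchecked(&tx), flawed.total_power);
    println!("{:?} {}", fixed.apply_checked(&tx), fixed.total_power);
}
```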

These issues and all other security issues identified by both audits have been fixed by the Penumbra Labs team, and the fixes to the security bugs were reviewed by the audit firms. The finalized circuits were released as part of testnet 59, Enceladus, on 2023-08-21.

Check out the full audit reports by zkSecurity here and NCC Group here.