Summary
The most critical subjects covered in our audit of the circuits are soundness, completeness and zero-knowledge. Several critical issues have been uncovered, including:
• Missing constraint on pubkey allows for double spending
• Incorrect exclusion proof circuit allows for double spending
• Multiple Valid Account Trees / Public States after applying the same block
The latest iteration covers refinements in the core circuits, refactored withdrawal circuits and the new claim circuits.
The reviewed code is well-structured and properly documented. Although testing has been continuously enhanced, a thorough stress test on a public testnet is recommended before mainnet launch, given the project’s cutting-edge nature. The circuits are part of Intmax 2, a system consisting of multiple interacting parts. The rollup is managed by a set of smart contracts, which have been audited in the ChainSecurity Intmax 2 Smart Contract Audit Report.
In summary, we find that the current codebase provides a good level of security.
It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don't replace other vital measures to secure a project.
About Intmax 2 ZKP Circuits
Intmax implements a zk-rollup for private transfers, using zero-knowledge proofs to attest to state transitions and balances. Smart contracts on Scroll manage the rollup, while smart contracts on Ethereum handle liquidity on- and off-boarding.
"INTMAX is an extremely scalable layer for Ethereum transfers that incorporates ethically sound privacy. It is a stateless zkRollup structure, theoretically achieving scalability similar to Plasma and Lightning Network, as envisioned in 2018. By distributing both data and computation costs across users’ devices, INTMAX inherits security from Ethereum while achieving scalability even greater than centralized financial systems using databases."