| Threat | Description |
|---|---|
| Double spend | Reusing nullifier to withdraw same funds twice |
| Commit griefing | Spamming invalid commits to bloat state |
| Challenge griefing | Spamming frivolous challenges |
| Account substitution | Swapping recipient/relayer/treasury at finalize |
| Vault drain | Arithmetic underflow/overflow exploits |
| Replay attacks | Cross-protocol or cross-chain confusion |
| Censorship | Blocking legitimate challengers |
- Double spend
  - Nullifier is marked spent only at finalize
  - Duplicate finalize attempts are rejected
  - Nullifier uniqueness enforced at PDA level
- Commit griefing and challenge griefing
  - Commit bond required to create PendingCommit
  - Challenger bond required to submit challenge
  - Economic cost deters spam attacks
- Account substitution
  - Recipient, relayer, submitter, treasury validated against stored commit state
  - Cannot substitute destination accounts at finalize
- Vault drain
  - Vault balance checked before any payout
    - `vault >= bond + amount` verified before finalize
    - `vault >= reward` verified before challenge payout
  - All fee calculations use checked operations
    - `total_fee <= amount` enforced
  - No underflow/overflow possible on payout paths
- Replay attacks
  - Domain separation in cryptographic operations
  - Protocol-specific binding in all commitments
- Censorship
  - Challenge path is permissionless
  - Anyone with valid proof can challenge
  - No trusted party required for verification
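The finalize-path checks listed above (nullifier spent only after every check passes, destination accounts validated against the stored commit, `vault >= bond + amount` and `vault >= reward` before any payout, checked fee arithmetic with `total_fee <= amount`) can be exercised end to end in a small model. The following is an added example written for this page, not the protocol's on-chain program: the `PendingCommit` and `Vault` types, the basis-point fee fields, the `HashSet` standing in for per-nullifier PDAs, and every function name are assumptions made for illustration.

```rust
use std::collections::HashSet;

// Constructed types for illustration only; not the protocol's account layouts.
pub type Pubkey = [u8; 32];
pub const BPS_DENOMINATOR: u64 = 10_000;

#[derive(Clone, Debug, PartialEq)]
pub struct PendingCommit {
    pub nullifier: [u8; 32],
    pub recipient: Pubkey,
    pub relayer: Pubkey,
    pub treasury: Pubkey,
    pub amount: u64,
    pub bond: u64,
    pub relayer_fee_bps: u64,  // assumed fee model: basis points of amount
    pub treasury_fee_bps: u64,
}

#[derive(Debug, PartialEq)]
pub enum FinalizeError {
    NullifierAlreadySpent,
    AccountMismatch,
    ArithmeticOverflow,
    FeeExceedsAmount,
    InsufficientVault,
}

#[derive(Debug, PartialEq)]
pub struct Payout {
    pub recipient: u64,
    pub relayer: u64,
    pub treasury: u64,
    pub bond_refund: u64,
}

pub struct Vault {
    pub balance: u64,
    // Stand-in for per-nullifier PDAs: insertion happens only after all checks.
    pub spent: HashSet<[u8; 32]>,
}

/// Fee split using checked arithmetic; returns (relayer_fee, treasury_fee).
pub fn compute_fees(c: &PendingCommit) -> Result<(u64, u64), FinalizeError> {
    let fee_of = |bps: u64| -> Result<u64, FinalizeError> {
        c.amount
            .checked_mul(bps)
            .and_then(|x| x.checked_div(BPS_DENOMINATOR))
            .ok_or(FinalizeError::ArithmeticOverflow)
    };
    let relayer_fee = fee_of(c.relayer_fee_bps)?;
    let treasury_fee = fee_of(c.treasury_fee_bps)?;
    let total_fee = relayer_fee
        .checked_add(treasury_fee)
        .ok_or(FinalizeError::ArithmeticOverflow)?;
    // total_fee <= amount is enforced explicitly, not assumed from the fee rate.
    if total_fee > c.amount {
        return Err(FinalizeError::FeeExceedsAmount);
    }
    Ok((relayer_fee, treasury_fee))
}

/// Finalize a pending commit. The nullifier is marked spent only after every
/// check succeeds, so a rejected attempt leaves the commit claimable.
pub fn finalize(
    vault: &mut Vault,
    commit: &PendingCommit,
    recipient: &Pubkey,
    relayer: &Pubkey,
    treasury: &Pubkey,
) -> Result<Payout, FinalizeError> {
    if vault.spent.contains(&commit.nullifier) {
        return Err(FinalizeError::NullifierAlreadySpent);
    }
    // Destination accounts must match the stored commit state exactly.
    if recipient != &commit.recipient || relayer != &commit.relayer || treasury != &commit.treasury {
        return Err(FinalizeError::AccountMismatch);
    }
    let (relayer_fee, treasury_fee) = compute_fees(commit)?;
    let total_fee = relayer_fee.checked_add(treasury_fee).ok_or(FinalizeError::ArithmeticOverflow)?;
    let to_recipient = commit.amount.checked_sub(total_fee).ok_or(FinalizeError::ArithmeticOverflow)?;
    // vault >= bond + amount before any funds move.
    let required = commit.bond.checked_add(commit.amount).ok_or(FinalizeError::ArithmeticOverflow)?;
    if vault.balance < required {
        return Err(FinalizeError::InsufficientVault);
    }
    vault.balance -= required; // cannot underflow: balance >= required was just checked
    vault.spent.insert(commit.nullifier);
    Ok(Payout { recipient: to_recipient, relayer: relayer_fee, treasury: treasury_fee, bond_refund: commit.bond })
}

/// vault >= reward is verified before a challenge reward is paid; returns the new balance.
pub fn pay_challenge_reward(vault: &mut Vault, reward: u64) -> Result<u64, FinalizeError> {
    if vault.balance < reward {
        return Err(FinalizeError::InsufficientVault);
    }
    vault.balance -= reward;
    Ok(vault.balance)
}
```

Because the nullifier is inserted into `spent` as the last step, a finalize that fails on account validation or vault balance does not consume it, which is what makes "marked spent only at finalize" safe against a griefer submitting a malformed finalize first.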
The following are intentionally not documented publicly:
- Circuit security review details
- Parameter generation pipeline
- Prover availability guarantees
- Relayer infrastructure hardening specifics