Civic Technologies, Inc.

We express our gratitude to the Civic Technologies, Inc. team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

Civic is a leading provider of identity and access management tools.

The system users should acknowledge all the risks summed up in the risks section of the report

On-chain Identity Gateway is a platform that implements auth token creation and management. The main purpose of the system is to allow other smart contracts to validate the user’s identity (for example, KYC verification, reCAPTCHA, etc.).

The domain model has the following key entities: “gatekeeper network”, “gatekeeper”, and “gateway token”. A gatekeeper network can add/remove gatekeepers to itself. Gatekeepers can create gateway tokens within their network for arbitrary parties. A gateway token represents a credential that is meant to be used by client systems to authenticate their users. A party may be granted many gateway tokens at the same time, including many tokens from the same network. A gateway token may have an expiration time, which can be increased or decreased arbitrarily by any gatekeeper in the network. A gateway token may be paused/unpaused (only by the issuing gatekeeper), revoked or removed by any gatekeeper in the network. A network may add/remove features to itself. Currently, the only feature is self-expiration, which allows a grantee of a gateway token to make the token expire immediately. The platform supports several blockchains.

The platform implementation designed for the Solana blockchain is in the audit scope.

In-scope files:

• ./solana/program/ (also referred to as the program crate) — the folder contains a Rust crate that defines the operations that gatekeepers can perform on the Solana blockchain, and the client-side code for interacting with the program.

• • ./solana/program/src/entrypoint.rs — the file contains the program entrypoint and performs a redirect to the processor.

  • ./solana/program/src/lib.rs — the file contains module declarations, the program ID declaration, and reading/validation utilities for gateway tokens.

  • ./solana/program/src/processor.rs — the file contains the implementation of fundamental operations over the domain entities.

  • ./solana/program/src/state.rs — the file contains the program state data structures definitions and helper functions to work with the state.

  • ./solana/program/src/borsh.rs — the file contains Borsh helpers to work with data slices.

  • ./solana/program/src/error.rs — the file contains the protocol error declarations.

  • ./solana/program/src/instruction.rs — the file contains the program instruction signatures and the functions constructing calls into the respective program APIs.

  • /solana/program/src/networks.rs — the file contains official gateway network addresses.

Privileged roles

• The owner of the account that contains the program - as allowed in Solana - can modify the account, including the program code, if it was not deployed as immutable.

• Within the program, there are no universal high-privileged roles. Each gateway network is a root of an isolated graph of entities. For each graph, the ultimate-privilege entity is the gateway network, which can spawn many gatekeepers that have second-class privileges. The details of the abilities of the privileged entities are described in the main body of the System Overview.

The total Documentation quality score is 9 out of 10.

• README.md in the program crate as well as doc comments in program::instruction state the need to pass the rent sysvar account to some instructions, but actually the instructions do not expect it.

The total Code quality score is 9 out of 10.

• There are minor cases of unfinalized or confusing code.

• There are hardcoded generated values whose derivation is not validated properly.

See the Findings section for detailed issue descriptions

Code coverage of the project is 91% (branch coverage).

• There is both positive and negative cases coverage.

• All kinds of actors are tested.

• program::processor::remove_feature_from_network is not tested.

Upon auditing, the code was found to contain 0 critical, 1 high, 1 medium, and 12 low severity issues. Out of these, 11 issues have been addressed and resolved, leading to a Security score of 10 out of 10.

All identified issues are detailed in the “Findings” section of this report.

The comprehensive audit of the customer's smart contract yields an overall score of 10. This score reflects the combined evaluation of documentation, code quality, test coverage, and security aspects of the project.

The scope of the project includes the following smart contracts from the provided repository: