
Secure Code Review and Privacy-Centric ZK Credential Audit For Mina Protocol


Overview

Mina is the leading layer-1 blockchain focused on zero-knowledge (ZK) privacy. With its lightweight 22 kB “proof of everything,” Mina lets users verify data from web services, other blockchains, or real-world credentials without revealing the sensitive information behind it. This supports a new generation of dApps and verifiable use cases spanning identity, voting, DeFi, real-world assets, and gaming.

To secure its novel ZK-powered credential system, Mina engaged Hacken for a full-scale dApp audit of Mina Attestations, which comprises a credentials library and the attestation presentation interface. These tools allow users to prove identity-linked facts (such as age or citizenship) without revealing the underlying data, a significant step forward in privacy-preserving computation.


Audit Scope and Approach

In March–April 2025, Hacken conducted a comprehensive review of the Mina Credentials system, including:

  • Recursive and simple credential types
  • Selective disclosure mechanisms via zero-knowledge proofs
  • Credential presentation APIs
  • Wallet and extension messaging
  • Serialization logic and dynamic data handling

Our auditors reviewed over 10,000 lines of TypeScript, tested dynamic cryptographic circuits written in o1js, and analyzed complex serialization pipelines and messaging systems. All testing was based on Hacken’s dApp Security Audit Methodology, which combines manual code review with static analysis tools.


Key Findings & Resolutions

The final audit identified 11 issues:

  • 1 Medium
  • 6 Low
  • 4 Informational

Notable Fixes

  • Predictable Private Channel ID: The messaging system between browser components derived private channel IDs from Math.random(), which is not a cryptographically secure generator, so a hostile script could guess a channel and join a conversation it was never part of. This was resolved by generating IDs with crypto.getRandomValues(), restoring isolation between components.
  • Missing JSON Schema Validation: Several deserialization functions processed unvalidated input, so malformed or attacker-controlled JSON could reach application logic. This was fixed with comprehensive schema enforcement using the zod library, which rejects input that does not match the expected shape before it is used.
  • Insecure Cross-Domain Messaging: Browser extension message handlers did not check the sender's origin, exposing the app to postMessage abuse from any page. Origin allow-lists were enforced on all message flows so that only trusted origins can exchange data.
  • Dynamic Hash Collisions: Hashing of dynamic structures has edge cases in which distinct inputs encode identically (e.g., the boolean true and the number 1). Because such collisions could enable credential forgery or verification bypass, they were documented so that callers do not rely on the hash alone to distinguish these values.

All findings were remediated or documented by the Mina team. Codebase cleanup, schema hardening, and secure channel isolation significantly strengthened the project’s security posture.

➡️ See Full Audit Report


Secure Design Highlights

Mina’s credential system leverages:

  • Recursive SNARKs for nested, composable credential structures
  • Dynamic Poseidon hashing for ZK-friendly serialization
  • Selective disclosure protocols to preserve user privacy
  • High test coverage (93%+ statements) across credential logic, serialization, and circuit interaction

The audit also assessed the project’s architectural resilience, documentation clarity, and test coverage. While some advanced features like the nullifier system and metadata validation were still in development, core cryptographic logic was well-implemented and aligned with Mina’s security goals.



Why It Matters

As zero-knowledge adoption accelerates, securing off-chain ZK credential systems becomes mission-critical. The Mina Protocol team demonstrated a strong commitment to privacy-by-design, actively responding to feedback and addressing vulnerabilities before production deployment.

This audit gives Mina’s pioneering identity infrastructure a reviewed baseline for supporting real-world use cases without compromising on privacy, trust, or decentralization.


Interested in Verifiable Privacy?

Hacken provides in-depth audits for privacy-preserving protocols, recursive ZK circuits, and novel dApps interacting with blockchain networks.

