R1CS Implementation Review for Penumbra Labs

This document is an implementation review report prepared by NCC Group Security Services for Penumbra Labs, focusing on the Rank-1 Constraint System (R1CS) code and associated zero-knowledge proofs within the Penumbra system. The review was conducted over a two-week period in July 2023, with a follow-up retest in August 2023. The primary scope included examining R1CS-related code and Merkle trees, as well as fixed-point arithmetic and proofs for various functionalities. The review identified eight findings, all of which were subsequently fixed. Key findings included issues with invalid comparisons in fixed-point values, missing carry bits in arithmetic circuits, and incorrect support of zero in point decompression. The report also outlines strategic recommendations for maintaining high-quality documentation and ensuring regular audits of dependencies. Overall, the reviewed code was deemed to be of high quality, with thorough documentation, although some areas were noted for improvement.