Introduction
Keyring provides a zero-knowledge (ZK) compliance layer that lets DeFi applications tap “maximum liquidity with maximum composability.”
Its latest component, Keyring ZkCredentialUpdater, manages credential proofs and policy checks on-chain.
Why Did They Need an Audit?
The updater contract controls how user credentials are refreshed and validated—a critical path for on-chain KYC/AML compliance.
Any mistake in policy management, role setup, or proof acceptance could either brick the credential system (locking out users) or allow illicit addresses to pass compliance. Three Sigma was engaged for a one-person-week assessment before mainnet migration.
Scope of the Engagement
- Files Audited: KeyringZkCredentialUpdater.sol
- Timeline: 15 Dec 2023 – 29 Dec 2023
- Team: 1 auditor · 1 person-week
- Chain: Ethereum
Audit Date: 2023-12-15
Language: Solidity
Type: Code Audit
Results and Findings
Key Low-Severity Issue
AccessControlDefaultAdminRules recommended for safer role transfers
- Description: The contract relies on OpenZeppelin’s DEFAULT_ADMIN_ROLE, which is the admin for every other role. A mistaken transfer can hand full control to the wrong address.
- Recommendation: Adopt AccessControlDefaultAdminRules for 2-step role transfers and built-in time delays.
- Status: Acknowledged by the team for a future upgrade.
Notable Informational & Optimization Issues
- Incorrect revert reason in setPolicyParameters()
  - Description: The error says “policies 0 and 1 cannot be configured,” but policy 1 is configurable (FIRST_CONFIGURABLE_POLICY = 1).
  - Recommendation: Fix the message to avoid confusion.
  - Status: Addressed in commit eb3cb19.
- Gas micro-optimisation in the updateCredentials() loop
  - Description: Using i++ outside an unchecked block costs extra gas.
  - Recommendation: Switch to pre-increment ++i inside an unchecked block.
  - Status: Addressed in commit 5e03215.
- Wildcard imports instead of specific contracts
  - Recommendation: Import only the required contract/interface to shrink byte-code size.
  - Status: Planned for the next release.
In conclusion
Three Sigma’s focused review of the 221-line Keyring ZkCredentialUpdater found no high-impact issues. The single low-severity governance concern can be eliminated by adopting OpenZeppelin’s newer admin rules, while seven informational items were largely fixed during the audit or queued for the next version. With these tweaks, Keyring’s credential updater now ships with tighter gas costs, clearer error handling, and a path toward safer role management.