Keyring Network

Code Audit


Keyring is a Zero-Knowledge compliance solution for maximum liquidity and composability.

Blockchain security isn't optional.

Protect your smart contracts and DeFi protocols with Three Sigma, a trusted security partner in blockchain audits, smart contract vulnerability assessments, and Web3 security.


Introduction

Keyring provides a zero-knowledge (ZK) compliance layer that lets DeFi applications tap “maximum liquidity with maximum composability.”

Its latest component, Keyring ZkCredentialUpdater, manages credential proofs and policy checks on-chain.

Why Did They Need an Audit?

The updater contract controls how user credentials are refreshed and validated—a critical path for on-chain KYC/AML compliance.

Any mistake in policy management, role setup, or proof acceptance could either brick the credential system (locking out users) or allow illicit addresses to pass compliance. Three Sigma was engaged for a one-person-week assessment before mainnet migration.

Scope of the Engagement

  • Files Audited: KeyringZkCredentialUpdater.sol
  • Timeline: 15 Dec 2023 – 29 Dec 2023
  • Team: 1 auditor · 1 person-week
  • Chain: Ethereum

Audit Date: 2023-12-15

Language: Solidity

Type: Code Audit

Results and Findings

Key Low-Severity Issue

AccessControlDefaultAdminRules recommended for safer role transfers

  • Description: The contract relies on OpenZeppelin’s DEFAULT_ADMIN_ROLE, which is the admin for every other role. A mistaken transfer can hand full control to the wrong address.
  • Recommendation: Adopt AccessControlDefaultAdminRules for 2-step role transfers and built-in time delays.
  • Status: Acknowledged by the team for future upgrade.
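As an added illustration of this finding (example code, not Keyring's contract; the OpenZeppelin import paths assume the Contracts v5 layout, and `POLICY_ADMIN_ROLE`, `transferAdmin`, `addPolicyAdmin` and the 3-day delay are constructed for the example), the first contract shows the single-step admin pattern the auditors flagged and the second the recommended two-step, time-delayed transfer:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Keyring's code. Import paths assume OpenZeppelin Contracts v5.
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";
import {AccessControlDefaultAdminRules} from "@openzeppelin/contracts/access/extensions/AccessControlDefaultAdminRules.sol";

// Pattern flagged in the audit: DEFAULT_ADMIN_ROLE administers every other role and can
// be handed over in a single call. A typo in `newAdmin` gives full control to the wrong
// address, and once the old admin is revoked there is no way back.
contract UpdaterSingleStepAdmin is AccessControl {
    bytes32 public constant POLICY_ADMIN_ROLE = keccak256("POLICY_ADMIN_ROLE"); // hypothetical role

    constructor(address admin) {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
    }

    // One mistaken call is irreversible: grant to the wrong address, revoke self, done.
    function transferAdmin(address newAdmin) external onlyRole(DEFAULT_ADMIN_ROLE) {
        _grantRole(DEFAULT_ADMIN_ROLE, newAdmin);
        _revokeRole(DEFAULT_ADMIN_ROLE, msg.sender);
    }
}

// Recommended pattern: the extension makes DEFAULT_ADMIN_ROLE its own admin, reverts on
// grantRole/revokeRole for that role, and replaces a direct transfer with
// beginDefaultAdminTransfer(newAdmin) -> delay elapses -> acceptDefaultAdminTransfer()
// called by the pending admin. The current admin can cancelDefaultAdminTransfer() meanwhile.
contract UpdaterTwoStepAdmin is AccessControlDefaultAdminRules {
    bytes32 public constant POLICY_ADMIN_ROLE = keccak256("POLICY_ADMIN_ROLE"); // hypothetical role

    // initialDelay is the minimum wait before a begun transfer can be accepted;
    // 3 days is a constructed value for this example, not Keyring's setting.
    constructor(address admin) AccessControlDefaultAdminRules(3 days, admin) {}

    // Operational roles are still granted by the default admin as before; only the
    // default admin role itself is now locked behind the two-step, delayed process.
    function addPolicyAdmin(address account) external onlyRole(DEFAULT_ADMIN_ROLE) {
        _grantRole(POLICY_ADMIN_ROLE, account);
    }
}
```

With the second contract, a transfer begun to a mistyped address stays pending and changes nothing until the delay has elapsed and that exact address calls acceptDefaultAdminTransfer(), so the current admin keeps a window to cancel.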

Notable Informational & Optimization Issues

  1. Incorrect revert reason in setPolicyParameters()
    • Description: Error says “policies 0 and 1 cannot be configured,” but policy 1 is configurable (FIRST_CONFIGURABLE_POLICY = 1).
    • Recommendation: Fix message to avoid confusion.
    • Status: Addressed in commit eb3cb19.
  2. Gas micro-optimisation in updateCredentials() loop
    • Description: Using i++ without an unchecked block costs extra gas, since each increment carries an overflow check the loop bound already makes unnecessary.
    • Recommendation: Switch to pre-increment ++i inside an unchecked block.
    • Status: Addressed in commit 5e03215.
  3. Wildcard imports instead of specific contracts
    • Recommendation: Import only the required contract/interface to shrink bytecode size.
    • Status: Planned for next release.

Severity Issues

  • critical / high: 1
  • informational: 6
  • medium: 0
  • low: 2

Audit Period: 4 Days

In conclusion

Three Sigma’s focused review of the 221-line Keyring ZkCredentialUpdater found no high-impact issues. The single low-severity governance concern can be eliminated by adopting OpenZeppelin’s newer admin rules, while seven informational items were largely fixed during the audit or queued for the next version. With these tweaks, Keyring’s credential updater now ships with tighter gas costs, clearer error handling, and a path toward safer role management.
