Umbra Audit Updates

April 8, 2021 / Ben DiFrancesco

A security-first posture is one of our core values at ScopeLift. The responsibility that comes with writing software that handles other people’s money demands it. That’s why we’re excited to announce two security audit updates related to Umbra today.

Umbra is a protocol for stealth addresses on Ethereum developed by ScopeLift. If you’re not yet familiar with the project, check out some of our past posts to learn more.

Contract Audit Complete

In our last update, we reported that Umbra completed a one day security review with the team at Consensys Diligence. This quick “spot check” was a precursor to a full audit of our contracts.

We’re pleased to announce that the Consensys Diligence team has completed its audit of Umbra’s core contracts. The results of that audit are now available.

No flaws of significance were found. The auditor identified one minor issue, which would only impact users in the case of a contentious hardfork of the Ethereum network. He also made several best practice recommendations. We’ve since fixed the aforementioned hardfork-related issue, and incorporated the other suggestions as well.

We want to offer our sincere thanks to the Consensys Diligence team for their work. The whole process was professional and enjoyable. They didn’t ask us to say this, but we can do so without reservation: if you need auditing services for your smart contracts, you can’t go wrong choosing the Diligence team.

Off-Chain Audit Scheduled

Much of what enables the privacy preserving properties of Umbra actually takes place off-chain. This is great, because it keeps Umbra’s contracts simple and gas costs low. It also means there’s a lot to consider security-wise happening off-chain.

We’re also pleased to announce today that ScopeLift has contracted with Least Authority to audit our off-chain encryption scheme and our first party JavaScript library.

As a privacy focused firm, Least Authority is a great fit for auditing Umbra’s off-chain components. They’ve proven themselves to be a top tier firm in the ecosystem, with past audits including ZCash, the Ethereum 2.0 specifications, and the MetaMask mobile app. We’re excited to have them onboard.

Mainnet Roadmap

The Least Authority audit is scheduled for May 2021. Because it will cover off-chain components, ones that can easily be updated even in the case of an issue being uncovered, this audit is not a blocker for mainnet release.

With the audit of our contracts completed, we consider our on-chain code effectively frozen. We’ve also completed the core components of our Phase 2 goals, including simplified configuration for ENS users, and single transaction subdomain setup for users who choose not to use an existing ENS name.

With these large features now implemented, the majority of our remaining work entails cleanup and prep. You can follow our progress on these tasks on GitHub.

We fully expect to see Umbra deployed on the Ethereum mainnet and available for public use by the end of this month (April, 2021).

One open question remaining for launch is which tokens will be supported by our first party relayer for “gas-less” withdrawal via relayed meta-transactions. While any non-rebasing token can be safely sent via Umbra, our relayer service will support only a subset of the ERC20 tokens available. Because users must pay the relayer for gas using a portion of the token they’re withdrawing, treasury management of supported tokens becomes paramount for anyone running a relayer service.

We’re hard at work building out our relayer MVP, and intend to have support for popular stablecoins at launch. We also have a contingency plan that would allow us to go live with ETH only, and enable meta-transaction token withdrawals shortly afterwards. Regardless of which direction we go, adding broader token support for meta-transaction token withdrawals will be one of our top priorities after going live.

Thank You!

We’ll conclude by once again thanking everyone who has supported Umbra to date. We truly can’t say this enough.

Umbra has been built solely with grant funding. Your support has made it possible.

In particular, we want to call out the extreme generosity from the community in the last Gitcoin Grants round. The funding we received there gave us the budgetary breathing room we needed to book the audit of our off-chain components.

We are also grateful for your continued support, even after we reach mainnet later this month. While that will be a huge milestone, it will be far from the project’s end. We have so many plans for Umbra moving forward which we are eager to build and share with you. We’re also confident that Umbra’s users will give us incredible feedback and suggestions, providing even more ways to expand the protocol’s utility in the future.