Skip to content

docs(tbtc/signer): pin frost dependency audit status; attestation cadence#4042

Merged
mswilkison merged 1 commit into
extraction/frost-signer-mirror-2026-05-26from
docs/signer-readiness-audit-2026-06-12
Jun 12, 2026
Merged

docs(tbtc/signer): pin frost dependency audit status; attestation cadence#4042
mswilkison merged 1 commit into
extraction/frost-signer-mirror-2026-05-26from
docs/signer-readiness-audit-2026-06-12

Conversation

@mswilkison

Copy link
Copy Markdown
Contributor

Post-merge follow-up #5 from the June 2026 review stack — the remaining half of #4033's item: cite the exact external audit report and version range covering the pinned FROST stack in the readiness/rollout docs. Also records the attestation-rotation operational requirement that #4037's review surfaced.

Audit status (researched against upstream sources, 2026-06-12)

The new "Cryptographic Dependency Audit Status" section in roast-phase-5-security-rollout-gates.md records, with citations:

  • NCC Group, "Zcash FROST Security Assessment" (report 2023-10-20): audited v0.6.0 (commit 5fa17ed) of frost-core + five ciphersuites — trusted-dealer and DKG key generation plus signing; all findings addressed and re-reviewed.
  • The upstream README's explicit exclusion, quoted verbatim: "This does not include frost-secp256k1-tr and rerandomized FROST."
  • Least Authority's Q1 2025 FROST Demo audit covered frost-client/frostd tooling only — not the library crates this signer consumes.
  • No 2.x/3.x release notes mention further audit coverage.

The honest bottom line, now on the record: the exact ciphersuite this signer uses for production signatures (frost-secp256k1-tr =3.0.0, released 2025-04-23) and the v0.6.0 → 3.0.0 evolution of frost-core have no external audit coverage. Gate 1 sign-off must therefore either commission/await an audit covering that range (the checklist item-8 "audit as ECDSA-retirement merge gate" decision) or record a written, canary-scoped risk acceptance. The section gives that team decision its factual basis instead of letting "FROST was audited" stand unqualified.

Attestation rotation cadence (runbook prerequisite 6)

From #4037's design: init-time config is immutable for the process lifetime and attestation TTL caps at 7 days, so production signers must restart with fresh attestation material within every window — rollout stage scheduling has to absorb that cadence. Live re-attestation without restart is deliberately unsupported (it would need a dedicated narrow FFI; general config mutation reopens the split-brain risk the immutable design closed).

Doc-only change; no code. Sources verified via the upstream README, NCC's published report PDF, zfnd.org announcements, and the ZcashFoundation/frost releases page.

🤖 Generated with Claude Code

…ence

Post-merge follow-up #5 from the June 2026 review stack (the remaining
half of #4033's item): cite the exact external audit coverage of the
pinned FROST stack in the readiness/rollout docs, and record the
attestation-rotation operational requirement surfaced by #4037.

- rollout gates doc gains a "Cryptographic Dependency Audit Status"
  section: NCC Group's Zcash FROST Security Assessment (2023-10-20)
  covered v0.6.0 (commit 5fa17ed) of frost-core and five ciphersuites;
  upstream states explicitly that frost-secp256k1-tr and rerandomized
  FROST are NOT included; Least Authority's Q1 2025 audit covered demo
  tooling only. Bottom line recorded honestly: the pinned
  frost-secp256k1-tr =3.0.0 and the v0.6.0->3.0.0 frost-core evolution
  have no external audit coverage, so Gate 1 must either commission an
  audit or record written risk acceptance scoped to canary - a team
  decision this section now gives a factual basis.
- rollout runbook prerequisites gain the attestation rotation cadence:
  init-time config is immutable per process and attestation TTL caps
  at 7 days, so signers must restart with fresh attestation within
  every window; live re-attestation is deliberately unsupported.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 12, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: eeec337a-4386-4620-a09e-0fe8633431a9

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch docs/signer-readiness-audit-2026-06-12

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@mswilkison mswilkison merged commit 484c377 into extraction/frost-signer-mirror-2026-05-26 Jun 12, 2026
19 checks passed
@mswilkison mswilkison deleted the docs/signer-readiness-audit-2026-06-12 branch June 12, 2026 16:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant