doc: security best practices and testing docs#726

Draft
gyrationtechs wants to merge 2 commits into main from doc/security-best-practice

@gyrationtechs
Contributor

New docs:

  • Smart contract security
  • Testing and debugging

Hide the Security section in the Concepts category to avoid creating duplicate docs

@gyrationtechs gyrationtechs requested review from a team and DianaHackmamba March 20, 2026 16:03
@gyrationtechs gyrationtechs requested review from a team as code owners March 20, 2026 16:03
@vercel

vercel bot commented Mar 20, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
midnight-wiki Ready Ready Preview, Comment Apr 3, 2026 5:56pm

@github-actions

github-actions bot commented Mar 20, 2026

Summary

Status Count
🔍 Total 10
✅ Successful 2
⏳ Timeouts 0
🔀 Redirected 0
👻 Excluded 0
❓ Unknown 0
🚫 Errors 8
⛔ Unsupported 0

Errors per input

Errors in docs/compact/smart-contract-security.mdx

  • [ERROR] file:///home/runner/work/midnight-docs/midnight-docs/docs/compact/reference/explicit-disclosure | Cannot find file
  • [ERROR] file:///home/runner/work/midnight-docs/midnight-docs/docs/compact/reference/writing#the-full-contract | Cannot find file
  • [ERROR] file:///home/runner/work/midnight-docs/midnight-docs/docs/compact/testing | Cannot find file
  • [ERROR] file:///home/runner/work/midnight-docs/midnight-docs/docs/nodes/node-endpoints | Cannot find file

Errors in docs/compact/testing.mdx

  • [ERROR] file:///home/runner/work/midnight-docs/midnight-docs/docs/compact/smart-contract-security | Cannot find file
  • [ERROR] file:///home/runner/work/midnight-docs/midnight-docs/docs/examples/dapps/bboard | Cannot find file
  • [ERROR] file:///home/runner/work/midnight-docs/midnight-docs/docs/examples/dapps/counter | Cannot find file
  • [ERROR] file:///home/runner/work/midnight-docs/midnight-docs/docs/guides/compact-javascript-runtime | Cannot find file
    Full Github Actions output

@github-actions

github-actions bot commented Mar 20, 2026

🚀 Preview Deployment

Deployment Ready

🔗 Preview URL: https://pr-726-midnight-docs.vercel.app

📝 Latest commit: 0882f6e
Updated: Apr 3, 2026, 5:55 PM UTC


This preview updates automatically when you push new commits to this PR.

export circuit vote(choice: Uint<8>): [] {
const sk = secretKey();
const commitment = persistentCommit(choice, sk);
votes.insert(disclose(commitment)); // Commitment disclosed, not choice
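
Review bot: the second argument to persistentCommit on the `const commitment` line is the value returned by secretKey(), so the commitment's randomness is only as fresh as that key. If secretKey() returns the same value on every call, the same choice always produces the same commitment, which makes repeated entries in `votes` linkable to each other; consider passing fresh per-vote randomness as the second argument and keeping the secret key for authorization only.
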
Contributor

I agree with the demonstration here, but I think persistentCommit is the wrong choice as it does not require a disclose wrapper. persistentHash is better for this demonstration.

Unlike transientHash and persistentHash, this function is considered sufficient to protect its input from disclosure, under the assumption that the rand argument is sufficiently random. Thus, even if its input contains a value or values returned from one or more witnesses, the program need not acknowledge disclosure (via a disclose wrapper) if the result can be stored in the public ledger, returned from an exported circuit, or passed to another contract via a cross-contract call.

source
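
The distinction the quoted reference text draws between a bare hash and a commitment with a random argument, shown for an 8-bit choice as an added example that is not part of the PR or of Midnight's code. SHA-256 stands in for Compact's functions, and `plain_hash`, `commit`, `candidates_for`, `verify_opening` and `demo` are hypothetical names.

```python
import hashlib
import secrets

CHOICE_SPACE = range(256)  # every value a Uint<8> choice can take


def plain_hash(choice: int) -> bytes:
    # Stand-in (assumption) for hashing the private value with no randomness.
    return hashlib.sha256(b"hash" + bytes([choice])).digest()


def commit(choice: int, rand: bytes) -> bytes:
    # Stand-in (assumption) for a commitment: the value bound to 32 random bytes.
    if len(rand) != 32:
        raise ValueError("rand must be 32 bytes")
    return hashlib.sha256(b"commit" + rand + bytes([choice])).digest()


def candidates_for(digest: bytes, recompute) -> list:
    # Privacy check: which choices reproduce the public digest when recomputed?
    return [c for c in CHOICE_SPACE if recompute(c) == digest]


def verify_opening(digest: bytes, choice: int, rand: bytes) -> bool:
    # The committer later reveals (choice, rand); anyone can check the opening.
    return secrets.compare_digest(commit(choice, rand), digest)


def demo() -> dict:
    choice = 3                           # constructed sample vote
    rand = secrets.token_bytes(32)       # fresh randomness for this vote
    public_hash = plain_hash(choice)
    public_commit = commit(choice, rand)
    guess = secrets.token_bytes(32)      # an observer does not know rand
    return {
        # The bare hash pins the choice down to exactly one value.
        "hash_candidates": candidates_for(public_hash, plain_hash),
        # Without rand, no choice reproduces the commitment.
        "commit_candidates": candidates_for(
            public_commit, lambda c: commit(c, guess)),
        "opening_ok": verify_opening(public_commit, choice, rand),
        "wrong_opening_ok": verify_opening(public_commit, choice + 1, rand),
        # Reusing rand for the same choice yields the same public value.
        "reused_rand_matches": commit(choice, rand) == public_commit,
        "fresh_rand_matches":
            commit(choice, secrets.token_bytes(32)) == public_commit,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```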

Comment thread docs/compact/smart-contract-security.mdx Outdated

Following these best practices helps you write secure, privacy-preserving contracts that protect user data while maintaining functionality.

### 1. Minimize disclosure
Contributor

Don't number these. The order of best practices generally isn't important.


### 5. Handle errors securely

Error messages should not leak sensitive information:
Contributor

All these best practices could use more details in the paragraph text if possible.

Comment thread docs/compact/testing.mdx

Compact contracts execute across multiple contexts (on-chain ledger, zero-knowledge circuits, and local witnesses), requiring different testing strategies for each layer. Effective testing ensures your contract behaves correctly, maintains privacy guarantees, and handles edge cases appropriately.

### Test layers
Contributor

Do not have just one subheading.

Comment thread docs/compact/testing.mdx

This guide covers unit testing, integration testing, and debugging strategies for privacy-preserving contracts on Midnight.

## Overview
Contributor

Why is this here? "Overview" adds no value. Either make the heading more specific or remove it.

Comment thread docs/compact/testing.mdx
Contributor

When possible, the filename should match the title. test-and-debug.mdx

Makes search algorithms happier.

Comment thread docs/compact/testing.mdx

### Test layers

* **Circuit logic testing** - Validate that individual circuits produce correct outputs and state transitions
Contributor

Please use hyphens for bullets. Makes it easier to read when the first word is bolded.

Comment thread docs/compact/testing.mdx

* **Circuit logic testing** - Validate that individual circuits produce correct outputs and state transitions
* **Privacy verification** - Confirm that private data does not leak through public outputs
* **Authorization testing** - Ensure access control mechanisms prevent unauthorized operations
Contributor

Add periods to this list.

Comment thread docs/compact/testing.mdx

Validate all inputs at circuit boundaries to prevent invalid state transitions and security vulnerabilities. Proper input validation ensures your contract behaves correctly and rejects malicious or malformed inputs.

### Comprehensive validation example
Contributor

Again, one h3 by itself. Avoid this pattern.

@gyrationtechs gyrationtechs marked this pull request as draft April 2, 2026 15:33