doc: security best practices and testing docs #726
gyrationtechs wants to merge 2 commits into main from
Summary
Errors per input
Errors in docs/compact/smart-contract-security.mdx
Errors in docs/compact/testing.mdx
|
🚀 Preview Deployment
✅ Deployment Ready
🔗 Preview URL: https://pr-726-midnight-docs.vercel.app
📝 Latest commit:
This preview updates automatically when you push new commits to this PR.
|
| export circuit vote(choice: Uint<8>): [] { | ||
| const sk = secretKey(); | ||
| const commitment = persistentCommit(choice, sk); | ||
| votes.insert(disclose(commitment)); // Commitment disclosed, not choice |
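Review bot: In `persistentCommit(choice, sk)` the blinding argument is the value returned by `secretKey()`, not per-vote randomness. If that witness returns the same key on every call, two votes for the same `choice` from one voter produce identical commitments, and because `choice` is a `Uint<8>` the hiding of the commitment rests entirely on that key staying secret. Consider drawing fresh randomness for each vote from a separate witness, or state in the surrounding text why reusing `sk` as the `rand` argument is acceptable in this example.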
I agree with the demonstration here, but I think persistentCommit is the wrong choice as it does not require a disclose wrapper. persistentHash is better for this demonstration.
Unlike transientHash and persistentHash, this function is considered sufficient to protect its input from disclosure, under the assumption that the rand argument is sufficiently random. Thus, even if its input contains a value or values returned from one or more witnesses, the program need not acknowledge disclosure (via a disclose wrapper) if the result can be stored in the public ledger, returned from an exported circuit, or passed to another contract via a cross-contract call.
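To illustrate the distinction raised in the comment above, here is an added example (not code from the PR or from the Midnight project) that models both functions in Python. It assumes SHA-256 as a stand-in for `persistentHash` and `persistentCommit`, and every function name in it is hypothetical. It checks that a bare hash of a `Uint<8>` value can be matched by recomputation, and that the commitment hides the value only while `rand` is unpredictable and not reused.

```python
import hashlib
import secrets

# Model only: SHA-256 stands in for Compact's persistentHash/persistentCommit.
# The real constructions are not shown on this page.
UINT8 = range(256)  # every value a Uint<8> `choice` can take


def model_hash(choice: int) -> bytes:
    """Deterministic digest of the value alone (models persistentHash)."""
    return hashlib.sha256(b"hash" + bytes([choice])).digest()


def model_commit(choice: int, rand: bytes) -> bytes:
    """Digest of the value blinded by 32 bytes (models persistentCommit)."""
    if len(rand) != 32:
        raise ValueError("rand must be 32 bytes")
    return hashlib.sha256(b"commit" + rand + bytes([choice])).digest()


def candidates(ledger_value: bytes, recompute) -> list:
    """Choices an observer can match by recomputing over all 256 inputs."""
    return [c for c in UINT8 if recompute(c) == ledger_value]


def linked(ledger: list) -> list:
    """Pairs of ledger entries that are byte-identical, hence linkable."""
    return [(i, j) for i in range(len(ledger))
            for j in range(i + 1, len(ledger)) if ledger[i] == ledger[j]]


def privacy_report(choice: int) -> dict:
    """Run each leak check for one constructed vote."""
    zero = bytes(32)                # predictable blinding an observer can guess
    key = secrets.token_bytes(32)   # constructed key, unknown to the observer
    guess = lambda c: model_commit(c, zero)
    return {
        "bare_hash": candidates(model_hash(choice), model_hash),
        "predictable_rand": candidates(model_commit(choice, zero), guess),
        "random_rand": candidates(model_commit(choice, key), guess),
        "same_rand_twice": linked([model_commit(choice, key)] * 2),
        "fresh_rand_each": linked([model_commit(choice, secrets.token_bytes(32))
                                   for _ in range(2)]),
    }


if __name__ == "__main__":
    for check, result in privacy_report(3).items():
        print(check, result)
```

A non-empty list for a check means the public value leaks the choice or links two votes; only the random and fresh-randomness cases come back empty.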
|
|
||
| Following these best practices helps you write secure, privacy-preserving contracts that protect user data while maintaining functionality. | ||
|
|
||
| ### 1. Minimize disclosure |
Don't number these. The order of best practices generally isn't important.
|
|
||
| ### 5. Handle errors securely | ||
|
|
||
| Error messages should not leak sensitive information: |
All these best practices could use more details in the paragraph text if possible.
|
|
||
| Compact contracts execute across multiple contexts (on-chain ledger, zero-knowledge circuits, and local witnesses), requiring different testing strategies for each layer. Effective testing ensures your contract behaves correctly, maintains privacy guarantees, and handles edge cases appropriately. | ||
|
|
||
| ### Test layers |
Do not have just one subheading.
|
|
||
| This guide covers unit testing, integration testing, and debugging strategies for privacy-preserving contracts on Midnight. | ||
|
|
||
| ## Overview |
Why is this here? "Overview" adds no value. Either make the heading more specific or remove it.
There was a problem hiding this comment.
When possible, the filename should match the title. test-and-debug.mdx
Makes search algorithms happier.
|
|
||
| ### Test layers | ||
|
|
||
| * **Circuit logic testing** - Validate that individual circuits produce correct outputs and state transitions |
Please use hyphens for bullets. Makes it easier to read when the first word is bolded.
|
|
||
| * **Circuit logic testing** - Validate that individual circuits produce correct outputs and state transitions | ||
| * **Privacy verification** - Confirm that private data does not leak through public outputs | ||
| * **Authorization testing** - Ensure access control mechanisms prevent unauthorized operations |
Add periods to this list.
|
|
||
| Validate all inputs at circuit boundaries to prevent invalid state transitions and security vulnerabilities. Proper input validation ensures your contract behaves correctly and rejects malicious or malformed inputs. | ||
|
|
||
| ### Comprehensive validation example |
Again, one h3 by itself. Avoid this pattern.
New docs:
Hide the Security section in the Concepts category to avoid creating duplicate docs