A curated list of awesome things related to learning zero knowledge proofs security
- Table of Content
- 1. Introduction
- 2. Vulnerability Classification
- 3. Security Consideration
- 4. Learning Resources
- Acknowledgements
Zero Knowledge Proof (ZKP) technology is considered as a very promising infrastructure in blockchain field, even not limited to the Web3 world.
In concept, proving system (or proof system in some context) are indeed advanced cryptographic techniques as you can see in various papers. But when it comes to a ZK application, from a development perspective, it is usually divided into two parts: front-end and back-end.
In general, ZKP is a technique for proving the correct execution of programs, which has completeness, soundness, and zero knowledge property. Specifically, the front-end is these programs that can be proven, namely circuits that implement computation logic, while the back-end is a proving system used to generate proof for the execution of these logic.
As with other programming field, the primary technical risk faced by both is code bugs.
I strongly recommand everyone to learn ZK Security from the perspective of zkapp. The following figure from Aumasson'slides which provide us with a good layered display.
To be more precise, circuits implementation comes with its own set of vulnerability classification, disjoint from the low-level cryptography bugs that may be found in the proving system.
The mental models of circuits (or constraints) are very different from traditional programming, programmers should be very careful about it.
While the programming approach of zkVM programs is more similar to traditional programming (but not exactly the same because the underlying VM is implemented as circuits, so only some circuit friendly operations can be implemented, such as hash functions pedersen, poseidon, and MiMC, so the learning threshold and cost are lower. The underlying of zkVM is essentially circuits.
The emergence of zkVM (including zkEVM) has greatly enriched the application of zk technology, and people can prove more diverse programs, such as smart contracts (starknet based on cairo VM, blockchain based on various EVMs such as Polygon, Scroll, zksync, etc.) and general programs (RISC Zero, SP1, etc.) .
Meanwhile, it also aligns with many traditional programming fields, such as reverse engineering (A CTF puzzle by weikeng chen)。
Therefor, the scope of programs above zkVM is much boarder, including smart contracts (Solidity, Cairo) and other traditional programs, which security will not be discussed here for now.
Missing constraints or under-constrained is the most common bug in zk circuits, which occurs when a system, fails to enforce necessary limitations or conditions on inputsor operations. This could be due to absent validation checks, insufficient boundary enforcement, or improper assumptions about input data. As a result, users or attackers can manipulate or bypass expected behavior, leading to unintended consequences, security issues, or data corruption.
This is a very general type of bug, and we divide it into 6 sub issues:
- General Logic
- Arithmetic Over/Under Flow
- Mismatched Types/Lengths
- Non-determinism
- Assigned but not Constrained
- Compiler Optimization
- not much
Worth further exploring.
The backend is the proving system that leans towards the cryptographic part, so this part involves more secure applications of cryptographic primitives. One must note: even secure primitives may introduce vulnerabilities if used incorrectly in the larger protocol or configured in an insecure manner.
To sum up, most vulnerabilities of proving system are Unstandardized Cryptographic Implementation.
- Bad Polynomial Implementation
- Frozen Heart
- Lack of Domain Seperation
- Missing Curve Point check
- Unseure Hash Function
- No payable functions
- Name hashed storage slots
- Upgradeability built-in
- Separated internal/external functions
- Cheap execution means readable algorithms
- Immutable variables by default
- Safe type conversions
- Option and Result traits
Reference
- Proofs, Arguments, and Zero-Knowledge (PAZK) by Thaler.
- Hash-based SNARGs-Book by Alessandro Chiesa and Eylon Yogev.
- ZKDocs by Trail of Bits
- The RareSkills Book of Zero Knowledge Not fully disclosed :(.
- Pairings for beginners
- SoK: What Don’t We Know? Understanding Security Vulnerabilities in SNARKs
- CirC: Compiler infrastructure for proof systems, software verification, and more
- Weak Fiat-Shamir Attacks on Modern Proof Systems
- On the practical CPAD security of “exact” and threshold FHE schemes and libraries
- Attacks Against the INDCPA-D Security of Exact FHE Schemes
- Automated Analysis of Halo2 Circuits
- Endeavors into the zero-knowledge Halo2 proving system by Consensys Diligence
- Frozen Heart by Trail of bits.
- Two Vulnerabilities in gnark's Groth16 Proofs by Zellic.
- 0xPARC Blog
- zkHACK Blog
- NCC Group Research Blog
- Zellic Blog
- zkSecurity Blog
- Rot256 Blog
- David Wong Blog
- LambdaClass Blog
- Nethermind Blog
- Ingonyama Blog
- Open Zeppelin Blog
- samczsum Blog
- Xor0v0 Blog
- Zero Knowledge Youtube by Zero Knowledge.
- Zero Knowledge Podcast by Zero Knowledge.
- ZK Whiteboard Sessions by ZK Hack.
- ZK Submit by Zero Knowledge.
- ZK Study Club by Zero Knowledge.
- ZKP Mooc by Dan Boneh, Shafi Goldwasser, Dawn Song, Justin Thaler, Yupeng Zhang.
- Thaler Book Study Club by Thaler.
- A16Z Summer Research Seminars by A16Z Crypto.
- Introduction to ZK Security Research by David Theodore from EF. This classification of bugs in zk-circuits is widely accepted.
- zBlock1 by yAcademy.
- Moon Math Club by Ingonyama
- The PLONK zero knoledge proof system by David Wong.
- Foundations of Probabilistic Proofs by Alessandro Chiesa.
- Probabilistically Checkable Proofs and Interactive Proofs
- Zero-knowledge proof composition and incursion by David Wong.
- An introduction to the Arithmetic of Elliptic Curve by Alvaro Lozano-Robledo.
- ZK Related Security Reviews of ZK Protocols by nullity. Consists of Security Reports of 50+ ZK Protocols.
- code4rena Report
You can directly visit the solodit website to get some off-the-shelf audit reports.
If you are intereted in security about zkVM programs, here are some audit material about smart contract.
Solidity:
Cairo:
Tool | Technique | UC | OC | CE |
---|---|---|---|---|
Circomspect | SA | ✓ | ✗ | ✗ |
ZKAP | SA | ✓ | ✗ | ✗ |
halo2-analyzer | SA | ✓ | ✓ | ✗ |
Coda | FV | ✓ | ✓ | ✓ |
Ecne | FV | ✓ | ✗ | ✗ |
Picus | FV | ✓ | ✗ | ✗ |
Aleo | FV | ✓ | ✓ | ✓ |
SnarkProbe | DA | ✓ | ✓ | ✗ |
CIVER | FV | ✓ | ✗ | ✗ |
GNARK/Lean | FV | ✓ | ✓ | ✓ |
- zkHACKs
- Paradigm CTF
- Paradigm CTF Infrastructure
- Open Zeppelin CTF
- Ingonyama CTF
- RareSkill ZK Puzzles
- cairo-damn-vulnerable
- starknet-security-challenges.app
- StarknetCC-CTF
writeups
Algebraic Error Correcting Codes
- "Security of ZKP projects: same but different" by JP Aumasson @ Taurus. Great slides outlining the different types of zk security vulnerabilities along with examples.
- 0xPARC zk-bug-tracker by 0xPARC and PSE.
- BUG Bounty platform: code4rena, Immunefi.
- l2-security-framework by QuantStamp
Special thanks go to the following individuals and organizations for their ongoing support and encouragement: Nullity.