A curated list of awesome things related to learning zero knowledge proofs security
- Awesome zero knowledge proofs security
Zero Knowledge Proof (ZKP) technology is considered as a very promising infrastructure in blockchain field, even not limited to the Web3 world.
In concept, proving system (or proof system in some context) are indeed advanced cryptographic techniques as you can see in various papers. But when it comes to a ZK application, from a development perspective, it is usually divided into two parts: front-end and back-end.
In general, ZKP is a technique for proving the correct execution of programs, which has completeness, soundness, and zero knowledge property. Specifically, the front-end is these programs that can be proven, namely circuits that implement computation logic, while the back-end is a proving system used to generate proof for the execution of these logic.
As with other programming field, the primary technical risk faced by both is code bugs.
I strongly recommand everyone to learn ZK Security from the perspective of zkapp. The following figure from Aumasson'slides which provide us with a good layered display.
To be more precise, circuits implementation comes with its own set of vulnerability classification, disjoint from the low-level cryptography bugs that may be found in the proving system.
The mental models of circuits (or constraints) are very different from traditional programming, programmers should be very careful about it.
While the programming approach of zkVM programs is more similar to traditional programming (but not exactly the same because the underlying VM is implemented as circuits, so only some circuit friendly operations can be implemented, such as hash functions pedersen, poseidon, and MiMC, so the learning threshold and cost are lower. The underlying of zkVM is essentially circuits.
The emergence of zkVM (including zkEVM) has greatly enriched the application of zk technology, and people can prove more diverse programs, such as smart contracts (starknet based on cairo VM, blockchain based on various EVMs such as Polygon, Scroll, zksync, etc.) and general programs (RISC Zero, SP1, etc.) .
Meanwhile, it also aligns with many traditional programming fields, such as reverse engineering (A CTF puzzle by weikeng chen)。
Therefor, the scope of programs above zkVM is much boarder, including smart contracts (Solidity, Cairo) and other traditional programs, which security will not be discussed here for now.
- General Logic
- Arithmetic Over/Under Flow
- Mismatched Types/Lengths
- Non-determinism
- Assigned but not Constrained
- Compiler Optimization
- not much
Worth further exploring.
The backend is the proving system that leans towards the cryptographic part, so this part involves more secure applications of cryptographic primitives. One must note: even secure primitives may introduce vulnerabilities if used incorrectly in the larger protocol or configured in an insecure manner.
To sum up, most vulnerabilities of proving system are Unstandardized Cryptographic Implementation.
- Frozen Heart
- Lack of Domain Seperation
- Bad Polynomial Implementation
- Missing Curve Point check
- Unseure Hash Function
- No payable functions
- Name hashed storage slots
- Upgradeability built-in
- Separated internal/external functions
- Cheap execution means readable algorithms
- Immutable variables by default
- Safe type conversions
- Option and Result traits
Reference
- Proofs, Arguments, and Zero-Knowledge (PAZK) by Thaler.
- Hash-based SNARGs-Book by Alessandro Chiesa and Eylon Yogev.
- ZKDocs by Trail of Bits
- The RareSkills Book of Zero Knowledge Not fully disclosed :(
- SoK: What Don’t We Know? Understanding Security Vulnerabilities in SNARKs
- CirC: Compiler infrastructure for proof systems, software verification, and more
- Weak Fiat-Shamir Attacks on Modern Proof Systems
- On the practical CPAD security of “exact” and threshold FHE schemes and libraries
- Attacks Against the INDCPA-D Security of Exact FHE Schemes
- Consensys: Endeavors into the zero-knowledge Halo2 proving system
- Automated Analysis of Halo2 Circuits
- 0xPARC Blog
- zkHACK Blog
- NCC Group Research Blog
- Zellic Blog
- zkSecurity Blog
- David Wong Blog
- LambdaClass Blog
- Nethermind Blog
- Ingonyama Blog
- Open Zeppelin Blog
- samczsun' Blog
- Introduction to ZK Security Research by David Theodore from EF. This classification of bugs in zk-circuits is widely accepted.
- zBlock1 by yAcademy. 「Very worth a look!!」
- ZK Related Security Reviews of ZK Protocols by nullity. Consists of Security Reports of 50+ ZK Protocols.
- code4rena Report
You can directly visit the solodit website to get some off-the-shelf audit reports.
If you are intereted in security about zkVM programs, here are some audit material about smart contract.
Solidity:
Cairo:
| Tool | Technique | UC | OC | CE |
|---|---|---|---|---|
| Circomspect | SA | ✓ | ✗ | ✗ |
| ZKAP | SA | ✓ | ✗ | ✗ |
| halo2-analyzer | SA | ✓ | ✓ | ✗ |
| Coda | FV | ✓ | ✓ | ✓ |
| Ecne | FV | ✓ | ✗ | ✗ |
| Picus | FV | ✓ | ✗ | ✗ |
| Aleo | FV | ✓ | ✓ | ✓ |
| SnarkProbe | DA | ✓ | ✓ | ✗ |
| CIVER | FV | ✓ | ✗ | ✗ |
| GNARK/Lean | FV | ✓ | ✓ | ✓ |
- zkHACKs
- Paradigm CTF
- Paradigm CTF Infrastructure
- Open Zeppelin CTF
- Ingonyama CTF
- RareSkill ZK Puzzles
- cairo-damn-vulnerable
- starknet-security-challenges.app
- StarknetCC-CTF
writeups
- "Security of ZKP projects: same but different" by JP Aumasson @ Taurus. Great slides outlining the different types of zk security vulnerabilities along with examples.
- 0xPARC zk-bug-tracker by 0xPARC and PSE.
- BUG Bounty platform: code4rena, Immunefi.
- l2-security-framework by QuantStamp
Special thanks go to the following individuals and organizations for their ongoing support and encouragement: Nullity.