README.md

Awesome zero knowledge proofs security

 A curated list of awesome things related to learning zero knowledge proofs security

Table of Content

• Table of Content
• 1. Introduction
• 2. Vulnerability Classification
  • Architectureal Design Flaws
  • FrontEnd: Circuits
    • Soundness Error (Under-constrained)
    • Completeness Error (Over-constrained)
    • Zero Knowledge Error
  • Misc: Witness Generation & Arithemtization
  • BackEnd: Proving system
• 3. Security Consideration
  • circom
  • cairo
• 4. Learning Resources
  • Books & Docs
  • Papers
  • Blogs
    • Worth a look
    • Resources
  • Videos
  • Audit Reports
  • Tools
  • zkHACK/CTF/Puzzles
  • Miscellaneous
• Acknowledgements

1. Introduction

Zero Knowledge Proof (ZKP) technology is considered as a very promising infrastructure in blockchain field, even not limited to the Web3 world.

In concept, proving system (or proof system in some context) are indeed advanced cryptographic techniques as you can see in various papers. But when it comes to a ZK application, from a development perspective, it is usually divided into two parts: front-end and back-end.

In general, ZKP is a technique for proving the correct execution of programs, which has completeness, soundness, and zero knowledge property. Specifically, the front-end is these programs that can be proven, namely circuits that implement computation logic, while the back-end is a proving system used to generate proof for the execution of these logic.

As with other programming field, the primary technical risk faced by both is code bugs.

I strongly recommand everyone to learn ZK Security from the perspective of zkapp. The following figure from Aumasson'slides which provide us with a good layered display.

To be more precise, circuits implementation comes with its own set of vulnerability classification, disjoint from the low-level cryptography bugs that may be found in the proving system.

2. Vulnerability Classification

The mental models of circuits (or constraints) are very different from traditional programming, programmers should be very careful about it.

While the programming approach of zkVM programs is more similar to traditional programming (but not exactly the same because the underlying VM is implemented as circuits, so only some circuit friendly operations can be implemented, such as hash functions pedersen, poseidon, and MiMC, so the learning threshold and cost are lower. The underlying of zkVM is essentially circuits.

The emergence of zkVM (including zkEVM) has greatly enriched the application of zk technology, and people can prove more diverse programs, such as smart contracts (starknet based on cairo VM, blockchain based on various EVMs such as Polygon, Scroll, zksync, etc.) and general programs (RISC Zero, SP1, etc.) .

Meanwhile, it also aligns with many traditional programming fields, such as reverse engineering (A CTF puzzle by weikeng chen)。

Therefor, the scope of programs above zkVM is much boarder, including smart contracts (Solidity, Cairo) and other traditional programs, which security will not be discussed here for now.

Architectureal Design Flaws

• Front Running

FrontEnd: Circuits

Soundness Error (Under-constrained)

Missing constraints or under-constrained is the most common bug in zk circuits, which occurs when a system, fails to enforce necessary limitations or conditions on inputsor operations. This could be due to absent validation checks, insufficient boundary enforcement, or improper assumptions about input data. As a result, users or attackers can manipulate or bypass expected behavior, leading to unintended consequences, security issues, or data corruption.

This is a very general type of bug, and we divide it into 6 sub issues:

• General Logic
• Arithmetic Over/Under Flow
• Mismatched Types/Lengths
• Non-determinism
• Assigned but not Constrained
• Compiler Optimization

Completeness Error (Over-constrained)

• not much

Zero Knowledge Error

• Trusted Setup Leak
• Bad Protocol Design/Implementation

Misc: Witness Generation & Arithemtization

Worth further exploring.

BackEnd: Proving system

The backend is the proving system that leans towards the cryptographic part, so this part involves more secure applications of cryptographic primitives. One must note: even secure primitives may introduce vulnerabilities if used incorrectly in the larger protocol or configured in an insecure manner.

To sum up, most vulnerabilities of proving system are Unstandardized Cryptographic Implementation.

• Bad Polynomial Implementation
• Frozen Heart
• Lack of Domain Seperation
• Missing Curve Point check
• Unseure Hash Function

3. Security Consideration

circom

• blockdev's slides
• Best Practices for Large Circom Circuits

cairo

1. No payable functions
2. Name hashed storage slots
3. Upgradeability built-in
4. Separated internal/external functions
5. Cheap execution means readable algorithms
6. Immutable variables by default
7. Safe type conversions
8. Option and Result traits

Reference

• starknet book
• cairo-the-starknet-way-to-writing-safe-code by Nethermind Security

4. Learning Resources

Books & Docs

• Proofs, Arguments, and Zero-Knowledge (PAZK) by Thaler.
• Hash-based SNARGs-Book by Alessandro Chiesa and Eylon Yogev.
• ZKDocs by Trail of Bits
• The RareSkills Book of Zero Knowledge Not fully disclosed :(

Papers

• SoK: What Don’t We Know? Understanding Security Vulnerabilities in SNARKs
• CirC: Compiler infrastructure for proof systems, software verification, and more
• Weak Fiat-Shamir Attacks on Modern Proof Systems
• On the practical CPAD security of “exact” and threshold FHE schemes and libraries
• Attacks Against the INDCPA-D Security of Exact FHE Schemes
• Automated Analysis of Halo2 Circuits

Blogs

Worth a look

• Endeavors into the zero-knowledge Halo2 proving system by Consensys Diligence
• Frozen Heart by Trail of bits.
• Two Vulnerabilities in gnark's Groth16 Proofs by Zellic.

Resources

• 0xPARC Blog
• zkHACK Blog
• NCC Group Research Blog
• Zellic Blog
• zkSecurity Blog
• Rot256 Blog
• David Wong Blog
• LambdaClass Blog
• Nethermind Blog
• Ingonyama Blog
• Open Zeppelin Blog
• samczsum Blog
• Xor0v0 Blog

Videos

• Introduction to ZK Security Research by David Theodore from EF. This classification of bugs in zk-circuits is widely accepted.
• zBlock1 by yAcademy. 「Very worth a look!!」

Audit Reports

• ZK Related Security Reviews of ZK Protocols by nullity. Consists of Security Reports of 50+ ZK Protocols.
• code4rena Report

You can directly visit the solodit website to get some off-the-shelf audit reports.

If you are intereted in security about zkVM programs, here are some audit material about smart contract.

Solidity:

• Solidity Security Blog
• not-so-smart-contract
• List of Security Vunerabilities

Cairo:

• Opus-2024_01-c4
• lindy-labs-aura-2023_11-tob
• Argent-Account-2023_6-consensys

Tools

Tool	Technique	UC	OC	CE
Circomspect	SA	✓	✗	✗
ZKAP	SA	✓	✗	✗
halo2-analyzer	SA	✓	✓	✗
Coda	FV	✓	✓	✓
Ecne	FV	✓	✗	✗
Picus	FV	✓	✗	✗
Aleo	FV	✓	✓	✓
SnarkProbe	DA	✓	✓	✗
CIVER	FV	✓	✗	✗
GNARK/Lean	FV	✓	✓	✓

zkHACK/CTF/Puzzles

• zkHACKs
• Paradigm CTF
• Paradigm CTF Infrastructure
• Open Zeppelin CTF
• Ingonyama CTF
• RareSkill ZK Puzzles
• cairo-damn-vulnerable
• starknet-security-challenges.app
• StarknetCC-CTF

writeups

• 2023 Ingonyama CTF WP by shuklaayush
• 2023 Ingonyama CTF Official WP

Miscellaneous

• "Security of ZKP projects: same but different" by JP Aumasson @ Taurus. Great slides outlining the different types of zk security vulnerabilities along with examples.
• 0xPARC zk-bug-tracker by 0xPARC and PSE.
• BUG Bounty platform: code4rena, Immunefi.
• l2-security-framework by QuantStamp

Acknowledgements

Special thanks go to the following individuals and organizations for their ongoing support and encouragement: Nullity.