Awesome zero knowledge proofs security

 A curated list of awesome things related to learning zero knowledge proofs security

Table of Content

• Table of Content
• 1. Introduction
• 2. Vulnerability Classification
• Architectural Design Flaws
• FrontEnd: Circuits
  • Soundness Error (Under-constrained)
  • Completeness Error (Over-constrained)
  • Zero Knowledge Error
• Misc: Witness Generation \& Arithmetization
• BackEnd: Proving system
• 3. Security Consideration
• circom
• cairo
• 4. Learning Resources
• Books \& Docs
• Papers
• Blogs
  • Highlights
  • Resources
• Videos \& Podcast
• Audit Reports
• Tools
• zkHACK/CTF/Puzzles
• Lectures
• Miscellaneous
• Acknowledgements

1. Introduction

Zero Knowledge Proof (ZKP) technology is considered a promising infrastructure for blockchain and many broader privacy-preserving systems.

Conceptually, proving systems are advanced cryptographic protocols. In practical ZK applications, however, security review usually separates the system into a front-end and a back-end.

In general, ZKP is a technique for proving correct program execution while preserving completeness, soundness, and zero knowledge. The front-end is the provable program, usually circuits or circuit-like constraints that encode computation logic. The back-end is the proving system that generates and verifies proofs for that logic.

As in other engineering domains, many practical ZK failures come from implementation bugs and incorrect integration assumptions.

This repository uses a zk application perspective. The following figure from Aumasson's slides provides a useful layered model.

Circuit implementations have their own vulnerability classes, which are distinct from low-level cryptographic bugs in proving systems.

2. Vulnerability Classification

The mental model of circuits is different from traditional programming. A value appearing in witness generation code is not necessarily constrained by the proof.

The programming model of zkVM applications is closer to traditional programming, but the underlying VM is still implemented as constraints. Only circuit-friendly operations, such as Pedersen, Poseidon, and MiMC, are cheap to prove. The underlying execution model of zkVMs is still circuit-based.

The emergence of zkVMs, including zkEVMs, has expanded ZK applications to smart contracts, rollups, and general programs, such as Starknet, Polygon zkEVM, Scroll, zkSync, RISC Zero, and SP1.

It also overlaps with traditional security fields such as reverse engineering, as shown by this CTF puzzle by weikeng chen.

Therefore, programs above zkVMs have a broader security scope, including smart contracts and traditional application logic. This repository focuses mainly on ZK-specific security issues.

Architectural Design Flaws

• Front Running

FrontEnd: Circuits

Soundness Error (Under-constrained)

Missing constraints are the most common class of circuit bug. They occur when a circuit fails to enforce necessary conditions on inputs, witness values, intermediate computations, or protocol state. As a result, a prover may satisfy the constraints while proving a statement that is false under the intended specification.

This repository groups soundness errors into the following subcategories:

• General Logic
• Arithmetic Over/Under Flow
• Mismatched Types/Lengths
• Non-determinism
• Assigned but not Constrained
• Cryptographic Primitive Misuse
• Compiler Optimization
• Trusted Setup Error

Completeness Error (Over-constrained)

• Over-constrained Circuits

Zero Knowledge Error

• Bad Protocol Design/Implementation

Misc: Witness Generation & Arithmetization

Worth further exploring.

BackEnd: Proving system

The backend is the proving system and is closer to the cryptographic layer. One must note: even secure primitives may introduce vulnerabilities if used incorrectly in the larger protocol or configured in an insecure manner.

To sum up, many proving-system vulnerabilities come from unstandardized cryptographic implementation.

• Bad Polynomial Implementation
• Frozen Heart
• Lack of Domain Separation
• Missing Curve Point check
• Insecure Hash Function

3. Security Consideration

circom

• blockdev's slides
• Best Practices for Large Circom Circuits

For practical review, use check_list.md together with the Circuit Bugs taxonomy. Circom-specific review should focus on constraint completeness, public input binding, witness assignment, compiler behavior, and cryptographic primitive integration.

cairo

1. No payable functions
2. Name hashed storage slots
3. Upgradeability built-in
4. Separated internal/external functions
5. Cheap execution means readable algorithms
6. Immutable variables by default
7. Safe type conversions
8. Option and Result traits

Reference - starknet book - cairo-the-starknet-way-to-writing-safe-code by Nethermind Security

4. Learning Resources

Books & Docs

• Proofs, Arguments, and Zero-Knowledge (PAZK) by Thaler.
• Hash-based SNARGs-Book by Alessandro Chiesa and Eylon Yogev.
• ZKDocs by Trail of Bits
• The RareSkills Book of Zero Knowledge Not fully disclosed :(.
• Pairings for beginners by Craig Costello.
• ZKPunk: A content platform centered around Zero-Knowledge Proof (ZKP) technology, dedicated to promoting its adoption and development

Papers

• SoK: What Don’t We Know? Understanding Security Vulnerabilities in SNARKs
• CirC: Compiler infrastructure for proof systems, software verification, and more
• Weak Fiat-Shamir Attacks on Modern Proof Systems
• On the practical CPAD security of “exact” and threshold FHE schemes and libraries
• Automated Analysis of Halo2 Circuits

Blogs

Highlights

• Endeavors into the zero-knowledge Halo2 proving system by Consensys Diligence
• Frozen Heart by Trail of bits.
• Two Vulnerabilities in gnark's Groth16 Proofs by Zellic.

Resources

• Trial of Bit Cryptography Blog
• 0xPARC Blog
• zkHACK Blog
• NCC Group Research Blog
• Zellic Blog
• zkSecurity Blog
• Rot256 Blog
• David Wong Blog
• LambdaClass Blog
• Nethermind Blog
• Ingonyama Blog
• Open Zeppelin Blog
• Vitalik Blog
• samczsum Blog
• Tim Blog

Videos & Podcast

• Zero Knowledge Youtube by Zero Knowledge.
• Zero Knowledge Podcast by Zero Knowledge.
• ZK Whiteboard Sessions by ZK Hack.
• ZK Submit by Zero Knowledge.
• ZK Study Club by Zero Knowledge.
• ZKP Mooc by Dan Boneh, Shafi Goldwasser, Dawn Song, Justin Thaler, Yupeng Zhang.
• Thaler Book Study Club by Thaler.
• A16Z Summer Research Seminars by A16Z Crypto.
• Introduction to ZK Security Research by David Theodore from EF. This classification of bugs in zk-circuits is widely accepted.
• zBlock1 by yAcademy.
• Moon Math Club by Ingonyama
• The PLONK zero knoledge proof system by David Wong.
• Foundations of Probabilistic Proofs by Alessandro Chiesa.
• Probabilistically Checkable Proofs and Interactive Proofs
• Zero-knowledge proof composition and incursion by David Wong.
• An introduction to the Arithmetic of Elliptic Curve by Alvaro Lozano-Robledo.

Audit Reports

• ZK Related Security Reviews of ZK Protocols by nullity. Consists of Security Reports of 50+ ZK Protocols.
• code4rena Report

You can directly visit the solodit website to get some off-the-shelf audit reports.

If you are intereted in security about zkVM programs, here are some audit material about smart contract.

Solidity: - Solidity Security Blog - not-so-smart-contract - List of Security Vunerabilities

Cairo: - Opus-2024_01-c4 - lindy-labs-aura-2023_11-tob - Argent-Account-2023_6-consensys

Tools

Tool	Technique	UC	OC	CE
Circomspect	SA	✓	✗	✗
ZKAP	SA	✓	✗	✗
halo2-analyzer	SA	✓	✓	✗
Coda	FV	✓	✓	✓
Ecne	FV	✓	✗	✗
Picus	FV	✓	✗	✗
Aleo	FV	✓	✓	✓
SnarkProbe	DA	✓	✓	✗
CIVER	FV	✓	✗	✗
GNARK/Lean	FV	✓	✓	✓

zkHACK/CTF/Puzzles

• zkHACKs
• Paradigm CTF
• Paradigm CTF Infrastructure
• Open Zeppelin CTF
• Ingonyama CTF
• RareSkill ZK Puzzles
• cairo-damn-vulnerable
• starknet-security-challenges.app
• StarknetCC-CTF

writeups

• Secureum bootcamp/race writeup
• 2023 Ingonyama CTF WP by shuklaayush
• 2023 Ingonyama CTF Official WP

Lectures

Algebraic Error Correcting Codes

Miscellaneous

• "Security of ZKP projects: same but different" by JP Aumasson @ Taurus. Great slides outlining the different types of zk security vulnerabilities along with examples.
• 0xPARC zk-bug-tracker by 0xPARC and PSE.
• BUG bounty platform: code4rena, Immunefi.
• l2-security-framework by QuantStamp
• MyZKP: Building Zero Knowledge Proof from Scratch in Rust
• ZKP vulns dataset.

Acknowledgements

Special thanks go to the following individuals and organizations for their ongoing support and encouragement: Nullity.