Increased Vulnerability of ZK Protocols Highlighted by Experts
Audits of DeFi projects based on zero-knowledge proof (ZK) technology revealed critical errors twice as often as in general cases, according to The Block, citing a report by Veridise.
Experts from the company analyzed 1605 vulnerabilities identified during 100 audits. They found an average of 16 issues per audit, with ZK projects slightly higher at 18 errors.
However, in terms of critical vulnerabilities, 55% (11 out of 20) of the ZK projects contained such issues compared to 27.5% (22 out of 80) in other audits.
According to experts, the security of ZK solutions is “simply more complex” due to difficult cryptographic constructs and the innovative nature of the protocols.
“Designing a ZK scheme requires precise justification of the semantics of operations in the witness generator. When these constructs are incorrectly coded due to constraints, you get errors. It is logical that there are more in [these] schemes, as they differ significantly from the typical programming paradigm,” explained Veridise co-founder and CEO John Stevens.
Overall, the most common vulnerabilities discovered during audits were logical errors (385), maintainability (355), and data validation (304). These categories accounted for 65% of all identified issues.
Veridise noted that insufficient maintainability, strictly speaking, does not relate to security vulnerabilities. However, poor coding practices are “a step away from creating critical vulnerabilities,” the team emphasized.
For ZK protocols, a specific problem was “insufficiently constrained circuits,” which led to a serious error with a 90% probability.
“[…] when the constraints of the arithmetic scheme do not sufficiently ensure all necessary conditions for verifying that some computations were performed correctly. They do not occur in traditional smart contracts,” the firm noted.
This means that an attacker could create a proof that deceitfully convinces the verifier to accept a false statement as true, seriously undermining the integrity of the protocol.
Earlier, ForkLog discussed the development of ZK protocols in 2024 in an exclusive article.
Рассылки ForkLog: держите руку на пульсе биткоин-индустрии!