0xPARC/zk-bug-tracker

More ZK bugs

veorq opened this issue · 5 comments

veorq commented

Great project, thank you!

I don't think these are listed (found while preparing my talks on ZKP security by asking friends and "doing my own research"):

Missing overflow check of a nullifier
a16z/zkdrops#2

Overflow again
ethereum-oasis-op/baseline#34

Field element inverse property not enforced
arkworks-rs/r1cs-std#70

Missing public input -> replay
https://starli.medium.com/filecoin-one-porep-vulnerability-found-by-trapdoor-tech-7fc7beb4557b

Timing attacks
https://eprint.iacr.org/2020/627.pdf

Missing (randomized) blinding to hide private inputs – not clear if really exploitable though
dusk-network/plonk#651

This one turned out to be non-exploitable (as clarified privately by the StarkWare team), but a similar behavior may be a problem in some cases
starkware-libs/cairo-lang#39

There are some other interesting ZK circuit bug types I've seen (concrete cases can't be disclosed yet):

  • Failing to enforce that a given constant is effectively the said constant value.

  • Failing to enforce constraints of correct padding in hash functions.

  • Failing to enforce soundness of a tree's structure or size.

  • Leakage on the witness from the proof's size.

Hope this helps, feel free to only include what you think is the most relevant/original.
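Added example (not code from this thread or from any of the linked projects) illustrating the "constant not effectively enforced" bug type from the list above with a toy R1CS checker; the prime field, the four-signal witness layout and the constant 7 are constructed assumptions:

```python
# Toy R1CS satisfiability check over a small prime field (constructed example).
# Real proof systems use a ~254-bit field; the constraint logic is the same.
P = 2**61 - 1  # toy prime, chosen for the example only

def lin(coeffs, w):
    """Evaluate a linear combination {witness_index: coeff} over witness w."""
    return sum(c * w[i] for i, c in coeffs.items()) % P

def satisfied(constraints, w):
    """Each constraint is (A, B, C): <A,w> * <B,w> == <C,w> must hold mod P."""
    return all((lin(a, w) * lin(b, w)) % P == lin(c, w) for a, b, c in constraints)

# Witness layout (constructed): w = [1, x, k, out].  The circuit is meant to
# compute out = x * K for the fixed constant K = 7, with k carried as a signal.
ONE, X, K_SIG, OUT = 0, 1, 2, 3
K = 7

def buggy_circuit():
    # Only "x * k = out" is enforced; nothing pins the signal k to 7, so a
    # prover may choose any k (the "constant not effectively enforced" bug).
    return [({X: 1}, {K_SIG: 1}, {OUT: 1})]

def fixed_circuit():
    # Fix: add (k - 7) * 1 = 0, i.e. the signal must equal the constant.
    return buggy_circuit() + [({K_SIG: 1, ONE: -K % P}, {ONE: 1}, {})]

def honest_witness(x):
    return [1, x % P, K, (x * K) % P]

def forged_witness(x):
    # A dishonest prover sets k = 1 so that out = x, a wrong product that the
    # buggy circuit still accepts; the fixed circuit rejects it.
    return [1, x % P, 1, x % P]

if __name__ == "__main__":
    for name, circ in (("buggy", buggy_circuit()), ("fixed", fixed_circuit())):
        print(name, "honest:", satisfied(circ, honest_witness(5)),
              "forged:", satisfied(circ, forged_witness(5)))
    # buggy honest: True forged: True  /  fixed honest: True forged: False
```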

This is great, thank you!! Will go through and add them once I get a chance.

Took a dive into the Timing attacks paper, but after some research it looks like they may not be that serious?
https://forum.zcashcommunity.com/t/churning-zcash-for-maximum-anonymity-and-privacy/40705/2

Likely going to add the EEA-OASIS and Arkworks bugs. Still need to take a look into the remaining 3.

ytrezq commented

Please also add Tornado Cash, which was a classical missing constraint, but the problem is https://crypto.stackexchange.com/q/103262

Here are other zk bugs other security researchers found, I want to list here, please merge it if you think they are awesome: